Who it’s for
CISOs, Heads of Audit, COOs, and boards facing a regulatory deadline (DORA, PCI DSS v4, ISO 27001 for a regulated client) where the cost of slipping the date is concrete and the risk of a thin programme is concrete too.
Outcome
- A certification-ready ISMS mapped to the standard you target
- An evidence base structured to the auditor’s expectations, not yours
- A control owner per control, accountable to the board
- A 90-day post-certification plan so BAU compliance doesn’t atrophy
- An audit-prep dry run with structured findings and remediation plan
Across prior engagements, programmes run under this model have reduced PCI scope by up to 70% through tokenisation and delivered AOCs with zero qualifications on first attempt.
Operating model
We run the programme as your GRC lead for the duration. We hold the relationships with the auditor and the regulator. We design the controls with engineering and operations, not for them. We run the readiness assessments. We write the management responses. We attend every audit meeting.
Engagement length & shape
- ISO 27001 (greenfield): ~26 weeks scoping → controls → internal audit → external Stage 1 → Stage 2.
- SOC 2 Type 1: 12-16 weeks.
- PCI DSS v4 (regulated card programme): 16-20 weeks.
- DORA (in-scope EU operator): 12-20 weeks depending on baseline.
Most consultants leave a slide deck. Salvador Cloud left an operating model the team is still using two years later.
What's NOT in scope
- External auditor role (we run the programme; you appoint the auditor)
- Day-to-day BAU compliance after certification (we transition to your team)
- Mass-market awareness training
Anonymised case study
See how this service plays out in practice.
Read the case study →
Frequently asked
Which frameworks do you cover?
ISO 27001, SOC 2, PCI DSS v4, GDPR, SOX ITGCs, DORA. Most engagements run more than one in parallel because the underlying controls overlap heavily; we map once and report many.
Can you take us from zero to ISO 27001 certified?
Yes. End-to-end ISO 27001 certifications have been delivered across regulated UK fintech, energy, and consumer finance. Typical timeline is 6–9 months from kickoff to external audit pass; we hold the pen on the ISMS, you hold the keys to the systems.
How does PCI DSS v4 differ from v3.2.1 in practice?
v4 adds the customised approach (defined-objective compliance), tighter authentication requirements, and explicit expectations on automation for control monitoring. The biggest engineering shift is the move toward continuous evidence rather than point-in-time attestation; we design the evidence pipeline alongside the controls.
What's the engagement model?
Discovery (2 weeks) → gap analysis + remediation plan (4 weeks) → remediation programme (variable, 2–6 months) → audit support (2 weeks). Throughout, we own the auditor relationship and translate technical evidence into auditor-readable artefacts.
Do you do internal audit?
We do GRC operating model design, audit-readiness review, and pre-audit walkthrough. We don't sign off as your independent internal audit function — that's an independence violation. We point you to partners who do.
Next step
Ready to scope this engagement?
No proposals, no pitching. We'll diagnose, scope, and price up front.