Packages

Readiness programs for audit pressure, AI adoption, and identity risk.

Select a focused assessment, implementation sprint, or ongoing advisory retainer designed to move your organization from uncertainty to audit-ready authority.

Frameworks & practice areas
FrameworksSOC 2ISO 27001ITSG-33NIST CSFNIST AI RMFGDPRPHIPAHIPAA
Practice areasIAMPAMZero Trust
Service packages

B2B GRC and compliance sprints that convert.

Four primary offers built around specific commercial outcomes, fixed timelines, and premium deliverables. Experience credentials grounded in 13+ years of enterprise and federal security leadership.

Flagship AI engagementFixed-fee CAD $14,000

AI Governance & Shadow AI Assessment

2-week sprint

50% (CAD $7,000) credited toward subsequent AI Governance or AIGuardium engagement signed within 30 days.

Best fit

For organizations adopting ChatGPT, Copilot, Claude, Gemini, or AI-enabled SaaS without clear guardrails.

Primary outcome

Discover unmanaged AI usage, reduce data exposure, and produce an executive-ready AI governance roadmap.

Core outputs

  • Shadow AI discovery and risk inventory
  • AI acceptable-use policy and data-handling rules
  • AI vendor and tool risk review
  • Executive AI risk report and remediation roadmap
  • AIGuardium pilot integration and advisory roadmap
SaaS trust acceleratorFrom CAD $18,000

SOC 2 Readiness Sprint

4-week sprint

Fixed-fee readiness sprint

Best fit

For SaaS, AI, fintech, and B2B teams responding to enterprise customer security reviews.

Primary outcome

Move from scattered controls to a structured SOC 2 readiness plan with evidence owners and audit-prep priorities.

Core outputs

  • Trust Services Criteria gap assessment
  • Control and evidence mapping
  • Policy and documentation pack priorities
  • Risk register and remediation roadmap
  • Audit-support plan and executive summary
Canadian public sector alignmentScoped proposal · custom SOW

ITSG-33 Security Assessment Support

3–8 weeks

Federal procurement-ready · scoped SOW · 3 business days

Best fit

For Canadian government vendors, public-sector teams, and regulated organizations requiring ITSG-33-aligned security support.

Primary outcome

Translate security controls, risks, and evidence into an assessment-ready package aligned to Canadian public-sector expectations.

Core outputs

  • ITSG-33 control alignment review
  • Security assessment gap analysis
  • Risk treatment and remediation roadmap
  • Evidence package planning & SOW support
  • Executive findings report for leadership or assessors
Recurring executive leadershipStarting from CAD $7,500/month

Virtual CISO Advisory Retainer

Monthly retainer

Subject to a 3-month minimum commitment

Best fit

For organizations requiring senior security leadership without a full-time CISO hire.

Primary outcome

Ongoing security roadmap ownership, executive reporting, audit readiness, vendor oversight, and governance support.

Core outputs

  • Monthly executive risk review
  • Security roadmap and policy oversight
  • Board-ready reporting and risk register maintenance
  • SOC 2, ISO 27001, ITSG-33, or AI governance support
  • Incident readiness and vendor-risk advisory

*Starting price assumes defined scope and standard evidence availability. Final fee depends on systems, evidence maturity, and timeline. Implementation support is scoped separately.*

Secondary Offerings

Implementation & Scoped Specialties

Advisory frameworks establish the roadmap. When you need direct engineering support, we provide targeted implementation specialties scoped entirely to your findings.

Scoped after assessment

IAM & PAM Modernization

Target Profile: For teams with manual access reviews, privileged-account sprawl, or audit pressure.

Primary Focus: Okta, Entra ID, SailPoint, CyberArk, and BeyondTrust roadmap design.

Scoped after assessment

Zero Trust Architecture

Target Profile: For conditional access, segmentation, and continuous identity verification.

Primary Focus: Identity-first maturity roadmap and platform integration scoping.

Scoped after assessment

Custom IT & Security Solutions

Target Profile: For secure internal systems, portals, integrations, and automated compliance workflows.

Primary Focus: Bespoke software build scoped to your precise operations.

Scoped after assessment

PHIPA / HIPAA Readiness

Target Profile: For healthcare, health-tech, and service teams handling regulated health information.

Primary Focus: Privacy-security gap review, control roadmap, and evidence priorities for PHIPA, HIPAA, PIPEDA, and related obligations.

Artifact-Shaped Proof

Sanitized deliverables built for scrutiny.

We don't rely on generic testimonials. Our credibility is grounded in the high-fidelity strategic artifacts, Gap Registers, and ISMS roadmaps we deliver directly to leadership and auditors.

REDACTED
4RHD Solutions · Client Assessment
EXECUTIVE AI GOVERNANCE & SHADOW AI ASSESSMENT
Target Scope: Canadian regulated financial entity [REDACTED]
Practitioner: E. OnuohaDate: 2026-05-27

Executive Risk Report Cover Page

Provides board-level risk scoring, active Shadow AI tool tallies, and policy-remediation priorities mapped to the NIST AI Risk Management Framework.

TSC CRITERIA4RHD GAP REVIEWREMEDIATION ACTION
CC6.1 (Access Control)[GAP] Manual access review pathDeploy CyberArk JIT authorization
CC7.1 (Vulnerability)[GAP] Untracked SaaS endpointsIntegrate browser GRC discovery tool
CC8.1 (Change Mgmt)[OK] PR merge approvals trackedAutomated Github audit trail active
Showing 3 of 84 mapped criteria. Mapped once across SOC 2 and ISO 27001 frameworks.

Sanitized GRC Gap Matrix

Maps existing technical controls directly to Trust Services Criteria (SOC 2) and ISO 27001 control domains, identifying evidence owners immediately.

READINESS SPRINT ROADMAP4-WEEK TRACK
W1
System Scoping & Assessment
Define boundary, map data assets.
W2
Control Design & Owner Sync
Map existing evidence, identify gaps.
W3
Remediation & Policy Drafting
Author templates, adjust configurations.

Readiness Roadmap Sample

Breaks down the 4-week compliance sprint into weekly milestones, specifying active technical dependencies and exact owner responsibilities.

Anonymized Engagement Signals
B2B FINTECH SAAS

SOC 2 Type I readiness program completed in 4.5 weeks. Customer reviews satisfied.

GOVERNMENT SERVICES VENDOR

ITSG-33 tailored assessment evidence package approved by PSPC department assessors.

Historical performance only; future outcomes are subject to independent auditor pass criteria.

Anonymized Outcome Records

Demonstrates proven delivery metrics across North American regulated sectors, SaaS vendors, and Canadian public-sector procurement.

Not sure which package fits your current obligations?

A strategy call maps your current business pressure (customer security reviews, SOC 2, ISO 27001, ITSG-33, AI governance, IAM/PAM, or vCISO) to the smallest practical engagement that creates momentum.