Packages

Readiness programs for audit pressure, AI adoption, and identity risk.

Select a focused assessment, implementation sprint, or advisory retainer designed to move an organization from uncertainty to executive-ready action.

Frameworks & focus areas
SOC 2, ISO 27001, ITSG-33, NIST CSF, NIST AI RMF, GDPR, PHIPA, HIPAA, IAM, PAM, Zero Trust

Frameworks and regulations

SOC 2, ISO 27001, ITSG-33, NIST CSF, NIST AI RMF, GDPR, PHIPA, and HIPAA are translated into one control roadmap where requirements overlap.

Anonymized outcomes

Typical engagement outputs include evidence owners, remediation sequencing, executive risk summaries, policy priorities, and audit-support narratives.

Credentials and operating evidence

The work is grounded in enterprise security, IAM/PAM, GRC, AI governance, public-sector assessment support, and defensible documentation.

Service packages

High-value engagements scoped for clarity.

Each package is scoped around one business pressure, one primary outcome, and a short list of executive-ready outputs.

Flagship AI engagement

AI Governance & Shadow AI Assessment

2–4 weeks · Assessment or implementation sprint

Best fit

For organizations adopting ChatGPT, Copilot, Claude, Gemini, or AI-enabled SaaS without clear guardrails.

Primary outcome

Discover unmanaged AI usage, reduce data exposure, and produce an executive-ready AI governance roadmap.

Core outputs

  • Shadow AI discovery and risk inventory
  • AI acceptable-use policy and data-handling rules
  • AI vendor and tool risk review

Additional scope is finalized during discovery.

SaaS trust accelerator

SOC 2 Readiness Sprint

4–6 weeks · Fixed-scope readiness sprint

Best fit

For SaaS, AI, fintech, and B2B teams responding to enterprise customer security reviews.

Primary outcome

Move from scattered controls to a structured SOC 2 readiness plan with evidence owners and audit-prep priorities.

Core outputs

  • Trust Services Criteria gap assessment
  • Control and evidence mapping
  • Policy and documentation pack priorities

Additional scope is finalized during discovery.

Security management system

ISO 27001 Readiness & ISMS Program

6–12 weeks · Readiness assessment or implementation program

Best fit

For organizations preparing for ISO 27001 certification or building a stronger security management program.

Primary outcome

Define ISMS scope, risk methodology, control roadmap, and operating model without overwhelming the team with documentation.

Core outputs

  • ISO 27001 gap assessment
  • ISMS scope and Statement of Applicability support
  • Risk assessment methodology and treatment plan

Additional scope is finalized during discovery.

Canadian public sector alignment

ITSG-33 Security Assessment Support

3–8 weeks · Assessment, evidence preparation, or remediation roadmap

Best fit

For Canadian government vendors, public-sector teams, and regulated organizations requiring ITSG-33-aligned security support.

Primary outcome

Translate security controls, risks, and evidence into an assessment-ready package aligned to Canadian public-sector expectations.

Core outputs

  • ITSG-33 control alignment review
  • Security assessment gap analysis
  • Risk treatment and remediation roadmap

Additional scope is finalized during discovery.

Identity risk reduction

IAM / PAM Modernization Program

4–12 weeks · Assessment, roadmap, or implementation support

Best fit

For teams with manual access reviews, fragmented identity systems, privileged-account sprawl, or audit pressure.

Primary outcome

Reduce identity and privileged-access risk with a practical roadmap for Okta, Entra ID, SailPoint, CyberArk, or BeyondTrust environments.

Core outputs

  • IAM/PAM current-state assessment
  • Joiner-mover-leaver and access review maturity review
  • Privileged account discovery approach

Additional scope is finalized during discovery.

Recurring executive leadership

Virtual CISO Advisory Retainer

Monthly retainer · 3–6 month minimum advisory engagement

Best fit

For organizations requiring senior security leadership without a full-time CISO hire.

Primary outcome

Ongoing security roadmap ownership, executive reporting, audit readiness, vendor oversight, and governance support.

Core outputs

  • Monthly executive risk review
  • Security roadmap and policy oversight
  • Board-ready reporting and risk register maintenance

Additional scope is finalized during discovery.

Not sure which package fits?

A strategy call maps your business pressure — customer security reviews, SOC 2, ISO 27001, ITSG-33, AI governance, IAM/PAM, or vCISO — to the smallest practical engagement that creates momentum.