
Compliance & Risk Assessments

Audit evidence, not audit theatre.

Structured evaluation of security controls against regulatory requirements and industry standards.

  • 8 frameworks: ISO · SOC 2 · PCI · HIPAA · NIST · CSF · CIS · PIPEDA
  • 1:1 mapping: control → evidence → owner
  • < 90 days: avg. gap-to-remediation
  • CPA-signed: attestation-grade artifacts
Overview

Risk-based assessments provide detailed gap analysis, remediation roadmaps, and strategic recommendations to ensure compliance and measurable risk reduction. Coverage across HIPAA, ISO 27001, PCI DSS, SOC 2, and sector-specific frameworks.

What you receive
  • Gap analysis
  • Control mapping (HIPAA · ISO 27001 · PCI · SOC 2)
  • Remediation roadmap
  • Board-ready risk scorecard
  • Evidence repository template
Cadence
7-day sprint · ongoing optional
Compliance mapping
  • ISO 27001 / 27701
  • SOC 2 Type I & II
  • PCI DSS v4
  • HIPAA Security Rule
  • NIST CSF / SP 800-53
  • PIPEDA / GDPR / CCPA
Outcomes
  • Unified control library across frameworks
  • Evidence-automated controls with drift detection
  • Board-ready risk scorecard in dollars
  • Auditor-first documentation package
Methodology

How the engagement runs. Phase by phase.

PHASE 01

Scoping + framework selection

Applicable frameworks, boundaries, Type I vs. Type II.

1 week
PHASE 02

Current-state assessment

Control walk-through, evidence sampling, interview key owners.

2–4 weeks
PHASE 03

Gap analysis + risk ranking

Findings matrix, FAIR-quantified risks, remediation effort estimate.

1 week
PHASE 04

Remediation roadmap

Sequenced plan with owners, due dates, dependencies, and evidence targets.

1 week
PHASE 05

Remediation execution + evidence build

Direct support for closing gaps and building audit artifacts.

4–10 weeks
PHASE 06

Audit-readiness review

Dry-run with an auditor's perspective, gap-closure of weak evidence.

1–2 weeks
Tools & stack

What we actually use. No secrets.

Every tool earns its place. We publish our stack so your team can audit, review, and integrate with what we bring.

Platform
  • Drata / Vanta / Tugboat
    Continuous control monitoring and evidence automation
GRC
  • OneTrust / LogicGate
    Enterprise risk register and control library management
Mapping
  • Custom control matrices
    Cross-framework control consolidation (ISO ↔ SOC 2 ↔ PCI)
Automation
  • OpenSCAP + NIST OSCAL
    Machine-readable control state and evidence
Workflow
  • Jira + Confluence governance templates
    Audit-ready ticketing and documentation hygiene
Storage
  • Evidence vault (SharePoint / S3-WORM)
    Immutable, versioned evidence with retention policy
Documentation
  • Data-flow mapping (Mermaid + custom)
    Visual DFDs for HIPAA / GDPR / PCI
Risk
  • Risk-quantification (FAIR)
    Dollar-value risk modeling for executive conversations
Techniques

How we do the work. Not just what.

T.01

Single control library

We map your controls once, then apply them to every framework. One SOC 2 CC6.1 control can satisfy ISO A.9, PCI 7.1, and HIPAA §164.308(a)(4) simultaneously.
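
A minimal version of that single control library, added here as an illustration rather than the page's own tooling. The requirement identifiers CC6.1, A.9, 7.1 and 164.308(a)(4) are the ones named above; the control ids, owners, evidence sources and the rest of the requirement catalogue are constructed placeholders. The example also computes the shared-control ratio the metrics section targets and surfaces requirements that no control covers.

```python
# Added example (not the page's own tooling): a minimal cross-framework control
# library. Requirement identifiers CC6.1, A.9, 7.1 and 164.308(a)(4) come from
# the page; every other identifier, owner and evidence source is constructed.
from collections import defaultdict

# Requirements each framework expects to be covered (constructed catalogue).
REQUIREMENTS = {
    "SOC2": {"CC6.1", "CC6.2", "CC7.2"},
    "ISO27001": {"A.9", "A.12.4", "A.16"},
    "PCI": {"7.1", "10.2"},
    "HIPAA": {"164.308(a)(4)", "164.312(b)"},
}

# Internal controls, written once and mapped to every requirement they satisfy.
CONTROLS = [
    {"id": "AC-01", "name": "Access provisioning and quarterly access review",
     "owner": "iam-lead", "evidence": "IdP access-review export",
     "maps": {"SOC2": "CC6.1", "ISO27001": "A.9", "PCI": "7.1",
              "HIPAA": "164.308(a)(4)"}},
    {"id": "LG-01", "name": "Centralised audit logging with retention",
     "owner": "secops", "evidence": "SIEM retention query",
     "maps": {"SOC2": "CC7.2", "ISO27001": "A.12.4", "PCI": "10.2",
              "HIPAA": "164.312(b)"}},
    {"id": "IR-01", "name": "Incident response plan and annual tabletop",
     "owner": "ciso", "evidence": "Tabletop minutes",
     "maps": {"ISO27001": "A.16"}},
]

def shared_controls(controls):
    """Controls that satisfy two or more frameworks: the reusable core."""
    return [c["id"] for c in controls if len(c["maps"]) >= 2]

def overlap_ratio(controls):
    """Share of the library that is cross-framework; the page targets >= 55 %."""
    return len(shared_controls(controls)) / len(controls)

def uncovered_requirements(controls, requirements):
    """Requirements with no mapped control: the gaps the assessment must surface."""
    covered = defaultdict(set)
    for c in controls:
        for fw, req in c["maps"].items():
            covered[fw].add(req)
    return {fw: sorted(reqs - covered[fw])
            for fw, reqs in requirements.items() if reqs - covered[fw]}

def evidence_owners(controls, framework):
    """Auditor view for one framework: requirement -> (control, evidence, owner)."""
    return {c["maps"][framework]: (c["id"], c["evidence"], c["owner"])
            for c in controls if framework in c["maps"]}
```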

T.02

Evidence-first design

Every control is paired with its evidence source (log query, policy doc, screenshot, ticket) before the audit, not during.

T.03

Risk-based prioritization

We rank gaps by likelihood × impact, not by checklist completeness. 70% of your effort goes to the 10% of controls that matter.

T.04

FAIR-aligned quantification

For executives: translate compliance gaps into annualized loss expectancy in dollars. Moves the conversation from 'maybe' to decision.
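
The likelihood × impact ranking of T.03 and the dollar quantification of T.04 in one worked example, added here and not the page's own model. It is a deliberately simplified point-estimate FAIR calculation (annualized loss expectancy = loss-event frequency × loss magnitude); real FAIR work uses ranges and simulation. The findings, costs and the budget figure are constructed.

```python
# Added example, not the page's own model: a simplified point-estimate FAIR
# calculation. ALE = loss-event frequency (events/year) x loss magnitude ($).
# Real FAIR analyses use ranges and simulation; all findings here are constructed.
from dataclasses import dataclass

@dataclass
class Finding:
    id: str
    lef: float        # loss-event frequency, events per year (likelihood)
    magnitude: float  # loss magnitude per event, dollars (impact)
    fix_cost: float   # estimated one-off remediation cost, dollars

    @property
    def ale(self):
        """Annualized loss expectancy: likelihood x impact, in dollars per year."""
        return self.lef * self.magnitude

FINDINGS = [
    Finding("F-01", lef=0.5, magnitude=2_000_000, fix_cost=150_000),   # ALE 1,000,000
    Finding("F-02", lef=2.0, magnitude=50_000, fix_cost=20_000),       # ALE 100,000
    Finding("F-03", lef=0.25, magnitude=1_600_000, fix_cost=300_000),  # ALE 400,000
    Finding("F-04", lef=12.0, magnitude=1_000, fix_cost=40_000),       # ALE 12,000
    Finding("F-05", lef=0.5, magnitude=20_000, fix_cost=5_000),        # ALE 10,000
]

def rank_by_ale(findings):
    """Risk-based order: highest annualized loss first, not checklist order."""
    return sorted(findings, key=lambda f: f.ale, reverse=True)

def plan_within_budget(findings, budget):
    """Fund the highest-ALE gaps the budget allows; everything else goes to
    a documented risk-acceptance decision. Returns (funded ids, ALE addressed,
    accepted ids)."""
    funded, accepted, spent, addressed = [], [], 0.0, 0.0
    for f in rank_by_ale(findings):
        if spent + f.fix_cost <= budget:
            funded.append(f.id)
            spent += f.fix_cost
            addressed += f.ale
        else:
            accepted.append(f.id)
    return funded, addressed, accepted

def acceptance_register(findings, accepted_ids):
    """Residual risk carried by each accepted finding, dollars per year."""
    return {f.id: f.ale for f in findings if f.id in accepted_ids}
```

With a constructed budget of $200,000 the plan funds F-01, F-02 and F-05 and addresses $1.11M of annualized loss, leaving F-03 and F-04 on the acceptance register with their dollar exposure stated.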

T.05

Auditor-first documentation

Every artifact is structured the way auditors actually read them. Your first audit is smoother because we wrote it for the reader.

T.06

Continuous, not point-in-time

Controls are instrumented for drift detection. You don't discover failure the week of your renewal.
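
An illustration of the evidence-first pairing in T.02 and the drift detection described here, added as example code rather than the page's own monitoring. Each control carries its evidence source type (log query, ticket, screenshot, policy document) and the age at which that evidence is treated as drift; the age limits, control ids, owners and dates are all constructed.

```python
# Added example (not the page's own monitoring code): evidence freshness checks
# for an evidence-first control library. Each control names its evidence source
# and the age at which that evidence counts as drift. All data is constructed.
from datetime import date

# Maximum acceptable evidence age in days by source type (constructed policy).
MAX_AGE_DAYS = {"log_query": 7, "ticket": 30, "screenshot": 90, "policy_doc": 365}

# control, owner, evidence type, date last collected, whether the pull returned data
EVIDENCE = [
    {"control": "AC-01", "owner": "iam-lead", "type": "screenshot",
     "collected": date(2024, 1, 10), "present": True},
    {"control": "LG-01", "owner": "secops", "type": "log_query",
     "collected": date(2024, 3, 20), "present": True},
    {"control": "IR-01", "owner": "ciso", "type": "policy_doc",
     "collected": date(2023, 2, 1), "present": True},
    {"control": "CH-01", "owner": "eng-mgr", "type": "ticket",
     "collected": date(2024, 3, 1), "present": False},
]

def drifted(evidence, today):
    """Controls whose evidence is missing or older than its allowed age."""
    out = []
    for e in evidence:
        limit = MAX_AGE_DAYS[e["type"]]
        age = (today - e["collected"]).days
        if not e["present"]:
            out.append((e["control"], e["owner"], "empty pull"))
        elif age > limit:
            out.append((e["control"], e["owner"], f"stale by {age - limit} days"))
    return out

def empty_rate(evidence):
    """Fraction of controls whose last evidence pull came back empty."""
    return sum(1 for e in evidence if not e["present"]) / len(evidence)

def owner_worklist(evidence, today):
    """Group drift by owner so each remediation ticket lands with one person."""
    work = {}
    for control, owner, reason in drifted(evidence, today):
        work.setdefault(owner, []).append(f"{control}: {reason}")
    return work
```

Run weekly against the evidence vault, the worklist is what turns into remediation tickets long before the renewal audit.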

From the field

Real problems. Real fixes.

Anonymized incidents from actual engagements: what broke, why it mattered, and how we fixed it.

01
Problem

Client was chasing SOC 2 and ISO 27001 separately with two different consultants. 60% duplicate work.

Impact

Budget was exhausted before either audit. Controls were inconsistent across frameworks.

Resolution

Built a unified control library mapped to both frameworks. 85 controls collapsed to 42 shared + 12 framework-specific. Delivered both audits in one cycle at 70% of the combined original cost.

02
Problem

Three-year-old ISO ISMS was theoretical. Policies existed, evidence didn't.

Impact

Surveillance audit in 6 weeks, and the first pull of control evidence returned empty for 40% of controls.

Resolution

Triaged by audit-criticality, closed 25 evidence gaps in 3 weeks via log queries + ticket retrofit. Remaining 15 controls re-scoped or remediated before audit. Passed with 2 minor non-conformities.

03
Problem

HIPAA risk assessment flagged 140 findings. No way to fix them all before year-end.

Impact

Board demanded a defensible prioritization without security theatre.

Resolution

Ran FAIR analysis on top 30 findings. Board approved a $1.2M prioritized plan targeting $11M of quantified annualized loss. Remaining findings documented with compensating controls and scheduled.

Data model

Control + evidence lifecycle

From framework requirement to auditor evidence.

Frameworks → Unified control library → Current-state assessment → Gap + risk rank → Remediation tickets → Evidence vault (WORM) → Auditor package
(Stage types: input · process · store · output)
Metrics we ship against

Targets, not promises.

Metric                            | Our target            | Baseline (industry avg)
Control overlap across frameworks | ≥ 55% shared          | Siloed approach: 0%
Evidence automation               | ≥ 70% of controls     | Manual-only avg: 15%
First-audit finding rate          | 0 material, ≤ 3 minor | Industry avg: 2 material, 8 minor
Remediation cycle time            | < 60 days Sev-1       | Industry avg: 180 days
Questions we hear

Answered plainly.

Can you do multiple frameworks at once?
Yes. That's where we add the most value. A unified control library lets ISO, SOC 2, PCI, and HIPAA share 50–70% of work.
Do you act as auditor?
No — we are your consultant. We prepare you for independent auditors (a CPA firm for SOC 2, a certification body (CB) for ISO). This preserves attestation independence.
What if we already have a GRC platform?
We work with Drata, Vanta, OneTrust, Tugboat, or your in-house. Our deliverables plug into your control library, not replace it.
How do you handle risk acceptance?
We use FAIR to quantify annualized loss expectancy in dollars. Risk acceptance is a defensible, documented executive decision — not a checkbox.
Next step

Scope a compliance engagement.

30-minute scoping call. You'll talk to an operator, not a BDR.