Compliance readiness that doesn’t take over your company
A customer or market now requires SOC 2, ISO 27001, HIPAA, or a privacy framework. The goal is to get there without turning your roadmap into an audit project.
One program, many frameworks
The treadmill version of compliance treats every framework as a separate project: a SOC 2 project this year, an ISO project next year, a HIPAA scramble when the health-system deal shows up. Each one starts from scratch. Each one exhausts your team a little more.
I build it the other way: one coherent security program — one set of policies, one evidence library, one risk register — mapped outward to every framework your markets demand. The second certification costs a fraction of the first. The fifth is mostly paperwork.
What working together looks like
Gap assessment
Where you stand against the framework that’s gating your deal — scoped honestly, including what you can defer.
Pragmatic remediation
Close the gaps that matter, in priority order, with your engineers getting specific asks — not a 300-row spreadsheet.
Audit support
I sit with you through auditor selection, evidence review, and the audit itself — as your security leader, not a bystander.
Frameworks covered
SOC 2, ISO 27001, HIPAA and PHIPA, GDPR, and the newer arrivals — NIS2 and DORA in the EU, national schemes like Cyber Essentials and BSI IT-Grundschutz, CMMC and CPCSC for defence-adjacent work. The full list, grouped by the market each one unlocks, is in the frameworks guide.
If your framework isn’t on the list, the program-first approach still applies — that’s the point of it.
Where compliance platforms fit
Tools like Vanta and Drata are genuinely useful — I use them with clients. They collect evidence and monitor controls well. What they don’t do is make scoping decisions, negotiate with auditors, or take accountability when a customer’s security team pushes back. The platform needs an owner. I work with your tools, not against them.
FAQ
How long does SOC 2 take?
For most seed-to-Series-B companies: three to six months to a Type 1, then a Type 2 observation window of three to twelve months. If someone promises two weeks, ask what they’re skipping.
Our customer wants SOC 2 — should we do ISO 27001 instead?
Usually you do what the customer asks. But if your market is global or security-mature, ISO can be the better long-term anchor. This is exactly the kind of call we make together, based on your pipeline.
Do we need to pause feature work?
No. A well-scoped readiness effort runs alongside your roadmap. The failure mode is trying to do everything at once — which is a scoping problem, not a compliance requirement.
What if we fail the audit?
Audits aren’t pass/fail surprises when the readiness work is honest. We don’t book the auditor until the evidence says you’re ready.
A certification deadline on the horizon?
The next step is a 30-minute conversation — no pitch, no obligation. An honest read on where you stand and what actually matters next.