[ ISO 27001 / SOC 2 ]
Enterprise buyers ask for ISO 27001 or SOC 2 increasingly often. The cert opens deals worth hundreds of thousands of euros — but the preparation work is months of policy authoring, evidence collection, and auditor coordination. We do all of it.
Fixed-price engagement covering the full preparation cycle. The price doesn’t change if it takes longer; we take the risk on duration.
Detailed assessment of where you are today vs the control framework. Prioritised by audit-blocking severity. You see the full work list before signing.
The full policy suite written to your business: information security, acceptable use, access management, incident response, supplier management, change management, business continuity, disaster recovery.
Technical controls deployed: MFA enforcement, logging configuration, vulnerability management, encryption at rest, backup verification, vendor risk assessment processes. Real implementation, not "we’ll write a document about it."
The evidence room every auditor asks for: access reviews, change logs, vulnerability scan history, training completion, vendor reviews, business continuity tests. Organised by control, ready to hand over.
We work with your chosen auditor directly. We coordinate the audit timeline, prepare your team for interviews, respond to evidence requests, and manage findings remediation between ISO 27001 Stage 1 and Stage 2, or across the SOC 2 Type I report and the Type II observation period.
Once certified, the work isn’t over. Annual surveillance audits, continuous monitoring evidence collection, policy review cadence. Optional retainer keeps it all running.
ISO 27001:2022 control A.8.8 (management of technical vulnerabilities) requires you to identify the technical vulnerabilities you are exposed to, evaluate them, and take measures. SOC 2 CC7.1 requires detection and monitoring procedures that identify configuration changes introducing new vulnerabilities and susceptibility to newly discovered ones. Neither names penetration testing outright, but auditors for both routinely ask for external testing results as evidence that the process works in practice, which means our penetration testing service is already producing an artefact your auditor will want. Bundling the two means the testing cadence, the remediation tracking, and the audit evidence all run in one stream, not three.
Our vCISO retainer typically rounds out the engagement: someone owns the security programme on an ongoing basis, attends the audit, and represents your business in front of the auditor.
Every promise on this block is grounded in something we kept hearing customers complain about elsewhere. We picked the opposite as our default.
Agent-managed workflows handle the daily and weekly work. You see results in plain language every week — not "we’ll check in at the end of the quarter."
Your engagement is owned by one senior person from day one. No bait-and-switch to a junior team after the contract is signed. No reassignments every few months.
Every price is on our pricing page. Month-to-month after the initial term. 30-day cancellation. No renewal surprises, no "inflation adjustment," no exit interview.
Code, data, playbooks, architecture decisions — all documented and handed over. We’re here to make ourselves useful, not indispensable.
From €15,000 per certification cycle. Tell us which cert you’re going for and what evidence you already have — we’ll come back with a scope.
Contact us → Penetration Testing →