GRC & Compliance Audit

ISO 27001, PCI DSS, SOC 2 & Regulatory Compliance, Made Audit-Ready

Governance, risk and compliance work only counts if it survives an external audit. We build the policies, controls and evidence trail your assessor actually expects to see.

ISO/IEC 27001:2022PCI DSSSOC 2GDPRHIPAAEU NIS2DORACRA 2027EU AI ActDPDP Act 2023CERT-InRBISEBI CSCRFIRDAIUAE NESASaudi NCA ECCSAMA CSFPDPLBCP/DRP
What's Included

Frameworks we take you through, end to end

ISO/IEC 27001:2022 Readiness

Gap assessment, ISMS design, Statement of Applicability, and internal audit support ahead of certification.

PCI DSS Compliance

Scoping, control implementation and QSA-ready evidence for merchants and payment service providers.

SOC 2 Readiness (Type I & II)

Trust Services Criteria mapping and control design ahead of your SOC 2 audit.

GDPR & Data Privacy

Data mapping, lawful-basis review and privacy control implementation for organisations handling EU personal data.

HIPAA Compliance

Administrative, physical and technical safeguard review for healthcare and healthtech platforms.

RBI Cyber Security Framework

Control alignment for NBFCs, fintechs and payment platforms regulated by the RBI.

SEBI CSCRF Compliance

Cyber security and cyber resilience framework alignment for SEBI-regulated entities.

IRDAI Compliance Audit

Information and cyber security control review for insurance sector entities.

DPDP Act 2023 (India)

Readiness for India's Digital Personal Data Protection Act — data-principal rights, consent management and breach-notification controls.

CERT-In Directions

Alignment with CERT-In's 2022 cyber security directions: logging, incident reporting timelines and audit evidence.

BCP / DRP Planning

Business continuity and disaster recovery planning, tested through tabletop exercises.

European, Middle East & International Readiness

Exporting to the EU or the Gulf? We get you ahead of the regulation wave

Indian service providers and product companies working with European and Middle East clients are increasingly asked to prove conformity with local cyber law. We build that evidence before your customers or regulators ask.

EU NIS2 Directive

Gap assessment and control alignment against NIS2 for essential/important entities and their supply-chain partners — governance, risk management and incident-reporting obligations.

DORA (Financial Sector)

Digital Operational Resilience Act readiness for financial entities and their ICT third-party providers — resilience testing, incident classification and register-of-information support.

Cyber Resilience Act (CRA)

Get ahead of the CRA's core obligations (broadly applying from 2027) for products with digital elements — secure-by-design, vulnerability handling and SBOM/lifecycle evidence.

EU AI Act

Risk-classification and governance mapping for AI systems placed on the EU market, aligned with our AI & LLM Security practice and ISO/IEC 42001.

GDPR (EU)

Data mapping, lawful-basis review, DPIAs and cross-border transfer safeguards for organisations handling EU personal data.

UAE — NESA & DESC

Alignment with UAE Information Assurance (NESA/SIA) standards, Dubai's DESC ISR, and ADHICS for healthcare entities in Abu Dhabi.

Saudi Arabia — NCA ECC & SAMA

Readiness for the National Cybersecurity Authority's Essential Cybersecurity Controls (ECC) and the SAMA Cyber Security Framework for the financial sector.

Qatar — NIA

National Information Assurance (NIA) policy alignment and Qatar Central Bank cyber requirements for regulated entities.

Gulf Data Protection (PDPL)

Saudi & UAE Personal Data Protection Law readiness — data-subject rights, consent, cross-border transfer and breach-notification controls.

ISO/IEC 42001 & NIST AI RMF

AI management-system and AI risk-framework readiness — increasingly requested alongside traditional security compliance.

Our Process

How the engagement runs

Scope

A short call to align on assets, timelines and compliance targets.

Test

Manual, expert-led testing augmented by AI-assisted analysis.

Report

Business-risk-ranked findings with reproducible proof-of-concept.

Retest

One included retest cycle plus an attestation letter.

FAQs

Common questions

Typically 8–16 weeks depending on organisational maturity and scope, covering gap assessment, control implementation, and internal audit before your certification body audit.

No — certification is issued by accredited certification bodies / QSAs. We prepare you to pass that audit and can support liaison with your chosen certifying body.

GRC delivers structured governance, documented controls and audit-ready evidence. vCISO provides ongoing security leadership and execution. Many clients run both in parallel — see our vCISO page for the distinction.

Yes — many controls overlap. We map a single control set to multiple frameworks where possible to reduce duplicate effort.

Yes. We run gap assessments and control-alignment programs for EU NIS2, DORA, the Cyber Resilience Act (CRA, broadly applying from 2027) and the EU AI Act — increasingly required of Indian service providers and product companies exporting to Europe.

Ready to scope this engagement?

Get a fixed-price quote within one business day.