Compliance · Implementation · Fractional CISO

Compliance should be a byproduct.
Not the product.

Template platforms swap your company name into an 80-page policy and call it done. Auditors don't. We're the operators who actually implement ISO 27001, ISO 42001, SOC 2, EU AI Act and GDPR — so the certificate is just the receipt.

Founding team: Ex-Big 4 & mid-tier
Combined years: 30+ in IT advisory
Engagement: Outcome-based
01 / Where we come in

Your compliance platform generates policies.
Someone still has to run them.

The template-platform model · Most vendors

You get a policy library. You're on your own after that.

  • Name-swapped policies. Same templates, your logo. Auditors recognise them on sight.
  • A dashboard, not a control. Green ticks don't equal evidence an auditor will accept.
  • "Guidance only" consulting. You still write, review, implement, and run tabletop exercises.
  • Each framework, separately. Five overlapping checklists, five sets of work.
  • Audit day is your problem. Engineers pulled off-roadmap for two months of screenshot requests.
The Protectify model · Where we come in

We don't generate policies. We make them true.

  • Policies fit to your environment. Cloud topology, dev workflow, physical or remote — written for what you actually run.
  • Controls operated, not just documented. Tabletop CSIRT, vuln SLAs, change management, vendor risk — done with your team.
  • One implementation, every framework. ISO 27001, 42001, SOC 2, AI Act, GDPR mapped to a single control set.
  • We sit across from the auditor. Daily auditor calls, evidence pulls, clarifications — handled by us in your seat.
  • Platform-agnostic. Bring Vanta, Drata, Sprinto, or none. We work either way.
02 / What we actually do

The work that doesn't fit inside a SaaS dashboard.

01

Run the tabletop exercise.

CSIRT walkthroughs your auditor will sample — incident response, breach simulation, recovery drills. We facilitate; your team performs.

02

Enforce the vulnerability SLA.

30-day critical remediation isn't a line in a PDF; it's a cadence with your engineers. We instrument it and make it stick.

03

Wire change management into your pipeline.

Approved, tested, traceable deploys — adapted to your existing Git, CI and ticketing flow. No new ceremony for ceremony's sake.

04

Triage your vendor risk.

Sub-processor reviews, DPAs, security questionnaires, AI model providers — assessed and tracked, not just listed.

05

Curate evidence, not screenshots.

What an auditor will accept versus what they'll push back on — built into how your team works, not assembled in a panic.

06

Pick the right auditor.

A cheap certificate that falls apart in your customer's procurement review costs more than a real one. We help you choose.

03 / Frameworks & services

One control set. Every certificate that matters to your buyer.

Infosec · global

ISO/IEC 27001

The information security management system buyers ask for first. Stage 1 + Stage 2 readiness, surveillance, and recertification cycles.

ISMS scope · Annex A controls · Stage 1 / 2
AI governance · new

ISO/IEC 42001

The AI management system standard. Risk assessment, model lifecycle, transparency and human oversight — built to map directly to the EU AI Act.

AIMS · Model risk · Lifecycle
Trust services · US

SOC 2 · Type I & II

Type I design opinion in 8–12 weeks. Type II observation window scoped to your buyer's procurement gate, not your vendor's calendar.

Security · Availability · Confidentiality
EU regulation · staged

EU AI Act

Risk-tier classification, GPAI obligations, technical documentation, conformity assessment readiness. Aligned with your ISO 42001 work, not duplicated.

Risk tiering · GPAI · Conformity
Data protection · EU/UK

GDPR & UK GDPR

Records of processing, lawful basis, DPIAs, sub-processor governance, breach process. Plus DPO advisory where you need a named one.

RoPA · DPIA · DSAR · DPO advisory
Retainer · monthly

Fractional CISO

A named security leader in your exec channel — board reporting, customer security calls, vendor reviews, and the judgement calls your team shouldn't be making alone.

Board reporting · Customer calls · On-call
04 / How we work

Four phases. One fixed-fee commitment per certificate.

Week 0 – 2

Diagnose

Two-week control gap assessment against your target frameworks, mapped to your real environment — cloud, codebase, vendors, headcount.

Week 2 – 10

Implement

We embed with engineering and ops. Policies written, controls operated, evidence curated — adapted to your pipeline, not bolted on top of it.

Week 10 – 14

Audit

We brief, attend and respond. Auditor questions, screenshot requests, clarifications — we sit in your seat. Engineering keeps shipping.

Ongoing

Operate

Quarterly control reviews, surveillance audits, new product reviews, customer security questionnaires. Compliance as a steady state.

05 / Outcome-based pricing

You pay for the certificate.
Not the hours.

01 · Diagnostic · Two weeks

Compliance gap study

For founders mapping the road to their first enterprise deal.

Fixed fee · credited toward implementation
  • Control gap across up to two frameworks
  • Auditor & platform recommendation, vendor-neutral
  • Time-to-certificate plan and budget envelope
  • Executive readout with your investors if needed
03 · Fractional CISO · Monthly retainer

A named security leader

For teams past their first certificate who need a security voice in the room.

Monthly · cancellable quarterly
  • Named CISO in your Slack and exec channel
  • Customer security calls, vendor reviews, board reporting
  • Surveillance audits, recertification, new-framework scoping
  • On-call advisory for security incidents and disclosures
No hourly meters

One fixed fee. Tied to the certificate landing, not consultant hours logged.

No template tax

You don't pay us to rename a PDF.

No lock-in

Bring your own platform — Vanta, Drata, Sprinto, or none.

06 / The founding team

Three operators. Thirty plus years between Big 4 and mid-tier advisory.

IT Audit & SOC Lead
Managing Partner · IT Audit & Assurance
Ex-Big 4 · CISA · ISO 27001 LA

A decade embedded in Big 4 IT audit practices across the US, UK and India. Led SOC 1 and SOC 2 Type II examinations for fintech, SaaS and enterprise clients. Deep hands-on experience scoping audit windows, curating evidence packages, and managing auditor relationships from kick-off to certificate issuance.

Security & Fractional CISO Lead
Managing Partner · Security Engineering & vCISO
Ex-mid-tier · CISSP · CCSP

Twelve years in IT security advisory and fractional CISO engagements across regulated sectors. Built and operated SOC and incident-response programs at scale. Provides board-level security leadership, customer security calls, and on-call advisory for disclosures — the judgement layer that sits between your engineering team and your auditor.

Privacy & AI Governance Lead
Managing Partner · Data Protection & AI Governance
Ex-Big 4 · CIPP/E · ISO 42001 LA

Privacy and AI governance specialist with Big 4 roots. Delivered GDPR implementation programmes across regulated financial entities and was an early practitioner of ISO 42001 and EU AI Act readiness work. Leads records of processing, DPIAs, sub-processor governance, and DPO advisory where a named officer is required.

07 / Audit week

When the auditor asks, "who's the control owner here?" — we answer.

A real audit runs two months. Daily standups. Screenshot requests. Justification trails. The certificate is decided in those rooms, not in the policy PDF.

Your team should be shipping product. We sit in your seat with the auditor, defend the design, walk through the operating evidence, and clear the findings before they become qualifications.

Average client engineering hours during audit: 12 hrs / week
A 45-minute working session, not a sales call

Bring the auditor. Bring the questionnaire.
Bring whatever's stuck.

We'll spend the first thirty minutes on your actual situation and the last fifteen telling you whether you need us, a platform, both, or neither.

If we're not the right fit, we'll tell you in the call. No follow-up sequences.