Services
Fixed-scope foundation sprints that build a coherent baseline: ownership, control narrative, and an evidence index that fits your stack.
Outcomes you can expect
This is built for day-to-day operations first, and reviewer scrutiny as a byproduct.
- Consistent security narrative you can reuse in due diligence
- Clear control ownership and governance
- Evidence index and collection plan
- Implementation notes to operationalise quickly
Works with Vanta/Drata and your existing policies and evidence store. No tool replacement required. No system access needed.
Not a GRC tool. Not templates to download. Not an MSP taking over operations.
Module coverage (explicit)
To avoid overpromising across frameworks, we only mark a module as “available” when the artefact library and delivery SOP exist and have been delivered successfully.
| Module | Status | What it covers | Notes |
|---|---|---|---|
| Procurement-ready baseline | Available | Questionnaires (for example SIG Lite), policy requests, and evidence requests. | Designed to unblock enterprise procurement reviews quickly. |
| NIS2 baseline | Available | Denmark-focused NIS2 operational baseline: governance, policies, procedures, and evidence structure. | No legal advice or formal scope determination. |
| ISO/IEC 27001 baseline | Pilot | Baseline artefacts and mapping towards ISO/IEC 27001 requirements. | Certification depends on implementation and an accredited certification body. No guarantee. |
| SOC 2 baseline | Pilot | Baseline artefacts and mapping for SOC 2 readiness. | A SOC 2 report is issued by a CPA firm. We do not perform the examination. |
| GDPR operational baseline | Roadmap | Planned module for operational GDPR documentation and evidence. | Not sold until the module is ready. |
If your requirement set is not listed, share it on the call. We will confirm fit and scope before committing.
Compare engagements at a glance
| Engagement | Coverage | Doc count | Mapping and evidence | Delivery | Revisions | Care Plan |
|---|---|---|---|---|---|---|
| Express Foundation Sprint (€1,200) | One baseline module: Procurement-ready baseline or NIS2 baseline. Pilot modules by confirmation. | 8 to 12 core docs | Included | 2 to 5 business days | 2 rounds | Optional |
| Core Foundation Sprint (€2,500, most popular) | One baseline module: Procurement-ready baseline or NIS2 baseline. Pilot modules by confirmation. | About 20 docs plus mappings | Included | 5 to 10 business days | 2 rounds | Included (year 1) |
| Dual-Framework Foundation Sprint (from €5,000) | Two requirement sets integrated (examples: ISO/IEC 27001 + SOC 2, ISO/IEC 27001 + NIS2, procurement due diligence + NIS2) | About 30 to 40 docs (crosswalk) | Included | 5 to 10 business days | 2 rounds | Included (year 1) |
| Enterprise Custom Engagement (from €10,000) | Multi-requirement scope and regulated environments (examples: complex audits, multi-stakeholder rollouts) | Defined in scope | Included | Scoped on call | Defined in scope | Defined in scope |
Doc counts vary slightly with scope and existing material. Each sprint section below gives the concrete artefact list.
Engagement details
Express Foundation Sprint
Fast baseline for one requirement set
What’s included
- Core policy set (starter scope)
- Evidence index and collection plan (starter)
- Reviewer-ready PDF export
- Implementation notes (operational playbook)
- One handover call
Artefact list (examples)
- Information Security Policy
- Access Control Policy
- Password and MFA Standard
- Asset inventory
- Risk register
- Security Awareness Procedure
- Incident Response Quick Guide
- Supplier Security Checklist
- Evidence checklist (starter)
- Implementation notes (starter)
Lists are representative. Your actual sprint is tailored to your tooling and owners without changing the fixed artefact structure.
After delivery, you still need to
- Assign document owners and approve the documents
- Configure controls in your environment (MFA, logging, backups)
- Start collecting evidence using the checklist (access reviews, vuln scans)
- Use the notes to close reviewer questions
Core Foundation Sprint (Most popular)
Audit readiness under a real deadline
What’s included
- ≈20-document suite (policies + procedures)
- Control mapping workbook
- Evidence index and collection plan
- Implementation notes and rollout playbook
- Two revision rounds
- Handover call
Artefact list (examples)
- Information Security Policy
- Risk Management Policy + Risk Register
- Access Control Policy + Joiner/Mover/Leaver procedure
- Logging and Monitoring Policy
- Backup and Restore Policy
- Secure Configuration Standard
- Vulnerability Management Procedure
- Change Management Procedure
- Incident Response Policy + Playbook
- Business Continuity overview + test checklist
- Supplier security policy and assessment
- Data Classification + Handling Standard
- Security Training and Awareness Procedure
- Exception or risk acceptance
- Control mapping workbook (your chosen requirement set)
- Evidence checklist (reviewer-ready)
- Implementation notes (with common pitfalls and evidence cues)
Lists are representative. Your actual sprint is tailored to your tooling and owners without changing the fixed artefact structure.
After delivery, you still need to
- Assign owners and approve the documents
- Implement and configure controls (MFA, access reviews, logging, backups)
- Run evidence activities (access reviews, vuln scans, supplier reviews)
- Use the checklist to keep reviewers satisfied
Dual-Framework Foundation Sprint
Two requirement sets in one coherent system
What’s included
- One coherent document set covering both frameworks or regulations
- Crosswalk mapping where relevant (for example ISO 27001 to SOC 2)
- Evidence checklist (dual-use)
- Implementation notes and rollout plan
- Two revision rounds
- Handover call
Artefact list (examples)
- Core suite (as in Core)
- Control mapping workbook for each framework or regulation
- Crosswalk worksheet where relevant (for example ISO 27001 to SOC 2)
- Evidence checklist (dual-use)
- Implementation notes and rollout plan
Lists are representative. Your actual sprint is tailored to your tooling and owners without changing the fixed artefact structure.
After delivery, you still need to
- Choose the audit order (ISO first, SOC first, or parallel)
- Assign owners and approve the documents
- Implement control operations and start evidence capture
- Use the crosswalk to avoid duplicated work in reviews
Enterprise Custom Engagement
Regulated or complex organisations with bespoke scope
What’s included
- Bespoke artefact list and timeline
- Custom mapping and evidence approach
- Stakeholder workshops as needed
- Defined revision policy in scope
Artefact list (examples)
- Defined during scoping
Lists are representative. Your actual sprint is tailored to your tooling and owners without changing the fixed artefact structure.
After delivery, you still need to
- Execute the agreed rollout plan and evidence plan
- Run governance cadence (risk reviews, access reviews, supplier reviews)
- Maintain versioning and change log (Care Plan optional)
Care Plan
Controlled maintenance for your baseline, with scheduled update cycles within defined limits.
What it covers
- Up to 4 update cycles per year (quarterly)
- Change log and versioning maintained
- Support for small organisational changes (roles, tools, vendors)
- Framework update guidance (documentation impact)
- Target response time: 3 to 5 business days for requests
- Pricing: €600 per year (Express), €1,200 per year renewal (Core), €1,800 per year renewal (Dual-Framework)
When updates happen
- Tooling changes (IdP, ticketing, logging, backups)
- Org changes (new teams, new owners, new vendors)
- Audit feedback requiring documentation changes
- Framework updates impacting document wording or evidence
What is not included
- New framework rollouts (scoped separately)
- Legal interpretation (GDPR/NIS2)
- Implementation work inside your environment