Governance and Assurance

Our security governance and assurance services help organisations build security programmes that work in practice. 

Governance vs Reality

Most organisations know they need structured security governance. Clients are asking for ISO 27001 certificates. Regulators expect documented controls. Boards want assurance that risk is being managed.

The problem is that governance programmes often become compliance exercises. Policies get written to satisfy auditors rather than to guide decisions. Controls are documented but never tested. The management system exists on paper but has no connection to daily operations.

This creates two risks. First, the organisation spends time and resources on a framework that does not improve security. Second, when something goes wrong, the gap between documented controls and practice becomes a liability.

Governance should describe how your organisation manages security in practice. If the management system does not reflect reality, it is not governance. It is theatre.

Our Governance and Assurance Services

Security Maturity Assessments

A structured evaluation of your current security programme against a recognised framework. We assess people, processes, and technology to give you a clear picture of where you stand, where the gaps are, and what to prioritise.

Secure Software Development Lifecycle

Implement a secure software development lifecycle built around recognised secure development practices, including OWASP SAMM, Microsoft SDL, NIST SSDF, and DevSecOps-aligned controls. We help you embed security across design, development, testing, release, and deployment, with clear ownership, practical guardrails, and processes that work in real delivery environments.

ISO 27001 Implementation

Build an information security management system that works for your organisation, not just for the auditor. We help you define scope, implement controls, establish risk management processes, and prepare the documentation needed for certification. We can also support you through the audit itself, helping you respond to questions, clarify evidence, and navigate the process with confidence.

ISO 42001 Implementation

Implement a management system for responsible AI governance aligned to ISO 42001. We help you establish AI risk management processes, document accountability structures, and build the controls needed for trustworthy AI operations.

Our Delivery Approach

01 Scoping and context

We start by understanding your organisation: what you build, how you operate, your regulatory environment, your risk appetite, and what is driving the need for governance. This determines what the management system needs to cover and how it should be structured.

02 Gap analysis

We assess your current controls, policies, and processes against the relevant standard or framework. This identifies what already exists, what needs strengthening, and what needs to be built from scratch.

03 Design and implementation

We work with your teams to design controls and processes that fit your operations. Policies are written in language your people understand. Processes are built around how work actually gets done. Documentation supports operations rather than replacing them.

04 Testing and validation

Before any external assessment, we validate that controls work as intended. This includes internal audits, evidence reviews, and management review preparation. If something is not working, we fix it.

05 Ongoing support

Governance is not a one-off project. We help you establish the routines needed to maintain and improve your management system over time. This includes internal audits, surveillance audit preparation, continual improvement processes, and periodic reassessment.

FAQ

What is the difference between governance and assurance?

Governance defines how your organisation manages security through policies, controls, and processes. Assurance validates that those controls actually work in practice. Governance sets the structure. Assurance proves it is effective.

How long does ISO 27001 implementation typically take?

For most technology organisations, implementation takes between three and six months. The timeline depends on your starting point, the complexity of your environment, and how quickly your team can adopt new processes.

How is a security maturity assessment different from a gap analysis?

A gap analysis measures your current state against a specific standard, such as ISO 27001, and identifies what is missing. A security maturity assessment is broader. It evaluates your overall security programme against a maturity model, covering people, processes, and technology. It tells you not just what is missing, but how well what you have actually works. A maturity assessment is useful when you are not sure which standard to pursue or when you want a general picture of your security posture.

What if we already have ISO 27001 and want to add ISO 42001?

We help you integrate ISO 42001 into your existing management system rather than building a separate one. Both standards share common management system requirements, so much of the foundation is already in place. We identify what additional controls and processes are needed for AI governance and help you implement them within your current framework.

What does an internal security audit involve?

An internal audit assesses whether your controls operate as documented. This includes reviewing evidence, interviewing staff, and testing processes against your policies and relevant standards. The outcome is a structured report with clear findings and remediation actions.

Can you support us during the audit itself?

Yes. We can support you during the audit by helping you present evidence, respond to auditor questions, and clarify how your controls operate in practice. The goal is to ensure the process runs smoothly and that your team is prepared.

Start With a Conversation

Tell us where you are with governance and what you are trying to achieve. We will help you identify the right approach.