FOUNDED 2025 · INDEPENDENT UK PRACTICE
01 About InfoSecAI

Information security and AI governance, made practical.

InfoSecAI is an independent UK consultancy. We work with boards, audit committees and senior security leaders to translate regulatory pressure, risk appetite and operational reality into governance, controls and evidence that hold up under scrutiny.

Founded in 2025 by Paul Jolliffe, the practice is built around twenty years of senior security leadership across financial services, healthcare, government, telecoms, manufacturing, technology and professional services. The work spans information security, governance, risk, compliance, AI security, resilience, operations and engineering, delivered end-to-end by the same accountable practitioner team rather than handed between silos.

InfoSecAI exists because too much security and AI governance work is still bought as slideware and delivered through subcontracted juniors. We reject the introduce-and-exit pattern, the framework theatre, and the practice of selling tools as governance. Engagements are senior from day one, evidence-led throughout, and sized to the firm in front of us, not to a generic maturity model.

Principles · how we work

Six commitments that hold across every engagement.

Practitioner commitments that hold regardless of sector, regulator or duration. Senior from day one. Evidence over slideware. AI used where it earns it.

  • 01 Senior from day one
  • 02 Evidence over slideware
  • 03 Regulator-aware, board-ready
  • 04 Proportionate to risk
  • 05 Continuity across the lifecycle
  • 06 AI used where it earns it
03 Practitioner-built capability

Fourteen toolkits accelerate the structured work.

Across frameworks, regulations and attestations. AI-accelerated for mapping, drafting and gap analysis; senior-reviewed for judgement. In private preview with early-access partners through H1 2026.

04 Frameworks & regulations

Designed around the standards your business operates under, and the regulations it answers to.

Engagements are mapped across these by default. We reuse controls across certification and attestation cycles rather than recreating them per framework.

Standards

International, certifiable

  • ISO/IEC 27001:2022
  • ISO/IEC 42001:2023
  • NIST CSF 2.0
  • NIST AI RMF 1.0
  • CIS Controls v8.1
  • SOC 2 (TSC 2017)
  • Cyber Essentials
Regulations

Statutory, sector-specific

  • UK GDPR & DPA 2018
  • DUAA 2025
  • EU AI Act
  • DORA
  • NIS 2
  • PCI DSS 4.0.1
  • DSPT (NHS)
05 Sector practice

Adapted to the regulator, the customer base, and the operating model.

Security and AI governance expectations differ markedly by sector. Eight sectors are at the centre of current practice.

  • 01 Financial Services · DORA
  • 02 Healthcare · DSPT
  • 03 Government & Public · GovAssure
  • 04 Technology · EU AI Act
  • 05 Telecommunications · TSA 2021
  • 06 Manufacturing · NIS 2
  • 07 Retail & e-commerce · PCI DSS
  • 08 Professional Services · SRA Code
06 Engagement methodology

Every engagement runs through the same four phases.

A disciplined, end-to-end methodology paced for funding cycles and audit reality. Senior practitioner across all four phases.

  1. PHASE 01 · Assess

    Where you are today, what is at risk, and what good looks like for your sector and obligations.

    Output: Current-state & risk baseline
  2. PHASE 02 · Align

    Translate priorities, regulatory drivers and risk appetite into a defensible scope and decision path.

    Output: Priorities, scope & governance
  3. PHASE 03 · Design

    Define the target state, the controls, the operating model and the roadmap. Sequenced for delivery reality.

    Output: Target state & roadmap
  4. PHASE 04 · Deliver & Embed

    Hands-on delivery, evidence creation, governance and knowledge transfer. Capability that lasts beyond the engagement.

    Output: Execution, evidence & capability
07 Founder & principal practitioner
Paul Jolliffe, Founder of InfoSecAI
Credentials
  • MBA
  • CISSP
  • ISO 27001:2022 LA
  • ISO 27001:2022 LI
  • ISO 27001:2022 IA
  • PRINCE2 Practitioner
Independent senior practice

Paul Jolliffe. Senior information security and AI governance practitioner.

Twenty years of international senior security leadership across the private and public sectors. Roles span Chief Information Security Officer, Head of Cyber Security, Head of Managed Security Services, and senior consulting and programme management.

Deep practice across financial services, manufacturing, healthcare, energy, telecommunications, technology and professional services. Strategy aligned to ISO 27001, NIST, CIS Controls, DSPT and CAF, with compliance work spanning PCI DSS, GDPR and UK GDPR, NIS 2, and SOC 1 and 2.

InfoSecAI was founded in 2025 for organisations that require clarity, senior leadership and hands-on delivery, without adding complexity or treating compliance as a paperwork exercise.

Recent senior roles
2021 — PRESENT
  • 2025 — NOW
    Founder & Principal Practitioner
    InfoSecAI
  • 2025
    Chief Technical Security Officer (vCISO)
    Phoenix Software
  • 2024 — 25
    Senior Cyber Security Programme Manager
    Philip Morris International
  • 2022 — 24
    Chief Information Security Officer
    Britannia Financial Group
  • 2021 — 22
    Head of Cybersecurity
    MTN

Earlier career · Senior consulting, security product and programme leadership across IBM, KPMG, PwC and Deutsche Telekom (T-Systems).

08 How we work

Six principles that shape every engagement.

Practitioner commitments that hold across every piece of work, regardless of sector, regulator or duration.

PRINCIPLE 01

Senior from day one

Engagements are led and delivered by senior practitioners. No subcontracted juniors, no introduction-and-exit pattern, no offshore handoffs.

PRINCIPLE 02

Evidence over slideware

Artefacts are written to survive external scrutiny: an auditor, a regulator, an acquirer or the next CISO. Not narrative dressed as evidence.

PRINCIPLE 03

Regulator-aware, board-ready

Findings and decisions are framed for the audiences that matter: audit committees, the FCA, the ICO, internal audit, customer security teams.

PRINCIPLE 04

Proportionate to risk

Controls are sized to appetite, maturity and obligations. Enterprise scaffolding does not get bolted onto a 200-person firm, or vice versa.

PRINCIPLE 05

Continuity across the lifecycle

One accountable team from initial scoping through to embedded capability. The methodology is the contract.

PRINCIPLE 06

AI used where it earns it

Toolkits accelerate structured work (mapping, drafting, gap analysis) under senior review. The judgement stays human.

10 First conversation

Tell us what needs to change. We will help shape the next move.

Use the first thirty minutes to clarify the outcome, the constraints and the next step. No pitch deck, no sales call. A working conversation with a senior practitioner.