InfoSecAI · Founded 2025 · Booking H1 2026 engagements now
Service catalogue

Security and AI governance services for decisions, delivery and assurance.

InfoSecAI helps organisations understand what needs to change, decide what matters most, and put the right governance, controls and ways of working in place to achieve their target operating model across security, regulation and AI.

How to choose

Choose the service by the outcome you need.

Choose the outcome you need and we will route the work to the right capability: strategy, regulatory alignment, AI governance, operating model design or control implementation.

  • Direction and operating model: Leadership & Strategy
  • Standards, regulation and assurance: Governance, Risk & Compliance
  • AI governance and controls: AI Security & Governance
  • Control implementation and embedding: Security Operations & Engineering
Four phases. One accountable team. Assess, Align, Design, Deliver and Embed.
01

Leadership & Strategy

Senior security direction. Board-grade governance.

Fractional CISO leadership, strategy and architecture, programme delivery, and transactional cyber due diligence for organisations that need senior expertise without full-time headcount.

S01 Flagship

CISO Advisory & Virtual CISO

Senior security leadership as a flexible, fractional service.

Many organisations need senior security leadership but cannot justify or attract a full-time CISO. InfoSecAI provides experienced practitioners with 15+ years in CISO, Head of Security or Security Director roles who integrate directly with your leadership team on a fractional, interim or retained basis. The engagement is not a generic advisory retainer; it is hands-on security leadership, accountable for outcomes and embedded in your governance.

Who is this for
  • Organisations without a dedicated CISO or Head of Information Security
  • Companies with a CISO vacancy requiring interim coverage during recruitment
  • Fast-growing businesses where security demands have outpaced internal capacity
  • Boards or audit committees seeking independent, senior security counsel
  • Organisations preparing for regulatory requirements, certification or due diligence
Frameworks: ISO 27001, NIST CSF, CIS Controls
S02

Cyber Strategy & Architecture

Security target states, roadmaps and secure-by-design patterns.

Security strategy should not be a 50-page document that sits on a shelf. InfoSecAI develops pragmatic security strategies and architecture that translate directly into actionable programmes. We work across enterprise IT, multi-cloud environments and operational technology to define security target states, design secure architecture patterns and produce prioritised implementation roadmaps that boards can fund and teams can deliver.

Who is this for
  • Organisations without a coherent, documented security strategy
  • Technology teams undergoing cloud migration or platform consolidation
  • Businesses where security architecture decisions are made reactively, project by project
  • CISOs who need independent validation of their strategic direction
  • Organisations preparing security investment cases for board approval
Frameworks: NIST CSF, SABSA, TOGAF, Zero Trust, CSA
S03

Cybersecurity Programme Management & Transformation

Structure, delivery discipline and transformation leadership.

Security improvements frequently stall after the initial assessment. Gap analyses produce findings. Improvement plans are created. But six months later, the same gaps remain. InfoSecAI provides the programme management discipline, delivery governance and transformation leadership to convert security intentions into operational reality. We embed with your teams, bring structure to complexity and maintain momentum through the difficult middle phase where most programmes lose traction.

Who is this for
  • Organisations with multiple concurrent security initiatives lacking coordination
  • Security teams that have completed assessments but struggle to implement remediation
  • Businesses undergoing large-scale technology migration with security implications
  • Organisations where security improvement has stalled despite executive sponsorship
  • CISOs inheriting fragmented security programmes requiring consolidation
Frameworks: PRINCE2, Agile, SAFe, ITIL, NIST CSF
S04 Flagship

M&A Cyber Due Diligence

Pre-acquisition cyber due diligence across the full M&A lifecycle.

Cyber risk increasingly drives deal valuation, retrades and post-completion disputes. InfoSecAI delivers structured cyber due diligence for strategic acquirers, private equity sponsors and vendor sales: from red-flag reviews under tight LOI timelines to confirmatory diligence with quantified findings. We translate technical security posture into commercial language that informs valuation, SPA negotiation and Day 0/1/30/100 integration planning.

Who is this for
  • Strategic acquirers conducting pre-LOI and confirmatory diligence
  • Private equity sponsors with portfolio cyber and AI assurance requirements
  • Sell-side companies preparing for vendor due diligence
  • Boards evaluating cyber risk in deal scenarios
  • General counsel seeking SPA cyber schedule and indemnity support
Frameworks: NIST CSF, ISO 27001, SOC 2, CIS Controls
02

Governance, Risk & Compliance

ISO 27001. DORA. UK GDPR. Assurance readiness.

Gap-to-certification programmes, independent assurance, data protection advisory, maturity benchmarking, and operational resilience. Practical governance and controls built for regulators, auditors, and acquirers. Not for the binder.

S05 Flagship

Cyber GRC & Regulatory Alignment

From gap assessment to certification. Pragmatic compliance that satisfies auditors.

Governance, Risk and Compliance is where security strategy meets operational reality. InfoSecAI delivers GRC programmes that achieve real compliance outcomes (certification, regulatory approval, client assurance) without drowning your team in bureaucracy. We focus on producing the minimum viable governance that satisfies auditors while genuinely improving your security posture. Every artefact we produce is designed to be used, not filed.

Who is this for
  • Organisations pursuing ISO 27001 certification or 2022 transition
  • Financial services firms subject to DORA, FCA or PRA expectations
  • NHS organisations and health-tech companies requiring DSPT compliance
  • Government contractors and CNI operators subject to CAF or NIS Regulations
  • Organisations needing Cyber Essentials or Cyber Essentials Plus certification
Frameworks: ISO 27001:2022, DORA, NIS 2, UK GDPR, DSPT, Cyber Essentials
S06

Information Security Assurance

Independent assessment of your security effectiveness.

Assurance provides an independent, objective view of whether your security controls work in practice, not just whether they exist on paper. InfoSecAI delivers assurance engagements that go beyond documentation reviews to evaluate real-world control effectiveness, providing boards, regulators and clients with practical confidence in your security posture. Every finding produces an actionable recommendation, not just a risk rating.

Who is this for
  • Boards and audit committees requiring independent security assurance
  • Organisations preparing for external audit, regulatory review or client due diligence
  • CISOs who need an objective view of programme effectiveness
  • Organisations that have invested in security but are uncertain whether controls are effective
  • Companies requiring third-party risk assurance over critical suppliers
Frameworks: ISO 27001, NIST CSF, CIS Controls, SOC 2, OWASP
S07

Data Protection & UK GDPR Advisory

UK GDPR compliance, ICO-aligned artefacts and outsourced DPO support.

Data protection requires sustained operational discipline aligned to UK GDPR, the Data Protection Act 2018, the Data (Use and Access) Act 2025 and PECR. InfoSecAI provides advisory and outsourced DPO services that produce artefacts aligned to ICO expectations: complete records of processing, defensible DPIAs, lawful basis assessments, international transfer documentation (IDTA, UK extension to DPF) and ICO engagement support. We focus on practical adoption, not legal verbiage.

Who is this for
  • Organisations without an in-house DPO requiring outsourced support
  • Companies subject to ICO regulatory requirements or post-breach review
  • Businesses processing high-risk or special category personal data
  • Organisations transferring data internationally requiring transfer risk assessments
  • Companies integrating UK GDPR with ISO 27001 or AI governance programmes
Frameworks: UK GDPR, DPA 2018, DUAA 2025, PECR, ICO AI Audit
S08

Cyber Maturity Assessment & Benchmarking

Where you are. Where you need to be. What it costs to close the gap.

Most organisations cannot articulate their security maturity in language a board would accept. InfoSecAI delivers tier-based maturity assessment against NIST CSF 2.0, CIS Controls v8 or ISO 27001, with quantified scoring per domain, sector benchmarking against comparable organisations, and a prioritised roadmap with effort and cost banded for board approval. The output is a single page the CEO can read and a multi-year programme the CFO can fund.

Who is this for
  • Boards seeking objective measurement of security investment effectiveness
  • New CISOs requiring a baseline of inherited security posture
  • Organisations preparing for fundraising, M&A or regulatory requirements
  • CFOs evaluating cyber programme return on investment
  • Companies benchmarking security maturity against sector peers
Frameworks: NIST CSF 2.0, CIS Controls v8, ISO 27001
S09

Operational Resilience & Business Continuity

ISO 22301, important business services, ICT resilience and exercise programmes.

Resilience is a senior leadership expectation and increasingly a regulatory mandate. InfoSecAI designs and operationalises resilience programmes aligned to ISO 22301, FCA and PRA SS1/21 operational resilience requirements and DORA Article 6 ICT resilience obligations. We define important business services, set defensible impact tolerances, build business continuity plans organisations can execute, and design exercise programmes that satisfy auditors and stress-test real recovery capability.

Who is this for
  • FCA-regulated firms subject to operational resilience requirements
  • Financial entities preparing for DORA enforcement
  • Organisations pursuing ISO 22301 certification
  • Boards seeking quantified resilience assurance
  • Critical infrastructure operators with NIS Regulation obligations
Frameworks: ISO 22301, DORA Article 6, PRA SS1/21, FCA Op Res
03

AI Security & Governance

EU AI Act. ISO 42001. NIST AI RMF. Production AI.

AI governance frameworks, EU AI Act compliance, ISO 42001 management systems, NIST AI RMF alignment, model security testing, and AI red-teaming. Built for organisations deploying AI faster than their governance can keep pace.

S10 Flagship

AI Security & Governance

Govern your AI before regulators force you to. EU AI Act high-risk obligations land in 2026.

AI creates extraordinary opportunity and novel risk. Most organisations are deploying AI tools faster than their governance can keep pace, creating regulatory, reputational and operational exposure. InfoSecAI helps organisations govern AI responsibly by building governance frameworks that enable innovation while managing risk. We combine deep security expertise with practical AI knowledge to address the specific threats that AI systems introduce: bias, hallucination, data poisoning, prompt injection, model extraction and supply chain compromise.

Who is this for
  • Organisations deploying or procuring AI systems that need governance frameworks
  • Regulated firms subject to the EU AI Act requiring compliance assessment
  • Boards and risk committees seeking independent AI risk counsel
  • Technology teams building AI products that need security-by-design guidance
  • Organisations using third-party AI tools (including LLMs) without adequate governance
Frameworks: EU AI Act, ISO 42001, NIST AI RMF, OWASP ML Top 10
S11

ISO 42001 & NIST AI RMF Alignment

AI management systems aligned to ISO 42001 and NIST AI RMF.

Organisations deploying AI need a defensible management system, not a one-off policy document. InfoSecAI implements ISO/IEC 42001:2023 AI management systems mapped to NIST AI RMF (Govern, Map, Measure, Manage) and EU AI Act provider obligations: build once, satisfy three regulatory regimes. The programme includes AI policy suite, AI risk register, model and system cards, conformity assessment artefacts and the audit artefacts required for ISO 42001 certification.

Who is this for
  • Organisations pursuing ISO 42001 certification
  • AI providers subject to EU AI Act high-risk obligations
  • Multi-jurisdictional firms aligning AI governance across regimes
  • Technology companies building AI products with regulatory exposure
  • Leadership teams requiring auditable AI governance artefacts
Frameworks: ISO 42001:2023, NIST AI RMF, EU AI Act
S12

AI Red-teaming & Model Security Testing

Adversarial evaluation of LLMs, agentic systems and AI-embedded products.

AI security is fundamentally different from traditional application security. Models hallucinate, prompts inject, agents take unintended actions and supply chains compromise weights. InfoSecAI delivers structured AI red-teaming aligned to the NIST Generative AI Profile (NIST AI 600-1), OWASP LLM Top 10 and emerging UK AISI evaluation expectations: threat modelling, jailbreak resistance, prompt injection, data poisoning, model extraction, content safety, bias probing and agentic tool-use risks. The methodology is documented; the findings are reproducible.

Who is this for
  • Organisations deploying production LLM and agentic AI applications
  • AI product teams with security and safety obligations
  • Boards evaluating AI risk independently of internal teams
  • Companies preparing for EU AI Act conformity assessment
  • Technology firms responding to enterprise customer AI assurance requests
Frameworks: NIST AI 600-1, OWASP LLM Top 10, UK AISI
04

Security Operations & Engineering

Hands-on security across the live estate.

Practical security work for live operating environments. Incident response and SecOps, cloud security posture, security architecture review, and third-party and supply chain risk.

S13 Flagship

Incident Response & Security Operations

Playbooks, tabletop exercises, SOC advisory and operational readiness.

When a security incident occurs, the quality of your response is determined by the preparation done beforehand. InfoSecAI develops incident response capabilities that organisations can execute during disruption, including practical playbooks, realistic tabletop exercises, communication templates and escalation procedures. We also provide SOC advisory services covering operating model design, SIEM and SOAR optimisation and detection engineering guidance.

Who is this for
  • Organisations without formal incident response plans or tested playbooks
  • Security teams with plans on paper that have never been exercised
  • Companies required to demonstrate IR capability for regulatory compliance
  • Organisations building or optimising internal SOC capabilities
  • Businesses needing regulatory incident reporting procedures (FCA, ICO, DORA)
Frameworks: NIST SP 800-61, MITRE ATT&CK, ISO 27035, DORA
S14

Cloud Security Posture Management

AWS, Azure, GCP. Landing zones, guardrails and posture remediation.

Cloud security posture is built on hundreds of decisions: landing zone design, organisational guardrails, IAM patterns, network controls, logging architecture, key management. Together these decisions determine whether a real production incident is contained or catastrophic. InfoSecAI delivers cloud security architecture and posture remediation for AWS, Azure and GCP, covering CIS Benchmarks, NIST SP 800-53 cloud overlays, Kubernetes hardening and CSPM tooling design. Practical, context-led, vendor-agnostic.

Who is this for
  • Organisations migrating to cloud or consolidating cloud estates
  • Companies with material CSPM findings requiring structured remediation
  • Multi-cloud organisations needing consistent governance across providers
  • Engineering teams designing landing zones for new business units
  • Security teams supporting Kubernetes and container workloads
Frameworks: CIS Benchmarks, NIST 800-53, CSA CCM
S15

Security Architecture Review

Independent review of security architecture, designs and reference patterns.

Architecture decisions made early are expensive to reverse, and most security incidents trace back to design weaknesses, not control failures. InfoSecAI provides independent technical review of security architectures, reference patterns, design documents and high-risk change proposals: applying threat modelling (STRIDE, PASTA, attack trees), control mapping and recommendations grounded in NIST and ISO patterns. The output is the architecture review the design needed before approval or implementation.

Who is this for
  • Engineering teams seeking pre-implementation design assurance
  • CISOs reviewing architecture submissions from delivery teams
  • Organisations rolling out new platforms or significant architectural change
  • Security teams adopting Zero Trust or new architectural patterns
  • Audit committees requiring independent design oversight
Frameworks: STRIDE, PASTA, NIST 800-207, SABSA
S16

Third-Party & Supply Chain Risk

Vendor due diligence, supply chain risk and contractual cyber clauses.

Third-party risk has shifted from a procurement form to a regulatory mandate. DORA Article 28, NIS 2 Article 21 and FCA and PRA outsourcing rules now require continuous oversight of supply chain cyber posture, not annual questionnaires. InfoSecAI designs and operates third-party risk programmes covering vendor tiering, due diligence at scale, AI vendor assurance, contractual cyber clauses and ongoing monitoring. Proportionate by design, defensible to regulators.

Who is this for
  • Financial firms subject to DORA Article 28 outsourcing requirements
  • Organisations covered by NIS 2 supply chain obligations
  • Companies with material AI vendor exposure
  • Boards seeking quantified third-party risk assurance
  • Procurement and security functions integrating cyber clauses into contracts
Frameworks: DORA Article 28, NIS 2, ISO 27036
Get started

A 30-minute consultation. Clear next steps.

Use the first conversation to clarify the outcome you need and agree the next steps.

Book via Outlook, or email info@infosecai.net