FOUNDED 2025 · INDEPENDENT UK PRACTICE
01 Service catalogue

Information security, AI governance and transformation. Senior advisory and assurance work.

Senior-led advisory and assurance for the security, AI governance and transformation decisions now visible to boards, regulators and customers. We work alongside leadership teams to set the direction, design the governance, controls and operating practice required to move from intent to implementation, and provide the assurance evidence those decisions now have to rest on.

03 Pillar one

Leadership & Strategy

Senior security direction. Board-grade governance.

Fractional CISO leadership, security strategy and architecture, programme management, and transactional cyber due diligence, for organisations that need senior expertise without full-time headcount.

S01

CISO Advisory & Virtual CISO

Senior security leadership as a flexible, fractional service.

Senior CISO leadership integrated with your executive team, fractional, interim, or retained. Hands-on, accountable, and embedded in your governance.

TYPICAL SCOPE
  • Monthly board and audit committee reporting pack
  • Security strategy, target operating model and roadmap
  • Risk register, KRI cadence and risk appetite framework
  • Regulator engagement and customer assurance support
DIFFERENTIATOR

Board papers in your house style. KPIs your CFO can read. Risk appetite your leadership team can use.

ISO 27001 · NIST CSF · CIS Controls
BEST FOR
PE-backed scale-ups, regulated firms without a permanent CISO, CISO succession cover
TYPICAL TRIGGER
New regulatory scope, M&A integration, board loss of confidence, CISO departure
OUTPUTS
Board reporting pack · risk appetite framework · strategy & target operating model · regulator-facing narrative
ENGAGEMENT SHAPE
Fractional 2–4 days/mo · Interim 3–6 months FT · Retained advisory & escalation
S02

Cyber Strategy & Architecture

Security target states, roadmaps, and secure-by-design patterns.

Pragmatic security strategies and architecture that translate directly into delivery. Executive-ready roadmaps, reference patterns, and multi-cloud security design.

TYPICAL SCOPE
  • Current-state assessment and target-state architecture
  • Multi-year security roadmap mapped to funding cycles
  • Reference patterns for cloud, identity, data and AI
  • Architectural decision records for major design choices
DIFFERENTIATOR

Strategies measured against operational reality, not maturity-model theory.

NIST CSF · ISO 27001 · CIS Controls
BEST FOR
Organisations after a merger, an incident, an audit finding or a major platform shift
TYPICAL TRIGGER
New cloud / data / AI stack, funding round, regulator finding, target operating model refresh
OUTPUTS
Current & target architecture · multi-year roadmap · reference patterns · architectural decision records
ENGAGEMENT SHAPE
6–12 week strategic engagement · embedded architect option
S03

Programme Management & Transformation

Structure, delivery discipline, and transformation leadership.

Embedded programme management for the implementation phase, where many security programmes lose momentum. Converts security intent into operational reality through delivery cadence, dependency management and stakeholder governance.

TYPICAL SCOPE
  • Programme governance, RAID log and benefits realisation
  • Vendor and partner management across the lifecycle
  • Executive sponsor and steering committee engagement
  • Transition planning and capability handover at close
DIFFERENTIATOR

Programme leadership, not delivery administration.

PRINCE2 · Agile · ISO 27001
BEST FOR
Programmes that have slipped past two consecutive quarters or lost executive confidence
TYPICAL TRIGGER
RAG amber/red, sponsor escalation, vendor delivery failure, regulator deadline at risk
OUTPUTS
Programme plan · RAID · benefits realisation · transition & handover pack
ENGAGEMENT SHAPE
3–9 month embedded programme leadership
S04

M&A Cyber Due Diligence

Pre-acquisition cyber due diligence across the full M&A lifecycle.

Cyber risk increasingly drives deal valuation, retrades and post-completion disputes. Structured cyber due diligence for strategic acquirers, private equity and corporate development teams, pre-LOI, between LOI and signing, and post-completion integration.

TYPICAL SCOPE
  • Pre-LOI red-flag assessment within five working days
  • Full diligence work covering technical and governance review
  • Day-one risk acceptance pack for the closing committee
  • Post-close integration roadmap and remediation programme
DIFFERENTIATOR

Findings written for the deal team, not the security team.

NIST CSF · ISO 27001 · SOC 2
BEST FOR
Mid-market strategic acquirers, private equity, corporate development teams
TYPICAL TRIGGER
LOI imminent or signed, NDA in place, signing date set, post-close integration starting
OUTPUTS
Pre-LOI red-flag report (5 days) · full DD report · day-one risk acceptance pack · integration roadmap
ENGAGEMENT SHAPE
Pre-LOI 1 week · Full DD 3–5 weeks · Post-close 8–12 weeks
04 Pillar two

Governance, Risk & Compliance

ISO 27001. DORA. UK GDPR. Assurance readiness.

Gap-to-certification programmes, independent assurance, data protection advisory, maturity benchmarking and operational resilience. All regulator-grade, all delivered without drowning your team in paperwork.

S05

Cyber GRC & Regulatory Alignment

From gap to certification, without the bureaucracy.

GRC programmes that produce real compliance outcomes (certification, regulatory approval, client assurance) without drowning your team in paperwork.

TYPICAL SCOPE
  • Management system design and Statement of Applicability
  • Control implementation guidance and evidence pack
  • Audit committee and regulator-facing narrative
  • Pre-audit walkthrough and certification body engagement
DIFFERENTIATOR

Every artefact is designed to be used, not filed.

ISO 27001 · DORA · DSPT · NIS 2 · CE+ · SOC 2
BEST FOR
First-time ISO 27001, SOC 2, DSPT, DORA, NIS 2 or CE+ programmes
TYPICAL TRIGGER
Customer questionnaire failure, regulator letter, certification gap, internal audit finding
OUTPUTS
ISMS · Statement of Applicability · control evidence pack · audit-committee narrative · pre-audit walkthrough
ENGAGEMENT SHAPE
4–9 month gap-to-certification · annual maintenance retainer
S06

Information Security Assurance

Independent assessment of your security effectiveness.

Objective assessment of whether security controls operate as intended, rather than whether they exist on paper. Executive-ready assurance reports, penetration testing oversight and third-party attestation review.

TYPICAL SCOPE
  • Independent control walkthroughs and design reviews
  • Penetration testing oversight and findings triage
  • Third-party attestation and ISAE 3402 review
  • Internal audit liaison and second-line reporting
DIFFERENTIATOR

Independent of your Chief Information Security Officer, your managed security provider and the tools you have procured.

ISO 27001 · SOC 2 · NIST CSF
BEST FOR
Boards, audit committees, internal audit, customers requesting independent assurance
TYPICAL TRIGGER
New customer demand, board concern, internal audit cycle, post-incident review
OUTPUTS
Independent assurance report · control walkthrough notes · pentest oversight findings · ISAE 3402 review
ENGAGEMENT SHAPE
2–6 week point-in-time · continuous quarterly assurance
S07

Data Protection & UK GDPR Advisory

UK GDPR compliance, ICO-aligned artefacts and outsourced DPO support.

Sustained operational discipline aligned to UK GDPR, the Data Protection Act 2018, the Data (Use and Access) Act 2025 and PECR. DPIA advisory, transfer mechanisms, breach response, ICO engagement and outsourced DPO support.

TYPICAL SCOPE
  • DPIA methodology and execution for high-risk processing
  • Records of processing activities and lawful basis design
  • International transfer mechanisms and contractual support
  • Outsourced DPO or DPO-equivalent retainer
DIFFERENTIATOR

DUAA 2025 changes baked in. ICO AI audit framework applied where AI is in scope.

UK GDPR · DPA 2018 · DUAA 2025 · PECR
BEST FOR
Public-sector buyers, AI use cases, complex international transfers, outsourced DPO needs
TYPICAL TRIGGER
DUAA 2025 changes, ICO engagement, breach notification, AI deployment, new processing activity
OUTPUTS
DPIA · ROPA · transfer mechanism · breach response pack · outsourced DPO advisory
ENGAGEMENT SHAPE
Outsourced DPO retainer · DPIA programme · breach response
S08

Cyber Maturity Assessment & Benchmarking

Where you are. Where you need to be. What it costs to close the gap.

Tier-based maturity assessment against NIST CSF 2.0, CIS Controls and ISO 27001. Quantified, comparable, sector-benchmarked. Outputs are written so the board can decide and the security team can execute.

TYPICAL SCOPE
  • Tiered maturity scoring against NIST CSF, CIS or ISO
  • Sector benchmark and current-state heatmap
  • Sequenced uplift roadmap with effort and cost estimate
  • Board-grade reporting pack and executive narrative
DIFFERENTIATOR

Maturity scored in language a board would accept.

NIST CSF 2.0 · CIS Controls v8 · ISO 27001
BEST FOR
New CISOs, new board chairs, post-incident reviews, pre-budget cycles, pre-funding readiness
TYPICAL TRIGGER
Board ask for "where do we stand", investor readiness, post-incident baseline, pre-audit
OUTPUTS
Tier-scored maturity · current-state heatmap · sector benchmark · sequenced uplift roadmap
ENGAGEMENT SHAPE
4–6 week baseline · annual re-assessment
S09

Operational Resilience & Business Continuity

ISO 22301, important business services, ICT resilience and exercise programmes.

Resilience programmes aligned to ISO 22301, FCA & PRA operational resilience expectations, DORA ICT resilience and CBI sector standards. Important Business Service identification, impact tolerances, scenario testing and exercise programmes.

TYPICAL SCOPE
  • Important Business Service identification and mapping
  • Impact tolerance setting and scenario testing programme
  • ISO 22301 business continuity management system design
  • DORA Article 12 testing approach and regulator evidence
DIFFERENTIATOR

Designed for regulators who increasingly inspect operational outcomes, not policies.

ISO 22301 · DORA · FCA PS21/3 (SYSC 15A) · PRA SS1/21
BEST FOR
FCA/PRA-regulated firms, DORA in-scope financial entities, NHS trusts, CNI operators
TYPICAL TRIGGER
Operational resilience (PRA SS1/21 / FCA PS21/3) deadline, DORA Article 12 testing, NIS 2 incident exercise, regulator letter
OUTPUTS
IBS map · impact tolerances · scenario test programme · ISO 22301 BCMS · regulator evidence
ENGAGEMENT SHAPE
6–12 week stand-up · annual test-programme retainer
05 Pillar three

AI Governance & Transformation

EU AI Act. ISO 42001. NIST AI RMF. Adoption and operating model.

AI governance, transformation programmes, management systems, alignment work and model security testing for organisations adopting AI as a core operating capability, with regulator-grade evidence and board-level accountability throughout.

S10

AI Security & Governance

Put AI governance in place before adoption outpaces accountability. Under the EU AI Act as enacted, obligations for Annex III high-risk systems apply from 2 August 2026 (Annex I product-embedded high-risk systems from 2 August 2027); general-purpose AI model obligations have applied since 2 August 2025.

AI presents significant opportunity alongside novel risk. Many organisations are deploying AI tools faster than their governance can keep pace, creating regulatory, reputational and operational exposure. We define what governance should look like for your AI estate, and then operationalise it.

TYPICAL SCOPE
  • AI policy, governance forum and use-case approval process
  • Use-case classification under the EU AI Act
  • Model lifecycle controls, model card and assurance pack
  • AI risk register and ongoing reporting cadence
DIFFERENTIATOR

Governance defined alongside deployment, not retrofitted afterwards.

EU AI Act · ISO 42001 · NIST AI RMF
BEST FOR
Organisations with live AI deployment and a board sponsor
TYPICAL TRIGGER
First AI tool in production, board AI risk paper, EU AI Act provider/deployer classification
OUTPUTS
AI policy · use-case classifier · model & system cards · AI risk register · approval workflow
ENGAGEMENT SHAPE
8–12 week stand-up · quarterly governance retainer
S11

ISO 42001 & NIST AI RMF Alignment

AI management systems aligned to ISO 42001 and NIST AI RMF.

Organisations deploying AI need a defensible management system, not a one-off policy document. We implement ISO/IEC 42001:2023 AI management systems mapped to NIST AI RMF, with EU AI Act provisions for high-risk systems where relevant.

TYPICAL SCOPE
  • AI management system scope and applicability statement
  • AI impact assessment process and template library
  • Control catalogue mapped to ISO 42001, NIST AI RMF, EU AI Act
  • Certification body engagement and stage 1/2 readiness
DIFFERENTIATOR

Build once. Satisfy ISO 42001, NIST AI RMF, and EU AI Act overlap.

ISO 42001 · NIST AI RMF · NIST AI 600-1
BEST FOR
AI builders selling to regulated buyers; firms preparing for EU AI Act high-risk obligations
TYPICAL TRIGGER
Buyer questionnaire mentions ISO 42001, AI Act conformity scope, SOC 2 + AI customer ask
OUTPUTS
AI management system · AI impact assessment · control catalogue · stage 1/2 readiness
ENGAGEMENT SHAPE
6–9 month implementation · pre-certification support
S12

AI Red-teaming & Model Security Testing

Adversarial evaluation of LLMs, agentic systems and AI-embedded products.

AI security differs materially from traditional application security. Large language models can produce ungrounded outputs; prompts can be manipulated; agentic systems can take unintended actions; and the AI supply chain introduces model-integrity and weight-poisoning risks. Structured adversarial testing across prompt injection, jailbreaks, data exfiltration, model evasion and supply-chain integrity.

TYPICAL SCOPE
  • Prompt injection, jailbreak and adversarial input testing
  • Training data exfiltration and model evasion evaluation
  • Agentic system safety and tool-use abuse testing
  • Supply-chain integrity review for model and library chain
DIFFERENTIATOR

Adversarial testing across the AI lifecycle, not just the model in isolation.

OWASP LLM Top 10 · MITRE ATLAS · NIST AI 600-1
BEST FOR
Organisations putting LLMs, GenAI or agentic AI into customer- or staff-facing workflows
TYPICAL TRIGGER
Pre-launch security sign-off, post-incident review, regulator request, board assurance need
OUTPUTS
Threat model · adversarial test plan · findings report · remediation roadmap
ENGAGEMENT SHAPE
2–6 week point-in-time · continuous red-team retainer
S13

AI Adoption & Transformation

End-to-end programme leadership for AI adoption in the business.

For organisations moving from AI pilots into AI as a core operating capability. We help leadership teams shape the AI transformation programme, sequence high-value use cases, build the operating model, and embed the governance and assurance work alongside delivery, so adoption and accountability move together.

TYPICAL SCOPE
  • AI strategy and use-case portfolio with prioritised pipeline
  • Operating model for AI development, deployment and oversight
  • Governance and assurance embedded alongside delivery
  • Capability uplift and skills programme for the firm
DIFFERENTIATOR

AI transformation that ships with governance, not after it.

ISO 42001 · NIST AI RMF · EU AI Act
BEST FOR
Organisations standing up an AI capability across multiple business units
TYPICAL TRIGGER
AI strategy approved, AI centre of excellence forming, multiple pilots reaching production
OUTPUTS
Target operating model · AI governance forum · use-case pipeline · skills & capability plan
ENGAGEMENT SHAPE
12–24 week embedded transformation
06 Pillar four

Security Operations & Engineering

Hands-on security across the live estate.

Incident response and security operations, cloud security posture management, security architecture review, and third-party and supply-chain risk. Hands-on work for live operating environments.

S14

Incident Response & Security Operations

Playbooks, tabletop exercises, SOC advisory and operational readiness.

When a security incident occurs, the quality of your response is determined by the preparation done beforehand. We develop incident response capabilities (playbooks, tabletop exercises, SOC operating models and IR retainers) that organisations can actually execute under pressure.

TYPICAL SCOPE
  • Major incident retainer with senior incident manager
  • Tabletop and live-fire exercise programme
  • SOC operating model design and effectiveness review
  • Post-incident remediation programme leadership
DIFFERENTIATOR

Designed to satisfy DORA Article 17 (incident management process) and Article 19 (major-incident reporting), NIS 2 Article 23 and FCA notification windows.

NIST IR · DORA Art. 17 · NIS 2 Art. 23
BEST FOR
DORA, NIS 2, FCA and ICO-reportable incidents; organisations without a 24/7 in-house IR team
TYPICAL TRIGGER
Live or suspected incident, post-incident review, regulator notification due, tabletop exercise
OUTPUTS
72-hour notification pack · forensic plan · containment timeline · regulator engagement narrative
ENGAGEMENT SHAPE
Retainer with first-30-minute response assurance · live response · post-incident review
S15

Cloud Security Posture Management

AWS, Azure, GCP. Landing zones, guardrails and posture remediation.

Cloud security is built on hundreds of decisions: landing zone design, organisational guardrails, IAM patterns, network controls, logging architecture, key management. We design, assess and remediate cloud posture across AWS, Azure and GCP.

TYPICAL SCOPE
  • Posture baseline against CIS Benchmarks and CSA CCM
  • Landing zone hardening for AWS / Azure / GCP
  • IAM, network and key management remediation
  • CSPM tooling selection and integration
DIFFERENTIATOR

Posture, not just policy. Remediation, not just findings.

CIS Benchmarks · CSA CCM · NIST CSF
BEST FOR
AWS, Azure, GCP estates with multiple accounts and rapid product change
TYPICAL TRIGGER
Audit finding, posture drift, new landing zone, multi-cloud expansion, M&A integration
OUTPUTS
Posture baseline · landing zone hardening · IAM/network/KMS remediation · CSPM tooling
ENGAGEMENT SHAPE
4–8 week baseline · ongoing remediation engagement
S16

Security Architecture Review

Independent review of security architecture, designs and reference patterns.

Architecture decisions made early are expensive to reverse, and many security incidents trace to design weaknesses rather than control failures. Independent architecture review of system designs, reference patterns and secure-by-design assurance, conducted before commitments are made.

TYPICAL SCOPE
  • Reference architecture review and decision records
  • Design-stage security on major change initiatives
  • Exception governance and risk acceptance process
  • Pattern library for product and engineering teams
DIFFERENTIATOR

Identify design weaknesses during architecture review, not after the incident.

NIST CSF · ISO 27001 · SABSA
BEST FOR
Pre-build design reviews on high-stakes systems; reference pattern libraries
TYPICAL TRIGGER
Major change initiative, new product, new vendor, regulator architecture request
OUTPUTS
Architecture decision records · pattern library · exception governance · design-stage findings
ENGAGEMENT SHAPE
2–4 week point-in-time · embedded architecture authority
S17

Third-Party & Supply Chain Risk

Vendor due diligence, supply chain risk and contractual cyber clauses.

Third-party risk has shifted from a procurement form to a regulatory mandate. DORA Article 28, NIS 2 Article 21 and FCA/PRA outsourcing rules now require continuous oversight of critical providers. We design third-party risk programmes that satisfy the regulator and the business.

TYPICAL SCOPE
  • Critical third-party register and oversight framework
  • DORA Article 28 contractual control set
  • Continuous monitoring approach and threshold model
  • Exit planning and concentration risk reporting
DIFFERENTIATOR

Vendor risk that runs continuously, not annually.

DORA Art. 28 · NIS 2 Art. 21 · FCA SYSC 8 · PRA SS2/21
BEST FOR
DORA Article 28, NIS 2 Article 21 and FCA/PRA outsourcing scope
TYPICAL TRIGGER
Critical vendor onboarding, concentration risk surfaced, regulator vendor review
OUTPUTS
Critical TPR register · DORA Art. 28 contracts · monitoring threshold model · exit plan
ENGAGEMENT SHAPE
6–12 week stand-up · annual oversight retainer
07 First conversation

A 30-minute consultation. Clear next steps.

In thirty minutes we will clarify the decision, the regulatory or assurance pressure, the likely evidence gap, and the next practical move, whether or not InfoSecAI is the right delivery partner.

No pitch deck. A working conversation with a senior practitioner.