Compliance.

Compliance is a contract requirement before it's a security one. We get you ready for SOC 2, HIPAA, PCI-DSS, CMMC, or NIST 800-171 in months, with a policy library and evidence runbook your team owns.

Overview

You didn't start the company to write security policies. We do that work, fast, in language an auditor recognizes. The work is structured around the framework your customers, regulators, or insurers actually require, not a generic checklist.

What's included

  • Framework selection and scope definition (which entities, systems, and data are in scope)
  • Control gap analysis with prioritized remediation
  • Policy and procedure authorship (typically 18 to 32 documents)
  • Evidence collection runbook and quarterly evidence calendar
  • Auditor introductions and audit accompaniment
  • Annual or quarterly maintenance support

What you get

  • Policy library. Source-controlled documents tailored to your business, not stock templates.
  • Control matrix. Maps each control to the responsible owner, evidence artifact, and review cadence.
  • Evidence runbook. Tells the team what to collect, where to store it, and how often.
  • Audit accompaniment. A senior consultant sits with you through the auditor walkthroughs.

Engagement sizes

  • Readiness. One framework, gap analysis and policy library. Three to four months.
  • Type I full. Readiness plus audit accompaniment for a SOC 2 Type I report or a HIPAA assessment. Four to five months.
  • Type II full. Readiness, audit accompaniment, and evidence collection across the SOC 2 Type II observation period. Nine to fourteen months.

Common questions

Do you perform the audit?

No. We prepare you for it and sit beside you during it. The audit or assessment itself is performed by an independent third party: a licensed CPA firm for SOC 2, a Qualified Security Assessor (QSA) for a PCI DSS Report on Compliance, and a C3PAO for a CMMC Level 2 certification assessment. We can recommend several we have worked with.

Can you handle multiple frameworks at once?

Yes. SOC 2 plus HIPAA, or SOC 2 plus ISO 27001, are common combinations. We map overlapping controls so you do the work once.

Do you support DoD contractors?

Yes. CMMC 2.0 Level 1 and Level 2 readiness, including authorship of the System Security Plan (SSP) and Plan of Action and Milestones (POA&M), plus liaison with the CMMC Third-Party Assessment Organization (C3PAO) when a Level 2 certification assessment is scheduled. Level 1, and Level 2 where the contract allows it, is a self-assessment, and we prepare the same artifacts for that path.

Next step