How long does ISO 27001 certification take?

ISO 27001 certification typically takes six to twelve months for a mid-sized organisation, depending on the current state of your information security management system. The process involves a gap assessment, implementing the required controls, an internal audit, and a two-stage external audit by an accredited certification body. Organisations with existing security frameworks in place tend to move through the process faster.

What is DORA and which financial firms must comply?

DORA, the Digital Operational Resilience Act, came into force in January 2025 and applies to financial entities operating in the EU, including banks, insurers, investment firms, payment institutions, and their critical ICT third-party providers. It requires firms to demonstrate operational resilience across five pillars: ICT risk management, incident reporting, resilience testing, third-party risk management, and information sharing.

What does a GDPR audit involve?

A GDPR audit reviews how your organisation collects, stores, processes, and shares personal data against the requirements of the UK GDPR or EU GDPR. It covers lawful basis for processing, privacy notices, subject access request processes, data retention policies, third-party processor agreements, and breach notification procedures. The output is a gap report with prioritised remediation steps.

What is NIS2 and who does it apply to?

NIS2 is the EU Network and Information Security Directive, which EU member states were required to transpose into national law by October 2024. It applies to organisations in sectors designated as essential or important, including healthcare, energy, transport, banking, financial market infrastructure, digital infrastructure, and managed service providers above certain size thresholds. NIS2 requires risk management measures, incident reporting within 24 hours, and supply chain security controls.

What is PCI DSS and which businesses need it?

PCI DSS, the Payment Card Industry Data Security Standard, applies to any organisation that stores, processes, or transmits payment card data. This includes retailers, hotels, restaurants, healthcare providers that take card payments, and their technology providers. The standard has twelve top-level requirements covering network security, access control, encryption, vulnerability management, and monitoring. Non-compliance can result in fines and loss of card processing rights.

Audits & Compliance

Know where you stand. Stay ahead of the rules.

Regulation is expanding fast. But compliance only sticks when your IT is under control and your security is concrete, so we focus on those first to help ensure you are ready to meet the strict audit requirements. Once you are ready, we can guide you through ISO 27001, DORA, NIS2, GDPR, and beyond, closing genuine gaps, building evidence, and helping prepare you for the audits you need to complete.

Get in touch

The compliance reality

Compliance is not optional. The question is how prepared you are

Regulation is tightening across every sector. Most compliance failures trace back to IT that was never fully under control and security gaps papered over rather than fixed. These numbers reflect what organisations face when those foundations are missing.

of organisations are likely to fail a compliance audit

Inadequate preparation and undocumented controls are the most common reasons businesses don't pass first time

of organisations say their compliance programme consistently meets standards

Most organisations know their compliance posture has gaps. Closing them before an audit is exactly where we work

of businesses say compliance complexity has increased significantly in the last 3 years

NIS2, DORA, AI Act, and evolving GDPR enforcement have added substantial new obligations across most sectors

of SMEs have never had a formal IT or security audit

Without independent review, control gaps go undetected and accumulate quietly until a regulatory event or breach forces the issue

Statistics sourced from Verizon, Sophos, Swimlane, Gartner, FBI, and Standish Group. Some figures represent general industry estimates drawn from multiple research sources.

How we can help

Compliance services that close gaps before auditors find them

We look at your IT, your security controls, and your obligations together. Then we close what needs closing, fix what needs fixing, and build the evidence to help you prepare for your audits and support you through them. Every engagement is scoped around your obligations.

ISO 27001 Implementation & Certification Readiness

ISO 27001 is the gold standard for information security management. We guide you through the full journey: gap analysis, risk assessment, control implementation, documentation, internal audit, and preparation for certification, working with your chosen certification body. You leave with a complete, audit-ready ISMS, documented controls, and the evidence package your certification body expects.

GDPR & Data Protection Compliance

GDPR enforcement is active and the Autoriteit Persoonsgegevens issues fines regularly. We build or audit your data protection programme end-to-end: lawful basis mapping, Records of Processing Activities, DPIAs, data subject rights procedures, breach notification processes, and DPO advisory support. You leave with a completed RoPA, documented lawful basis mapping, and breach notification procedures ready to use.

PCI DSS Readiness & Compliance

If your business handles card payments, PCI DSS compliance is non-negotiable. We conduct gap assessments against the current PCI DSS standard, identify scope boundaries, help implement the required controls, and prepare you for your QSA assessment or Self-Assessment Questionnaire. You leave with a gap assessment report, a remediation plan, and a completed SAQ or QSA readiness package.

Compliance Gap Analysis

Before you can close gaps, you need to know where they are. We conduct structured gap assessments against your target framework: ISO 27001, Cyber Essentials, NIST, NIS2, DORA, or sector-specific regulatory requirements, mapping your current state to each control. You leave with a prioritised remediation plan, effort estimates, and a clear map of exactly what needs to change.

Risk Assessment & Risk Register

Formal risk management is central to ISO 27001, NIS2, DORA, and most other compliance frameworks. We run risk identification workshops, build and maintain your risk register, score and prioritise risks consistently, and produce the risk treatment plans that auditors expect to see. You leave with a scored risk register, documented treatment plans, and the evidence auditors expect to see.

Regulatory Compliance (NIS2, DORA, FCA)

Sector-specific regulation is growing in scope and enforcement. We help financial services firms meet FCA and DORA obligations, healthcare organisations meet data protection requirements including DSPT, and businesses in critical infrastructure comply with NIS2. You leave with a controls mapping, gap remediation plan, and a regulator-ready evidence pack.

Audit Preparation & Readiness Reviews

An external audit should never be a surprise. We run pre-audit readiness reviews that replicate the assessor's process, interviewing staff, reviewing evidence, testing controls, and identifying anything that would result in a finding. We then work with you to close issues before the auditor arrives. You leave with closed gaps, a clean evidence package, and your team prepared for every stage of the assessor's process.

Penetration Testing & Vulnerability Assessments

Many compliance frameworks require evidence of regular penetration testing. We scope, manage, and interpret penetration testing engagements across network, application, and social engineering vectors, working with trusted specialist testers. You get risk-rated findings in both technical and executive formats, with a prioritised remediation plan your team can act on.

Internal IT & Security Audits

An internal audit by an independent team is one of the most effective ways to find gaps before regulators or attackers do. We conduct structured audits of your IT controls, access management, configuration baselines, patch status, and operational procedures, producing a structured findings report with risk-rated, prioritised recommendations your team can act on immediately.

Policy & Procedure Development

Compliance lives and dies on documentation. We write, review, and update the full policy suite that frameworks require: information security policy, acceptable use, access control, incident response, business continuity, data retention, and more. You leave with a complete policy suite your staff will read and your auditors will accept without query.

Supplier & Third-Party Compliance

Your compliance obligations don't stop at your boundary. We help you assess and manage third-party compliance risk, reviewing supplier security questionnaires, auditing critical vendors, and drafting data processing agreements. You leave with a supplier assurance programme, a third-party risk register, and reviewed DPAs in place.

Continuous Compliance Monitoring

Achieving compliance is only half the challenge. Maintaining it is where most organisations struggle. We put in place the ongoing monitoring, evidence collection cadence, and management reporting that keeps your compliance posture current between audits. You get a compliance posture report, a populated evidence library, and board-ready dashboards showing your status at any point in the cycle.

Why Cyvra