You need compliance. You don't need the nightmare.
A big customer wants SOC 2. Your investors are asking about it. You know you need it.
But every consultant wants to sell you:
- A 200-page policy manual nobody will read
- Tools you don't need (yet)
- Processes so complicated your team ignores them
- A six-figure bill
You need compliance that fits your business. Not some cookie-cutter framework.
Compliance Frameworks I Work With
SOC 2 Type II
The big one. Every enterprise customer wants it. I help you get it without the bloat.
- ✓ Readiness assessment & gap analysis
- ✓ Control selection (what you actually need)
- ✓ Policy & procedure documentation
- ✓ Auditor selection & management
- ✓ Audit prep & support
- ✓ Post-audit remediation
PCI DSS
You handle credit card data. Now you need PCI. Let's get it done right.
- ✓ SAQ (Self-Assessment Questionnaire) completion
- ✓ Network segmentation planning
- ✓ Quarterly scanning requirements
- ✓ Compensating control documentation
NIST Cybersecurity Framework
Need a security program that makes sense? NIST CSF is the foundation.
- ✓ Framework implementation
- ✓ Maturity assessment
- ✓ Control mapping & gap analysis
- ✓ Risk-based prioritization
ISO 27001
International customers want it. I help you figure out if you really need it (and how to get it if you do).
- ✓ Gap assessment
- ✓ ISMS implementation
- ✓ Risk treatment planning
- ✓ Certification prep
CIS Controls
Practical, prioritized security controls that work for any organization. Start with the basics and mature over time.
- ✓ Implementation Group selection (IG1, IG2, IG3)
- ✓ Control prioritization & roadmap
- ✓ Gap analysis & maturity assessment
- ✓ Integration with existing frameworks
How I Help
I figure out what you actually need. Not what some framework says you should do.
We start with a readiness assessment. I look at where you are. What's already in place. What's missing. What'll take the most work.
Then we build a plan that fits your business. Right-sized controls. Policies your team will actually follow. Evidence collection that doesn't make everyone hate their job.
I help you pick an auditor. Prep for the audit. Respond to requests. Fix issues. Get your report.
No cookie-cutter templates. No overkill. Just what you need to pass.
What Makes This Different
No Cookie-Cutter Approach
Your controls match your business. Not some generic template.
Actually Usable Policies
Policies your team will follow. Not 200-page novels nobody reads.
Audit-Ready Evidence
We set up evidence collection from day one. No scrambling at audit time.
Transparent Pricing
Fixed price for readiness. Monthly retainer for ongoing support. No surprises.
This Is For You If...
- You lost a deal because you don't have SOC 2
- Your investors are asking about compliance and you're not ready
- You handle sensitive data (payments, health records, etc.)
- You need compliance but can't afford Big 4 consulting prices
- You want someone who explains things in plain English
Common Questions
How long does SOC 2 take?
4-6 months typically. Depends on where you're starting and how fast you can implement controls.
How much does it cost?
Readiness assessment: fixed price. Implementation: monthly retainer. Auditor fees are separate (usually $15K-$40K depending on scope).
Do I need Type I or Type II?
Type II. Almost everyone wants Type II (shows controls operating over time). Type I is rarely enough.
Can you recommend an auditor?
Yes. I work with several auditors who specialize in startups and SMBs. We'll find one that fits your budget and timeline.