Published Jul 2, 2026
Enterprise buyers, insurers, and regulators increasingly ask the same question: can you prove your security? For most SMEs the honest answer is "partly." This framework closes that gap and produces the evidence trail an audit needs.
── WHO THIS IS FOR ──
Companies that need to pass security questionnaires to close deals, prepare for a SOC 2 or ISO 27001 audit, or demonstrate GDPR compliance — without hiring a full security team.
── THE FRAMEWORK ──
1. SCOPE & TARGET
Confirm the framework(s) in scope (SOC 2 Type I/II, ISO 27001, GDPR) and the
systems, data, and people boundary being assessed.
2. GAP ANALYSIS
Assess current state against control domains:
• Access control & identity (MFA, least privilege, joiner/mover/leaver).
• Data protection (encryption at rest/in transit, retention, classification).
• Application & infrastructure security (secure SDLC, patching, config).
• Logging, monitoring & incident response.
• Vendor & third-party risk.
• Governance, policies & training.
Each control is rated: met / partial / missing, with evidence noted.
3. RISK REGISTER
Gaps become risks, scored by likelihood × impact, with an owner and a target
date. This is the artifact auditors and boards actually want to see.
4. REMEDIATION ROADMAP
Prioritized, sequenced, and costed:
• Now (0–30 days) — MFA everywhere, backups tested, incident-response plan,
access review, core policies.
• Next (30–90 days) — logging/monitoring, vendor reviews, SDLC controls,
staff training, evidence collection.
• Later (90+ days) — audit engagement, penetration test, continuous monitoring.
5. POLICY & CONTROL SET
A starter pack: information security policy, access policy, data protection &
retention policy, incident response plan, acceptable use, and a vendor
register — tailored to your business, not generic templates.
── SAMPLE OUTPUT (illustrative) ──
A 25-person SaaS company, assessed for SOC 2 Type II readiness:
• 62 controls assessed: 24 met, 21 partial, 17 missing.
• 9 high risks, 14 medium, the rest low.
• Highest risks: no centralized logging, inconsistent MFA, untested backups,
no formal incident response.
• Roadmap: audit-ready in ~4 months following the Now/Next/Later plan.
── WHAT YOU RECEIVE ──
• Gap analysis against your target framework.
• A scored risk register you maintain.
• A tailored policy & control set.
• A costed remediation roadmap and audit-readiness timeline.
Engagements typically range $10,000–$50,000 depending on scope and framework. The readiness assessment is independent of any remediation work — you own the findings.
Preparing for an audit or an enterprise security review? Book a scoping call.