How it works

From first call to full clarity in weeks.

Every step has a deliverable and a point where you decide whether to continue.

1
Free, no commitment. 30 minutes.

Scoping call

A 30-minute conversation to work out if there's a fit and what the right starting point is. Not a sales pitch. Not a discovery session that leads to a six-figure proposal. Just an honest conversation about what's happening in your business right now.

I'll ask about what triggered this, who owns the problem today, and what happens if nothing changes in the next 90 days. You'll get an honest answer on whether I can help and what the right next step looks like.

What to expect

  • Honest assessment of whether my services are the right fit
  • Clear recommendation on where to start
  • If it's not a fit, I'll tell you and suggest alternatives
  • No follow-up pressure, no "let me send you a proposal"

2
Fixed fee. 5 to 10 business days.

Readiness assessment

A fixed-fee assessment with a defined scope that gives you a clear picture of where you stand and what to prioritise. This is not a vague "discovery phase" that takes months and produces a slide deck. Pick the one that matches what's driving the urgency: ISO 27001 / SOC 2 Readiness, Cloud Cost Review, or Customer AI Readiness.

Delivery is 5 to 10 business days depending on type. You get a written report with a prioritised 90-day action plan, named owners, and a clear decision point. The Cloud Cost Review carries a 2x-savings-or-refund guarantee. The Customer AI Readiness has a 45K variant where I personally handle up to two customer AI questionnaires in the first 90 days.

What to expect

  • Fixed-fee, fixed-scope, no open-ended discovery phase
  • Written gap analysis with severity ratings and named owners
  • Prioritised 90-day remediation roadmap
  • Executive briefing you can present to your board
  • Clear go/no-go decision point at the end

3
Your call

Decision point

After the baseline, I sit down with you and review everything together. You see exactly where you stand, what the gaps are, and what it would take to close them. Then you decide what happens next.

There's no pressure to continue. If the baseline shows you can handle things internally, that's a good outcome. If it makes sense to work together ongoing, I'll scope that clearly. If you need a focused sprint on a specific deliverable, I'll define that instead.

What to expect

  • Joint review of findings and priorities
  • Honest recommendation (including "you don't need me")
  • Clear options: stop, retainer, or sprint
  • No lock-in, no minimum commitment

4
Quarterly commitment, scoped to you

Ongoing leadership

If ongoing work makes sense, it takes one of two forms: a Standard or Executive Retainer for continuous senior IT, security, and AI leadership, or an Execution Sprint for specific deliverables. Both scale to your needs.

The retainer covers IT governance, security ownership, compliance coordination, cloud oversight, AI policy, vendor management, and executive reporting. Bi-weekly leadership sessions plus async availability. Scope and fee agreed in the scoping call, with quarterly commitment as the preferred frame. Execution Sprints are focused deliveries for things like certification prep, NIS2 rollout, AI governance implementation, or cloud migration governance.

What to expect

  • Retainer or sprint (your choice, based on what you need)
  • Quarterly commitment preferred for retainers; monthly available
  • Same accountable operator throughout the engagement, no handoffs
  • The goal is building your capability, not creating dependency
  • When you're ready for a full-time hire, I help you transition

First 90 days

What the first 90 days of a retainer actually produce.

Concrete artefacts, not slide decks. If any of these aren't in your tenancy by the stated day, the engagement isn't running the way it should.

Days 1-30

Asset and systems inventory. Risk register, populated with named owners. Policy baseline (information security policy, acceptable use, access control). Stakeholder map for board, customers, auditors. One working customer security questionnaire answered end-to-end.

Days 31-60

Statement of Applicability if the target is ISO 27001. Gap register with severity and effort estimates. Incident response runbook tested in a tabletop exercise. Vendor risk workflow live. First quarterly board pack drafted.

Days 61-90

Remediation sprints running for the top three gaps. Evidence collection cadence in place. Management review meeting run at least once. Decision point with the executive team on continuing, scaling up, or handing off.

Ready to start with a scoping call?

30 minutes is usually enough to see whether there's a useful starting point and which engagement shape fits.

Typically responds within 24 hours