Results

What this looks like in practice.

Real engagements, anonymised. Every one follows the same pattern: a concrete trigger, focused work, and a measurable outcome. No employer names, no fluff.

01

B2B SaaS: 120 employees

ISO 27001 certification in 4 months (single-site, narrow scope)

Trigger. The company had a growing enterprise pipeline, but every deal over a certain size required ISO 27001 certification. Without it, deals stalled in procurement. The CTO was fielding security questionnaires personally, and the answers were inconsistent. Two large prospects had explicitly said "come back when you're certified."

Work. Started with a baseline assessment against ISO 27001 Annex A controls. Built the entire documentation set from zero: information security policy, risk assessment methodology, statement of applicability, and all supporting procedures. Ran the gap analysis, prioritised remediation by audit risk, coordinated with the chosen certification body, and managed the Stage 1 and Stage 2 audits end to end. The internal team handled their own technical remediations with guidance on what actually mattered for the auditor versus what could wait.

Result. Certified 4 months after engagement start, with a single-site scope and a narrow Annex A selection; the pace also depended on the certification body's audit calendar. Three enterprise deals that had sat in the pipeline for 3+ months moved to contract within weeks of certification. The CTO stopped spending weekends on security questionnaires.

4 mo
Single-site cert
3 deals
Unblocked
0
Non-conformities

02

FinTech: 80 employees

Security review pass rate: 40% to 95%

Trigger. Enterprise customers were sending detailed security questionnaires as part of their vendor assessment process. The company was failing or receiving a "conditional pass" on roughly 60% of them. Each review consumed 15-20 hours of CTO and engineering time, and the responses were inconsistent across reviewers. Two key renewals were at risk because the customers' security teams had flagged gaps in the previous year's responses.

Work. Audited all questionnaire responses from the previous 12 months to identify the recurring failure points. Built a structured response library covering the 200 most common questions, with evidence references for each answer. Established an internal evidence discipline: who owns each control area, where the proof lives, and how it stays current. Introduced a triage process so the right person answers each section instead of the CTO doing everything. Ran mock reviews against the two at-risk customers' known question sets before the actual renewal reviews.

Result. Pass rate went from roughly 40% to 95% within three months. CTO time spent on security reviews dropped by about 60%. Both at-risk renewals closed successfully. The response library now gets maintained by the team without external help. Individual result; your starting point and scope will differ.

95%
Pass rate
60%
Less CTO time
2
Renewals saved

03

HealthTech: 200 employees

NIS2 readiness in 6 weeks

Trigger. The board asked management for a compliance plan after NIS2 transposition discussions made it clear the company would likely fall under the directive's scope. Nobody internally had deep enough knowledge of the requirements to build a credible plan, and the consultancy quotes they received were six-figure projects with 6-month timelines. The board wanted answers in weeks, not months.

Work. Ran a focused gap analysis mapping their existing controls to the 10 NIS2 Article 21(2) cybersecurity risk-management measures, sized to their sector and headcount. Identified what was already covered, what had partial coverage, and what was missing entirely. Built a prioritised remediation roadmap organised into 30/60/90-day sprints, with named owners across IT, security, operations, legal, and product. Delivered an executive-ready briefing the management team presented directly to the board, including cost estimates per phase and a realistic timeline.

Result. Board-approved compliance plan delivered in 6 weeks. The company started the first implementation sprint immediately. Management went from "we don't know what NIS2 means for us" to having a concrete, budgeted plan with named owners for every action item.

6 wk
To readiness plan
Board
Approved
90-day
Sprint roadmap

What the work looks like

A fragment from a real deliverable.

Redacted extract from a NIS2 scope note produced in week one of a recent engagement. Names and identifying detail removed; structure and voice are unchanged.

Facing something similar?

Tell me what triggered it. Thirty minutes is usually enough to see whether there's a useful starting point.

Typically responds within 24 hours