Compliance & Risk Management Services

• SOC 2 Type II: Who requires it US enterprise B2B customers. Governing body AICPA (US accounting standard). Certification type Audit report (Type I or Type II). Timeline Type I: 2-4 months, Type II: 6-12 months. Cost range $30K-100K (audit + prep). Key requirements 5 Trust Service Criteria: Security (CC), Availability, Confidentiality, Processing Integrity, Privacy 64 control points. Scope Specific system/service in scope. Best for US SaaS companies selling enterprise.
• GDPR: Who requires it Any org processing EU personal data. Governing body EU regulators (each member state). Certification type Self-attestation + DPA regulatory review. Timeline 3-6 months for initial compliance. Cost range $15K-50K (assessment + implementation). Key requirements Lawful basis, data subject rights (access, erasure, portability), privacy notices, DPO (if required), DPIAs for high-risk processing, Article 32 security measures, breach notification (72 hours). Scope All systems handling EU personal data. Best for Any product with EU users.
• ISO 27001: Who requires it EU/international enterprise customers. Governing body ISO/IEC (international standard body). Certification type Third-party certification (annual audit). Timeline 6-12 months to first certification. Cost range $25K-80K (consulting + certification body). Key requirements ISMS (Information Security Management System), Statement of Applicability mapping 114 controls across 4 themes (Organisational, People, Physical, Technological), risk assessment (Clause 6), risk treatment plan. Scope Entire ISMS scope (can be defined narrowly). Best for European market, international enterprise, public sector.
• HIPAA: Who requires it US healthcare data handlers (PHI). Governing body US Dept. of Health & Human Services. Certification type Self-assessment + HHS OCR audit. Timeline 3-6 months for initial compliance. Cost range $15K-50K (assessment + implementation). Key requirements PHI safeguards: administrative (policies, training), physical (data centre), technical (access control, audit controls, encryption, integrity, transmission security), Business Associate Agreements (BAAs). Scope All systems handling PHI. Best for HealthTech, insurance, clinical platforms.
• PCI DSS: Who requires it Anyone storing/processing/transmitting payment card data. Governing body PCI Security Standards Council. Certification type SAQ for smaller merchants, QSA audit for Level 1. Timeline 3-6 months for SAQ-A/SAQ-D completion. Cost range $10K-30K (assessment + tools). Key requirements 12 requirements across 6 goals, annual pen test + quarterly ASV scan, SAQ (Self-Assessment Questionnaire) for smaller merchants, QSA audit for Level 1. Scope Cardholder data environment. Best for E-commerce, payment processors, SaaS billing.

SOC 2 Type I is a point-in-time assessment an auditor evaluates whether the described controls are suitably designed as of a specific date. It verifies design (the controls are designed correctly) but not operation (the controls have been operating consistently over time). SOC 2 Type II covers an observation period (typically 6-12 months) the auditor verifies that the controls were both suitably designed AND operating effectively throughout the period. Type II provides significantly stronger assurance than Type I because it demonstrates that controls are not just designed correctly but are actually followed consistently. Most enterprise customers accept a current Type I during the transition period while a Type II observation period accumulates. The long-term requirement for most enterprise relationships is an annual Type II report most large buyers will not renew vendor contracts without a current (less than 12 months old) SOC 2 Type II report.