From assessment to a program that works
A Structured Approach, Adapted to Your Situation
Here is how a typical engagement runs. The phases are consistent. The scope, sequencing, and depth are adapted to what the organization actually needs.
1. Security Assessment & Roadmap
Understand where you stand
Cloud Architecture Review
We review your AWS, Azure, or GCP environment for security gaps and compliance blockers. Misconfigurations, encryption gaps, and access control issues are identified and documented before the program build begins.
Compliance Gap Analysis
We assess your current posture against the relevant framework requirements. The output is a clear map of what exists, what's missing, and what the gaps will cost you if left unaddressed.
Risk Assessment
Not all gaps carry equal weight. We prioritize based on actual risk to the organization and the audit environment, not by checklist order.
Prioritized Roadmap
You receive a clear, sequenced roadmap with timeline, dependencies, and resource requirements. The roadmap reflects your specific framework, your organization's stage, and what can realistically move in parallel.
Assessment Phase
Scope: Cloud review, gap analysis, risk assessment, roadmap delivery
Deliverable: Security assessment report and prioritized roadmap
2. Compliance Program Build
Build the foundation
Policy Development
We develop security policies that reflect how the organization actually operates: Information Security, Data Classification, Incident Response, and the other documents your framework requires. They are written for an auditor and grounded in your actual environment.
Cloud Security Hardening
We remediate the findings from the assessment phase: misconfigurations are corrected, encryption is implemented, and IAM policies are tightened. All changes are documented as audit evidence.
Technical Controls Implementation
We implement the technical controls your framework requires across your environment. CI/CD pipelines, secrets management, container hardening, and infrastructure configuration are common workstreams. The scope is determined by what the assessment surfaces and what your framework obligates.
Evidence Collection Setup
We establish the infrastructure for ongoing evidence collection from your cloud accounts, identity providers, and endpoints. The program needs to stay current, not just pass the first audit.
Program Build Phases
Early phase: Policy development, cloud security hardening
Mid phase: Technical controls, evidence collection setup
Final phase: Gap remediation, audit preparation
3. Ongoing Advisory
Monthly guidance and continuous monitoring
Monthly Security Reviews
We review your security posture monthly, assess emerging gaps, and provide strategic guidance.
Compliance Monitoring
Evidence collection runs continuously. We monitor for compliance drift, flag gaps before they compound, and support remediation before issues become audit findings.
Audit and Customer Support
When customers request security documentation or an audit window approaches, we help you respond accurately and completely. Security questionnaires, compliance summaries, and evidence packages are prepared when you need them.
Strategic Advisory
New cloud services, infrastructure changes, personnel shifts, new requirements: we help you make security decisions that account for where the program needs to go, not just where it is today.
Monthly Review Includes
Security Posture: Compliance status, trend analysis
Risk Assessment: Emerging gaps, remediation priorities
Audit Readiness: Framework status, evidence currency
Strategic Guidance: Decisions tied to upcoming organizational changes
Ready to start with an assessment?
The assessment is where every engagement begins. It gives you an accurate picture of where the program stands and what it will take to meet your compliance requirements. Book a time to talk through your situation.
Frequently Asked Questions
How Long Does a Compliance Program Take to Build?
It depends on the framework and the starting point. The initial assessment is scoped to your environment and delivers a clear picture of where you stand and what the program will require. The program build phase varies based on the framework, existing controls, and the organization's pace through remediation. SOC 2 Type II involves an auditor observation period for evidence collection, which is a fixed constraint set by the auditor. Federal frameworks vary by control scope and existing infrastructure maturity.
What Access Do You Need to Our Systems?
Read-only access only. For AWS, we use the ReadOnlyAccess and SecurityAudit managed policies. For Google Workspace, read-only access to the Reports API. For Okta, a read-only API token. We do not write to your systems or access customer data.
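As an added illustration of the read-only AWS access pattern described in this answer (example configuration, not the firm's own code): a Terraform definition of a cross-account IAM role in the customer's account that trusts only the assessor's account, requires a shared external ID, and attaches the two AWS-managed policies named above. The assessor account ID and the external ID are placeholders. Because the AWS-managed ReadOnlyAccess policy includes data-plane read actions such as s3:GetObject, the role also carries an explicit deny on object, secret, and parameter reads so that "no access to customer data" is enforced by policy rather than by agreement; the exact deny list is an assumption to be tuned per environment.

```hcl
# Added example, not the firm's own code. Placeholders: assessor_account_id and
# external_id are supplied by the customer and the assessor out of band.

variable "assessor_account_id" {
  description = "AWS account ID of the external assessor (placeholder)"
  type        = string
}

variable "external_id" {
  description = "Shared secret the assessor must present on AssumeRole (placeholder)"
  type        = string
  sensitive   = true
}

# Trust policy: only the assessor account may assume the role, and only with the external ID.
data "aws_iam_policy_document" "assessor_trust" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${var.assessor_account_id}:root"]
    }
    condition {
      test     = "StringEquals"
      variable = "sts:ExternalId"
      values   = [var.external_id]
    }
  }
}

# Explicit deny on data-plane reads. ReadOnlyAccess grants object-level reads, so the deny
# is what keeps the assessor at configuration metadata only. Explicit Deny always wins.
data "aws_iam_policy_document" "deny_customer_data" {
  statement {
    effect = "Deny"
    actions = [
      "s3:GetObject*",
      "dynamodb:GetItem",
      "dynamodb:BatchGetItem",
      "dynamodb:Query",
      "dynamodb:Scan",
      "secretsmanager:GetSecretValue",
      "ssm:GetParameter*",
      "kms:Decrypt",
    ]
    resources = ["*"]
  }
}

resource "aws_iam_role" "external_assessor_readonly" {
  name                 = "ExternalAssessorReadOnly"
  assume_role_policy   = data.aws_iam_policy_document.assessor_trust.json
  max_session_duration = 3600 # one-hour sessions; re-assume for each work block
}

# The two AWS-managed policies named in the answer.
resource "aws_iam_role_policy_attachment" "readonly" {
  role       = aws_iam_role.external_assessor_readonly.name
  policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
}

resource "aws_iam_role_policy_attachment" "security_audit" {
  role       = aws_iam_role.external_assessor_readonly.name
  policy_arn = "arn:aws:iam::aws:policy/SecurityAudit"
}

resource "aws_iam_role_policy" "deny_customer_data" {
  name   = "DenyCustomerDataReads"
  role   = aws_iam_role.external_assessor_readonly.id
  policy = data.aws_iam_policy_document.deny_customer_data.json
}
```

Every AssumeRole call against this role is recorded in CloudTrail with the assessor's account and the external ID condition evaluated, so the customer can independently verify that access stayed within the agreed scope for the duration of the engagement.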
How Does This Work If We Already Have an Internal Security Person?
We work alongside them. The internal resource typically handles day-to-day security operations. We bring framework-specific depth, handle the compliance workstreams, and give them a more experienced partner to pressure-test decisions against. The engagement is designed to make the internal function more effective, not to work around it.
What Does the Ongoing Advisory Engagement Include?
Monthly security review calls, continuous compliance monitoring, evidence collection support, audit and customer documentation preparation, and strategic advisory on security decisions. The structure is flexible based on what the organization actually needs month to month.
How Is Pricing Determined?
Based on the scope of the framework, the complexity of the existing environment, and the engagement structure. We work in three ways: project-based for defined scopes with a clear deliverable (assessments, program builds, specific remediation workstreams); monthly retainer for ongoing advisory, compliance monitoring, and continuous coverage without carrying full-time headcount; and hourly advisory for clients with internal security teams who need experienced support on a specific question, control area, or audit preparation effort. Book a call and we'll give you a direct answer based on your situation.