Services

Beyond legal advice, we help organisations build the internal foundation that IT security compliance actually rests on: written policies, a control framework, a risk register, and the evidence trail an auditor will ask for. We do this as an independent third party — we assess and prepare, we do not certify. Certification (ISO 27001) is issued by an accredited certification body, and attestation (SOC 2) is issued by a licensed CPA firm; our job is to get you ready for that audit, not to replace it.

Readiness, not certification — what that means

Most organisations that fail an ISO 27001 or SOC 2 audit don't fail because their technology is weak — they fail because the paperwork doesn't exist, is inconsistent, or doesn't match what the organisation actually does day to day. We close that gap before an accredited auditor ever shows up.

Our process

1. Gap assessmentCompare current state against the target standard's control set.
2. Policy draftingWrite the governance policies the standard requires — access control, incident response, vendor management, and more.
3. Control implementationWork with Dyanet to turn policy into deployed technical controls.
4. Evidence & internal auditBuild the evidence trail and run an internal audit before the real one.
5. Hand-off to the accredited auditorYou engage an independent certification body (ISO 27001) or licensed CPA firm (SOC 2) — we prepare you for them, we are not them.

ISO/IEC 27001

ISO/IEC 27001:2022 is the international standard for an Information Security Management System (ISMS) — a risk-based framework for how an organisation identifies, treats and monitors information security risk on an ongoing basis, not a one-time checklist. The 2022 version sets out 93 controls across four categories: organisational, people, physical and technological. Certification runs in two stages: Stage 1 reviews your documentation and scope; Stage 2 tests whether your controls actually work in practice. We prepare the ISMS itself — policies, the risk register, the Statement of Applicability, and an internal audit programme — so that both stages go smoothly when your accredited certification body runs them.

SOC 2

SOC 2 is an attestation framework, common in North America, built around the AICPA's Trust Services Criteria (security, availability, processing integrity, confidentiality, and privacy). A Type I report assesses whether your controls are suitably designed at a single point in time; a Type II report — the one most enterprise customers actually ask for — assesses whether those controls operated effectively over a period, typically three to twelve months. We help design the control set, draft the accompanying policies, and put in place the evidence-collection process your CPA firm will sample from during the audit period.

Certifications IT vendors are actually asked for

ISO 27001 and SOC 2 cover the general case, but selling into a specific market often means a specific — sometimes legally mandatory — certification on top. Here is the shortlist we see most often across the EU, US, Canada, China and Australia, plus NIST and sustainability, which increasingly sit underneath all of them.

Certification / frameworkCategoryWhere it matters mostWhat it proves
ISO/IEC 27001SecurityGlobal baselineFormal information security management system
SOC 2 (Type I/II)Security / trustUS & CanadaControls operating effectively over time
NIST Cybersecurity Framework 2.0Security frameworkUS-originated, globally referencedRisk-based cybersecurity posture
FedRAMP (NIST SP 800-53)Security / governmentUS federal cloud salesAuthorization to operate for US agencies
CMMC 2.0 (NIST SP 800-171)Security / governmentUS Dept. of Defense supply chainControlled unclassified information handling
IRAPSecurity / governmentAustralian government & cloudControls assessed against the ASD ISM
Canadian Program for Cyber Security CertificationSecurity / governmentCanadian federal contractsBaseline cyber hygiene (Level 1 self-assessed, Level 2 third-party)
China MLPS 2.0 / CCRCSecurity / governmentMandatory in mainland ChinaClassified cybersecurity protection level compliance
EU Cyber Resilience Act (CE marking)Product securityEU, phasing in 2026–2027Secure-by-design compliance for digital products
ISO/IEC 27701PrivacyEU / GDPR-adjacent marketsPrivacy information management system
PCI DSSPayments securityGlobal, wherever card data flowsCardholder data protection
ISO 14001SustainabilityGlobal, EU & Australian procurementEnvironmental management system
EU CSRD (assured sustainability reporting)SustainabilityEU large companies & key suppliersExternally assured sustainability disclosure

Green widely required or expected · Amber increasingly requested or phasing in · Red mandatory/gating in its specific market. Indicative summary only, not a compliance guarantee.

The pattern by market: US federal and defence buyers effectively will not discuss a cloud contract without FedRAMP or CMMC 2.0; Australian government and public-sector cloud customers generally require an IRAP assessment; Canada is rebuilding its baseline through the Canadian Program for Cyber Security Certification (replacing the discontinued CyberSecure Canada), with Level 1 self-assessment live since 2025 and Level 2 third-party assessment piloting on defence contracts; China's MLPS 2.0 is not optional for any IT system operating on the mainland, foreign-owned entities included; and the EU is folding cybersecurity into product law itself — the Cyber Resilience Act turns it into a CE-marking requirement, phased in through 2027, on top of GDPR.

Sustainability now sits alongside security in vendor questionnaires. ISO 14001 is a common line item in EU and Australian procurement, and the EU's Corporate Sustainability Reporting Directive (CSRD) requires large EU companies — and, by extension, their significant suppliers — to publish externally assured sustainability disclosures, phasing in through 2028.

We assess which of these actually apply to your target markets and prepare the policy foundation; Dyanet builds and operates the technical controls underneath it.

Our IT partner: Dyanet

Policy is only half the job — the controls a policy describes have to actually be built, configured and monitored. That's where Dyanet, our IT partner, comes in: technical implementation, infrastructure hardening, access and monitoring tooling, and the day-to-day technical operation of the controls our policies define. We handle the legal and governance foundation; Dyanet handles the engineering. Together, clients get a single path from "we have no formal security programme" to "we are ready for our ISO 27001 or SOC 2 audit" — without having to stitch together a law firm and an IT vendor themselves.

Where this connects to our legal work

Compliance readiness and IT law aren't really separate problems — a SOC 2 control set and a GDPR/PIPL/DPDP data-processing obligation are often describing the same underlying risk from two different angles. See our IT, IP & Compliance section, and specifically Privacy & Government Restrictions, for the legal side of data protection across the US, EU, Pakistan, India, China, Russia and the Middle East.

Ready to start?

Tell us which standard you're targeting, who's asking for it (a customer, an investor, a regulator), and roughly where your documentation stands today — we'll scope a gap assessment from there.

References

ISO — ISO/IEC 27001 · AICPA — SOC 2

We provide readiness assessment and policy preparation services; we are not an accredited ISO certification body and do not issue SOC 2 attestations. Certification and attestation must be obtained from an independent accredited body or licensed CPA firm. This page is general information, not a service guarantee — contact us to discuss your specific scope. ← Back to IT, IP & Compliance overview