Services
Beyond legal advice, we help organisations build the internal foundation that IT security compliance actually rests on: written policies, a control framework, a risk register, and the evidence trail an auditor will ask for. We do this as an independent third party — we assess and prepare, we do not certify. Certification (ISO 27001) is issued by an accredited certification body, and attestation (SOC 2) is issued by a licensed CPA firm; our job is to get you ready for that audit, not to replace it.
Readiness, not certification — what that means
Most organisations that fail an ISO 27001 or SOC 2 audit don't fail because their technology is weak — they fail because the paperwork doesn't exist, is inconsistent, or doesn't match what the organisation actually does day to day. We close that gap before an accredited auditor ever shows up.
Our process
ISO/IEC 27001
ISO/IEC 27001:2022 is the international standard for an Information Security Management System (ISMS) — a risk-based framework for how an organisation identifies, treats and monitors information security risk on an ongoing basis, not a one-time checklist. The 2022 version sets out 93 controls across four categories: organisational, people, physical and technological. Certification runs in two stages: Stage 1 reviews your documentation and scope; Stage 2 tests whether your controls actually work in practice. We prepare the ISMS itself — policies, the risk register, the Statement of Applicability, and an internal audit programme — so that both stages go smoothly when your accredited certification body runs them.
SOC 2
SOC 2 is an attestation framework, common in North America, built around the AICPA's Trust Services Criteria (security, availability, processing integrity, confidentiality, and privacy). A Type I report assesses whether your controls are suitably designed at a single point in time; a Type II report — the one most enterprise customers actually ask for — assesses whether those controls operated effectively over a period, typically three to twelve months. We help design the control set, draft the accompanying policies, and put in place the evidence-collection process your CPA firm will sample from during the audit period.
Certifications IT vendors are actually asked for
ISO 27001 and SOC 2 cover the general case, but selling into a specific market often means a specific — sometimes legally mandatory — certification on top. Here is the shortlist we see most often across the EU, US, Canada, China and Australia, plus NIST and sustainability, which increasingly sit underneath all of them.
| Certification / framework | Category | Where it matters most | What it proves |
|---|---|---|---|
| ISO/IEC 27001 | Security | Global baseline | Formal information security management system |
| SOC 2 (Type I/II) | Security / trust | US & Canada | Controls operating effectively over time |
| NIST Cybersecurity Framework 2.0 | Security framework | US-originated, globally referenced | Risk-based cybersecurity posture |
| FedRAMP (NIST SP 800-53) | Security / government | US federal cloud sales | Authorization to operate for US agencies |
| CMMC 2.0 (NIST SP 800-171) | Security / government | US Dept. of Defense supply chain | Controlled unclassified information handling |
| IRAP | Security / government | Australian government & cloud | Controls assessed against the ASD ISM |
| Canadian Program for Cyber Security Certification | Security / government | Canadian federal contracts | Baseline cyber hygiene (Level 1 self-assessed, Level 2 third-party) |
| China MLPS 2.0 / CCRC | Security / government | Mandatory in mainland China | Classified cybersecurity protection level compliance |
| EU Cyber Resilience Act (CE marking) | Product security | EU, phasing in 2026–2027 | Secure-by-design compliance for digital products |
| ISO/IEC 27701 | Privacy | EU / GDPR-adjacent markets | Privacy information management system |
| PCI DSS | Payments security | Global, wherever card data flows | Cardholder data protection |
| ISO 14001 | Sustainability | Global, EU & Australian procurement | Environmental management system |
| EU CSRD (assured sustainability reporting) | Sustainability | EU large companies & key suppliers | Externally assured sustainability disclosure |
Green widely required or expected · Amber increasingly requested or phasing in · Red mandatory/gating in its specific market. Indicative summary only, not a compliance guarantee.
The pattern by market: US federal and defence buyers effectively will not discuss a cloud contract without FedRAMP or CMMC 2.0; Australian government and public-sector cloud customers generally require an IRAP assessment; Canada is rebuilding its baseline through the Canadian Program for Cyber Security Certification (replacing the discontinued CyberSecure Canada), with Level 1 self-assessment live since 2025 and Level 2 third-party assessment piloting on defence contracts; China's MLPS 2.0 is not optional for any IT system operating on the mainland, foreign-owned entities included; and the EU is folding cybersecurity into product law itself — the Cyber Resilience Act turns it into a CE-marking requirement, phased in through 2027, on top of GDPR.
Sustainability now sits alongside security in vendor questionnaires. ISO 14001 is a common line item in EU and Australian procurement, and the EU's Corporate Sustainability Reporting Directive (CSRD) requires large EU companies — and, by extension, their significant suppliers — to publish externally assured sustainability disclosures, phasing in through 2028.
We assess which of these actually apply to your target markets and prepare the policy foundation; Dyanet builds and operates the technical controls underneath it.
Our IT partner: Dyanet
Policy is only half the job — the controls a policy describes have to actually be built, configured and monitored. That's where Dyanet, our IT partner, comes in: technical implementation, infrastructure hardening, access and monitoring tooling, and the day-to-day technical operation of the controls our policies define. We handle the legal and governance foundation; Dyanet handles the engineering. Together, clients get a single path from "we have no formal security programme" to "we are ready for our ISO 27001 or SOC 2 audit" — without having to stitch together a law firm and an IT vendor themselves.
Where this connects to our legal work
Compliance readiness and IT law aren't really separate problems — a SOC 2 control set and a GDPR/PIPL/DPDP data-processing obligation are often describing the same underlying risk from two different angles. See our IT, IP & Compliance section, and specifically Privacy & Government Restrictions, for the legal side of data protection across the US, EU, Pakistan, India, China, Russia and the Middle East.
IT, IP & Compliance
The legal side: IP, contracts, workforce classification, privacy and government restrictions, jurisdiction by jurisdiction.
Privacy & Government Restrictions
The data protection laws your ISMS or SOC 2 controls need to actually satisfy.
Ready to start?
Tell us which standard you're targeting, who's asking for it (a customer, an investor, a regulator), and roughly where your documentation stands today — we'll scope a gap assessment from there.
References
ISO — ISO/IEC 27001 · AICPA — SOC 2
We provide readiness assessment and policy preparation services; we are not an accredited ISO certification body and do not issue SOC 2 attestations. Certification and attestation must be obtained from an independent accredited body or licensed CPA firm. This page is general information, not a service guarantee — contact us to discuss your specific scope. ← Back to IT, IP & Compliance overview