BastionSec
How we work

How we get you compliant. Step by step, no shortcuts.

A seven-step method. AI speeds up the repetitive part; people do the analysis and validate everything. And an accredited body, independent of us, is the one that certifies. That independence isn't a limitation: it's what makes your certification valid.

The process

The method in seven steps

The same backbone for every standard; the content and timing change (see below).

  1. Gap analysis

     We map where you are against the standard: we tell you honestly what you're missing and what you're not.

  2. Scoping & risk assessment

     We define the scope (systems, data, sites) and assess risk. This is where we decide what's actually needed and what isn't.

  3. Policy & documentation

     We build policies, procedures and the Statement of Applicability. AI speeds up drafting; an expert reviews and validates every document.

  4. Implementation

     We put the controls into practice: identity, access, Zero Trust, governance, hardening. Not just paper: real security.

  5. Internal audit & management review

     We check internally before the external exam, so you don't reach the audit with surprises.

  6. Third-party audit

     We take you to an accredited body's audit (ISO) or the CPA's work (SOC 2). They assess independently: we are not the body.

  7. Certification / attestation & maintenance

     You get the certification (ISO) or attestation (SOC 2). Then we keep it alive: annual surveillance, periodic pentests, a maintained Trust Center, recertification in year 3.

Transparency on roles

We prepare you. An independent body certifies. That's how it should be.

We prepare, implement and bring you to the audit. But the certification is issued by an accredited body (ISO) and the attestation is signed by a CPA (SOC 2), not us. If your preparer were also your certifier, the certificate would mean little to an investor or auditor. Separating the roles is what makes it credible.

What we do

  • Gap analysis
  • Policies and documentation
  • Control implementation
  • Internal audit
  • Support through the exam

What the body / CPA does

  • Assesses independently
  • Issues the certification (ISO) or signs the attestation (SOC 2)
  • We work with accredited bodies and CPAs, but we don't replace them

What we don't do

  • We don't certify you
  • We don't guarantee the outcome (it depends on an independent third party)
  • We don't sell stamps

Human-Led, AI-Powered

AI accelerates. The expert validates. Always in that order.

AI does the repetitive part (document production, evidence collection, first analysis) and lets us work faster. People do the substantive work: analysis, pentests, decisions. Every deliverable goes through an expert's review before it reaches you.

  • Why we're faster and cheaper

    The efficiency comes from AI on the repetitive part, not from shortcuts on quality.

  • Your data stays protected

    It's our job, and we apply it to what you entrust to us.

  • We do it on ourselves too

    We govern AI internally, consistent with what we preach (see ISO 42001).

How long it really takes: it depends on the standard.

No vague '~3 months'. We give real per-standard timelines, and we quantify them for your case in the gap analysis.

ISO/IEC 27001

  1. Preparation: typically 3-6 months

     given adequate readiness

  2. Exam / issuance: Stage 1 + Stage 2 audit by an accredited body

  3. Cycle / maintenance: certificate valid 3 years

     annual surveillance, recertification in year 3

SOC 2 Type I

  1. Preparation: after readiness (control design, point-in-time)

  2. Exam / issuance: CPA report

  3. Cycle / maintenance: cyclical refresh

SOC 2 Type II

  1. Readiness + observation period: typically 3-12 months

     the observation period is what sets Type II apart

  2. Exam / issuance: CPA report after the period

  3. Cycle / maintenance: cyclical refresh

ISO/IEC 42001 (AIMS)

  1. Preparation: similar to ISO 27001

     AI Management System

  2. Exam / issuance: audit by an accredited body

  3. Cycle / maintenance: cycle similar to 27001

These are honest orders of magnitude, not promises. Real timing depends on how ready you already are: we tell you upfront in the gap analysis.

What we won't promise you. And why that's a good sign.

For a technical buyer, someone who says what they don't do is more trustworthy than someone who promises everything.

  • We don't certify you: an independent accredited body or CPA does.
  • We don't guarantee the certification: the outcome depends on a third party, and rightly so.
  • No '100% secure', no 'hacker-proof': security is risk reduction, not magic.
  • No compliance for show: if a little is enough to be credible, we say so, and we won't sell you more than you need.

Frequently asked

Who actually issues the certificate, you?

No, and that's a strength. ISO certification is issued by an accredited body; a SOC 2 attestation is signed by a CPA. We prepare and support you. Their independence is what makes your certificate valid in front of clients and investors.

So what exactly do you do?

Gap analysis, policies and documentation, real control implementation, internal audit and support through the external exam. Then, afterwards: maintenance, periodic pentests and Trust Center. All the work that leads to the standard, except signing it off, which is for an independent third party.

Why are you faster than others? Should I be suspicious?

The speed comes from AI on the repetitive part (documentation, evidence collection, first analysis), not from shortcuts. People do the analysis and validate every deliverable. Faster and cheaper, yes; for show, no.

How long does my certification take?

It depends on the standard and your readiness. ISO 27001: typically 3-6 months of preparation, then the body's audit and a 3-year cycle with annual surveillance. SOC 2 Type I after readiness; Type II requires an observation period (usually 3-12 months). We quantify it in the gap analysis: no made-up dates.

Is my data safe while you work with us?

Yes. Protecting data is our job and we apply it to yours: controlled access, Zero Trust principles, and, on the AI side, deliverables are reviewed by experts, without exposing your data to improper use. We do it on ourselves too (see Trust Center).

What if the auditor rejects something?

That's why there's an internal audit and management review before the external exam: you arrive without surprises. If findings come up, we close them together. We can't guarantee the outcome (that would be false and would undermine independence), but we prepare you to genuinely pass.

Want to know where you really stand?

Let's start with the method's first step: the gap analysis. We tell you honestly what you need and how long it takes. Gap analysis → tailored proposal → kickoff.