Compliance frameworks, multi-framework engagements.
Most engagements start with one framework. Few stay there. SOC 2 leads to ISO 27001 when European customers arrive. HIPAA leads to HITRUST when an enterprise health system asks. We stack frameworks cleanly so the second one is mostly evidence reuse, not a fresh program.
SOC 2 Readiness Assessment
Full Trust Services Criteria gap analysis with light pentest. The deeper version of the 2-week SOC 2 Sprint, scoped for teams with longer audit windows.
ISO 27001
International ISMS standard with Annex A controls, Statement of Applicability, internal audit, and recertification cycle. The framework most enterprise procurement asks for after SOC 2.
HIPAA Assessment
Security Rule administrative, physical, and technical safeguards. PHI inventory, business associate agreement hygiene, and breach notification readiness.
CMMC Readiness
NIST 800-171 controls mapped to CMMC 2.0 levels. CUI handling, assessment objectives, and third-party C3PAO preparation for defense industrial base contractors.
NIST CSF Assessment
Maturity scoring across the five functions: Identify, Protect, Detect, Respond, Recover. Cross-framework baseline that produces board-readable output.
One program, many badges.
Frameworks overlap by 60 to 80 percent. SOC 2 controls map to ISO 27001 Annex A controls, which map to NIST CSF subcategories, which map to HIPAA safeguards. We build one underlying control program, then map evidence to whichever certifications customers ask for. New framework, mostly the same controls, faster turnaround on each subsequent audit.
Ready when you are
Your next move starts with a 30-minute call.
If vCISO is not a fit, we will say so on the call and point you toward someone who is. If we are, we will scope a Sprint, the 90-Day Foundation, or a retainer right then.