Approach
A small number of things, for a small number of organisations — as a matter of judgement, not process.
There is one way in, and three areas in which we work. Every engagement is advice or independent assurance — none is sold as embedded hours, and none as legal opinion.
The diagnostic
A senior, independent read on where an organisation’s security and regulatory risk concentrates, and how its posture compares to the stakes it carries. Fixed in scope, and discreet. It is the considered beginning of a relationship, not a product — and we do not publish prices, because the right scope is a conversation, not a tariff.
Independent assurance
An honest, independent read for the board or audit committee on whether risk is genuinely understood and controlled — a position the accountable owner can defend to the board and the regulator. It is designed to back an organisation’s own security and technology leadership, not to sit over them.
Programme & ISMS oversight
When a gap surfaces — an ISO 27001 build, a remediation, a governance overhaul — we shape and steer the programme. Led, not staffed: senior ownership of direction, without renting a function.
Situations
The high-stakes moment — an incident, a regulatory finding, a transaction under diligence — where the accountable owner needs a credible answer quickly, from someone who has been in the chair. This can include bounded interim leadership through a defined transition: time-limited, and shaped to the situation, never a standing seat.
Within our remit
We advise on the security, governance and regulatory-readiness dimension of risk.
We do not give legal advice or sign statutory opinions; where a question is legal, we say so, and work alongside your own counsel. That boundary is not a limitation we apologise for — it is part of how we keep our advice trustworthy.
The right scope is a conversation, not a line item — and that conversation is the place to begin.