Compliance  ·  risk

Pass the audit
before it lands.

POPIA, ISO 27001, PCI-DSS, ITIL, COBIT, ISO 22301, and the rest. Gap analysis, remediation, certification, ongoing management. We do the work end to end, report included.

Cheaper to get compliant than to get caught.

The audit board

Ten controls. Three states. Click in.

What your control board looks like on day one of an engagement. POPIA + ISO 27001 controls, colour-coded by current state. Click any tile to see the gap and the fix.

4 Missing

No evidence in place. Highest audit risk.

4 Partial

Some controls in place, gaps remain.

2 In place

Documented, implemented, evidence available.


Each tile is a real POPIA or ISO 27001 control we audit on first engagement. Red = missing, amber = partial, sage = in place. The shape of the matrix tells you where the audit risk lives before you read a single line.

Demo state · your matrix is built from your real evidence

What we cover

Six disciplines. End to end.

01

POPIA

POPIA Compliance

Fines run up to R10M per contravention. We audit your data practices, draft consent forms, write processing agreements, set retention schedules, build the breach-notification runbook.

02

ISO

ISO 27001 Certification

Opens doors that are otherwise closed. Gap analysis against all 93 Annex A controls, risk assessment, policy development, implementation, support through certification.

03

RISK

Risk Assessment

Information assets identified, threats mapped, likelihood + impact assessed. Ranked risk register that tells you where to spend the security budget first.

04

POLICY

Policy Development

Policies people actually follow. Information security, acceptable use, incident response, data classification, access control. Plain language, enforceable, framework-aligned.

05

AUDIT

Audit Preparation

Evidence collection, control testing, documentation review, mock-audit walkthroughs. Your team knows what to expect and what to show. The audit week is calm.

06

MAINTAIN

Ongoing Management

Compliance isn't a certificate you frame and forget. Annual reviews, control-effectiveness testing, policy updates, awareness refreshers. Someone is watching.

Frameworks

The headline three. Plus everything else IT touches.

Protection of Personal Information Act

POPIA

  • 8 conditions for lawful processing
  • Information Officer registration with the Regulator
  • 72-hour breach notification requirement
  • Data-subject access-request handling
  • Cross-border transfer adequacy assessments
  • Operator (processor) agreements required

Stakes

Up to R10M fine or 10 years imprisonment

Information Security Management System

ISO 27001:2022

  • 93 controls across 4 domains
  • Risk-based approach to security
  • Statement of Applicability documented
  • Internal audit programme + management review
  • Continual improvement through corrective actions
  • 3-year cycle with annual surveillance

Stakes

Increasingly required for tenders and enterprise contracts

Payment Card Industry Data Security Standard

PCI-DSS

  • 12 requirements across 6 objectives
  • Network segmentation + firewall configuration
  • Cardholder data encrypted in transit and at rest
  • Vulnerability management + pen testing
  • Access control + authentication
  • Monitoring, logging, incident response

Stakes

Fines from card brands, loss of payment-processing ability

Also covered  ·  gap analysis, remediation, audit support

ITIL 4  ·  IT Service Management
COBIT 2019  ·  IT Governance & Audit
ISO 22301  ·  Business Continuity
ISO 9001  ·  Quality Management
ISO 31000  ·  Risk Management
NIST CSF  ·  Cybersecurity Framework
SOC 2  ·  Service Org Controls
CIS Controls  ·  Security Baseline
King IV  ·  SA Corporate Governance
GDPR  ·  EU Data Protection

What we find every time

Five gaps in nearly every audit.

Gap 01

No data-processing agreements with third-party vendors

POPIA non-compliance. Vendors process PI on your behalf without a legal agreement governing how.

Gap 02

Backup tapes stored offsite with no encryption

Physical theft of backups = full data breach. No encryption means no protection if the tapes walk.

Gap 03

No formal access review process

Former employees still have active accounts. Contractors retained access after projects ended.

Gap 04

Incident response plan exists, waiting for its first tabletop

When a breach happens, your team reads the plan for the first time under pressure. That's a draft.

Gap 05

Personal data retention with no defined schedule

You're storing data you're legally required to have deleted. The bigger the breach, the longer the tail.

How an engagement runs

Five stages, gap to certificate.

01

Gap Analysis

Current state against the target framework. Every control evaluated: implemented, partial, or missing. Clear picture of where you stand and how far you need to go.

02

Roadmap

Prioritised remediation with timelines, effort estimates, dependencies. Quick wins first, structural changes after. You know what costs what.

03

Implement

We do the work. Policies drafted, controls configured, procedures documented, staff trained. This is where most consultants stop.

04

Certify

Internal audit to validate readiness. Evidence packages compiled. Mock-audit walkthroughs. We stay in the room and handle the technical questions.

05

Maintain

Annual surveillance audits, control-effectiveness reviews, policy updates, regulation monitoring. We keep it alive so the certificate doesn't lapse.

Stop guessing where the gaps are.
See the board.

Free gap-analysis call. We map your current state against POPIA, ISO 27001, or PCI-DSS. Ranked remediation list follows.