Cybersecurity Audit & Compliance

Find the gaps before someone else does, then close them on a written programme.

Security analyst reviewing system logs and audit findings on a multi-pane terminal
  • 100+ audits delivered
  • 6 frameworks covered
  • 30 days audit-to-report
  • Independent: no conflict of interest
What an engagement covers

Six disciplines, scoped to your environment.

You pick the scope; we run the engagement. Every output is written, evidenced, and prioritised so the next 90 days of remediation work is obvious.

Security audit

Configuration review of identity, network, endpoint, cloud, and data tiers. Mapped to a recognised framework. Output: gap register with severity and effort estimates.

Penetration testing

External, internal, web application, wireless, social engineering. Black-box, grey-box, or white-box, your choice. CREST-aligned methodology.

Compliance gap analysis

Mapped to ISO 27001, GDPR, NIST CSF, PCI DSS, or HIPAA. Current-state assessment, gap register, and a target-state roadmap with effort and budget.

Vulnerability management

Automated scanning, risk prioritisation, patch coordination, monthly remediation reports. Available as an optional ongoing service after the initial audit.

Threat hunting & incident review

Retrospective review of historical telemetry to find long-dwell threats. Live incident response engagements are available; we have led the response on several US breaches.

Policy & procedure

Information security policy, acceptable use, incident response, business continuity. Written for your business, not boilerplate. Ready for audit and board sign-off.

Compliance frameworks

Six frameworks we have shipped end-to-end.

We have taken USA clients through full certification on each of the frameworks below, including evidence packs, certifying-body coordination, and post-certification surveillance.
ISO 27001
NIST CSF
GDPR
PCI DSS
HIPAA
SOC 2
Frameworks we audit against

Six frameworks, in detail.

For each framework, here is what we assess, the evidence we collect, and the gaps we expect to find on a first engagement. Scope is tailored to your environment, but the assessment surface stays consistent so nothing slips through.

ISO 27001

Information Security Management System against the Annex A control set. We have taken USA clients through full certification, not just gap-analysis theatre.

  • ISMS scope and risk assessment review
  • Annex A control implementation and operating effectiveness
  • Statement of Applicability (SoA) review and rationale
  • Internal audit programme and management review evidence
  • Corrective action and continual improvement records
  • Certifying body coordination (BSI, DNV, BV) end-to-end

NIST CSF

NIST Cybersecurity Framework (CSF), the US risk-management framework built on the core functions Govern, Identify, Protect, Detect, Respond, and Recover, with Implementation Tiers 1-4. Voluntary in most sectors, but expected by federal regulators and increasingly referenced in private-sector tenders.

  • CSF core function and category mapping (Govern, Identify, Protect, Detect, Respond, Recover)
  • Implementation Tier (1-4) assessment and current-to-target profile gap report
  • Sector-specific profile alignment (critical infrastructure, government)
  • Evidence pack build-out for regulator submission
  • Continuous monitoring controls review
  • Annual re-assessment and profile refresh support

GDPR

EU General Data Protection Regulation for US businesses with EU customers, EU staff, or EU-resident data. The compliance bar is the same as for an EU company, and the enforcement is real.

  • Data Protection Impact Assessment (DPIA) review
  • Records of Processing Activities (RoPA) build-out
  • Lawful-basis mapping and consent capture audit
  • Subject access and erasure request workflow review
  • Cross-border transfer mechanisms (SCCs, BCRs)
  • Breach notification readiness and response

PCI DSS

Payment Card Industry Data Security Standard for any business that processes, stores, or transmits cardholder data. Levels 1-4, scoped to your annual transaction volume.

  • Cardholder data environment (CDE) scoping and segmentation
  • Twelve PCI DSS principal requirements and their sub-requirements
  • Network segmentation review and ASV scanning
  • Tokenization and encryption-at-rest review
  • Internal vulnerability scanning and quarterly external scans
  • SAQ or RoC preparation with QSA coordination

HIPAA

Health Insurance Portability and Accountability Act mapping for covered entities and business associates, including international healthcare groups operating in the United States. Privacy Rule and Security Rule controls plus the Breach Notification Rule.

  • Protected Health Information (PHI) data-flow mapping
  • Privacy Rule control assessment
  • Security Rule administrative, physical, and technical safeguards
  • Business Associate Agreement (BAA) inventory and review
  • Breach notification readiness and response
  • Workforce training and policy attestation evidence

SOC 2

System and Organization Controls (SOC 2) Type 1 and Type 2 readiness for SaaS and tech companies selling into enterprise customers. Trust Services Criteria scoped to security, availability, and confidentiality.

  • Trust Services Criteria scoping (security, availability, confidentiality)
  • Control design effectiveness (Type 1) review
  • Control operating effectiveness (Type 2) over the audit period
  • Subservice organisation and complementary user controls
  • Evidence-collection automation and continuous monitoring
  • CPA firm coordination through to attestation
Why GR IT for security

Four reasons clients pick us for the audit.

Security audits are easy to buy, hard to buy well. Here is what separates a useful engagement from a PDF that lives in a drawer.

Frameworks we have shipped

ISO 27001, GDPR, NIST CSF, PCI DSS, HIPAA, SOC 2. We have taken clients through full certification, not just compliance theatre.

Independent of vendors

We do not resell a security stack we are trying to push. Findings name the gap, not the product. You buy what you need, not what is in our catalogue.

Reports your board reads

Executive summary, technical detail, remediation roadmap, budget. Two-tier deliverable: 5-page board pack and full evidence appendix.

Certified team

Engineers hold CISSP, CEH, CISM, ISO 27001 LA. The team that runs your engagement is named in the SOW, not a junior subcontractor.

Audit process timeline

Five phases, one written deliverable trail.

Every audit engagement runs the same five-phase plan. Each phase has a defined output and a sign-off gate before we move on, so there are no surprises at the end.
  1. Phase 1 · Scoping & Planning (1 week)

    Define audit scope, objectives, and methodology. Rules of engagement signed before any work starts.

    • Initial consultation and stakeholder map
    • Scope definition with in-scope and out-of-scope assets
    • Compliance requirements review
    • Audit plan with resource allocation
    • Timeline and milestone calendar
  2. Phase 2 · Information Gathering (1-2 weeks)

    Collect documentation, interview stakeholders, and understand the current control environment.

    • Document collection (policies, procedures, runbooks)
    • Architecture analysis and data-flow diagrams
    • Stakeholder interviews and control owners identified
    • Asset inventory aligned to audit scope
    • Control identification mapped to framework
  3. Phase 3 · Assessment & Testing (2-3 weeks)

    Conduct security testing, vulnerability scanning, and control evaluation against the framework.

    • Vulnerability scanning across in-scope assets
    • Penetration testing aligned to CREST methodology
    • Control effectiveness testing with evidence capture
    • Configuration review and policy compliance check
    • Access control and security monitoring review
  4. Phase 4 · Analysis & Reporting (1 week)

    Analyse findings, prioritise risk, and prepare the executive and technical reports.

    • Finding analysis with CVSS scoring
    • Risk assessment and gap register
    • Executive summary (board-ready)
    • Technical appendix with full evidence chain
    • Remediation recommendations on a 90/180/365 day plan
  5. Phase 5 · Remediation Support (ongoing)

    Support implementation of fixes, re-test remediated findings, hand off into continuous monitoring.

    • Remediation planning and effort estimation
    • Implementation guidance for control owners
    • Progress tracking against the roadmap
    • Re-testing of fixed findings
    • Continuous monitoring handover
Industries we audit

Audit profiles by sector.

Six sectors with the most regulatory weight in the United States. Scope and framework vary; the discipline does not.

Financial services

SEC, NYDFS Part 500, regulated lenders, insurance brokers. ISO 27001, PCI DSS where cardholder data is in scope, regulator-specific frameworks.

Healthcare & clinics

HIPAA-regulated healthcare facilities (hospitals, clinics, dental practices). PHI handling, patient-data DLP, HIPAA mapping for international groups, NIST CSF where applicable.

Retail & e-commerce

Card-present, card-not-present, multi-channel. PCI DSS scoping (level 1-4), tokenization advice, segmentation review, ASV scanning.

Professional services

Law firms, accountancies, consultancies. Confidentiality controls, document management security, M&A diligence support, GDPR for international clients.

Education

Schools, universities, training providers. Student-data protection, exam system integrity, parental consent, vendor management for ed-tech.

Critical infrastructure

Logistics, utilities, large hospitality. NIST CSF framework alignment, OT/IT segmentation, business continuity, incident response readiness.

What we assess

Eight assessment areas, grouped by domain.

Every engagement covers the eight areas below. Depth varies by framework and scope, but the assessment surface stays the same so nothing slips through unaudited.

Technical Controls

  • Network Security
    Firewall rules, segmentation, intrusion detection
  • Application Security
    Web app vulnerabilities, code security, API security
  • Data Protection
    Encryption, classification, backup and recovery
  • Access Controls
    User permissions, authentication, authorization

Operational Controls

  • Incident Response
    Procedures, response plans, communication paths
  • Security Policies
    Documentation, awareness training, enforcement
  • Third-Party Risk
    Vendor assessments, supply-chain risks
  • Physical Security
    Data-centre access, environmental controls
Independent audit vs in-house attestation

Why the audit needs to be independent.

Self-attestation works for some controls; for the ones that matter, you need a second pair of eyes. Honest comparison:
Feature                               In-house attestation (your IT team)   Independent audit (external, evidenced)
Conflict of interest                  Yes (structural)                      No
  Auditing your own team's work creates an incentive to soften findings.
Acceptable for ISO 27001 audit
Acceptable for board sign-off         Limited                               Yes
Penetration testing depth             Self-blind spots                      Independent perspective
  You cannot pen-test what you built.
Framework certification readiness
Regulatory submissions                Often rejected                        Accepted
Cost                                  Internal time only                    From USD 25,000 per engagement
Audit types and industry solutions

Ten engagement shapes by audit type and sector.

Pick by what you need to prove and to whom. Audit type defines the depth of testing; the industry maps regulator and framework expectations into the engagement scope.
  • Internal Security Audit

    Access control review, policy compliance, internal network assessment, user activity monitoring.

  • External Security Audit

    External vulnerability scan, web app testing, DNS security review, email security assessment.

  • Application Security Audit

    Source code review, OWASP Top 10 testing, API security testing, authentication testing.

  • Cloud Security Audit

    Cloud configuration review, IAM policy assessment, data storage security, cloud service security.

  • Banking & Finance

    PCI DSS, ISO 27001, local banking regulations. Protect financial data and meet strict regulator requirements.

  • Healthcare & Medical

    HIPAA, patient-data protection, medical-device security. Secure patient records and meet healthcare compliance.

  • Government & Public Sector

    NIST CSF framework, national security standards. Meet government security expectations and protect citizen data.

  • Retail & E-commerce

    PCI DSS, customer data protection, GDPR. Secure payment processing and customer information.

  • Education

    Student-data protection, FERPA mapping for international groups. Protect student records and exam systems.

  • Technology Companies

    SOC 2, ISO 27001, product security. Demonstrate security to enterprise customers and partners.

Key benefits

What an audit programme delivers, in numbers.

These are the outcomes our audit clients see in the first 12 months after a fixed-fee engagement. Aggregated across the active book, not cherry-picked.
95% risk reduction

Critical and high findings closed within the 90-day remediation window.

Full compliance coverage

ISO 27001, GDPR, NIST CSF, PCI DSS, HIPAA, SOC 2 covered end-to-end.

24-48h critical-finding response

Active compromise or exposed data flagged within hours, not at report delivery.

100% certified team

CISSP, CEH, CISM, ISO 27001 LA on every named engagement team.

Detailed remediation plans

90/180/365 day roadmap with effort estimates and budget guidance.

Ongoing surveillance support

Post-certification surveillance and continuous control attestation.

How an engagement runs

From scoping call to remediation roadmap.

Every engagement runs the same path. Documented, evidenced, deliverable on a fixed timeline.
  1. Scoping (1 week)

    Discovery call, scope document, NDA, SOW, signed engagement letter. Rules of engagement defined for testing. No work starts until both sides have signed.

  2. Fieldwork (2-4 weeks)

    On-site and remote testing per the methodology. Evidence captured, configurations reviewed, controls tested. Daily standups during pen tests; weekly during audits.

  3. Reporting (1-2 weeks)

    Executive summary, technical findings, evidence appendix, remediation roadmap. Internal QA before delivery. Live read-out session with stakeholders.

  4. Re-test (within 60 days)

    You remediate. We re-test the fixes. Findings closed in writing. Open items go to the next quarterly review or stay in your risk register with target dates.

We engaged GR IT for an ISO 27001 readiness audit and a penetration test. The findings were honest enough to be uncomfortable and useful enough to give us a clear 9-month roadmap. We certified on the first attempt and the auditor specifically called out the quality of the gap remediation evidence.
Frank Bennett
Head of Risk & Compliance · Wall Street-regulated asset manager
ISO 27001 certified on first attempt
Common questions

Cybersecurity audit & compliance, frequently asked.

Ready to start?

Book a scoping call.

Three-minute form. Our security team gets back the same business day to schedule a 30-minute scoping call. No obligation, no auto-billed retainer.