Governance & Compliance

ISO & AI Security Audits. Certification that means something.

A certificate on the wall is only worth the rigor behind it. We get you ready for ISO 27001, SOC 2, ISO 42001, and more, building controls that actually work, so you pass the audit and earn the trust the badge is supposed to signal.

Why readiness

Most certification pain comes from treating the audit as a paperwork exercise the week before the assessor arrives. A control that exists only on paper fails the moment anyone looks closely.

We approach certification as building real security that happens to satisfy the standard, not the other way around. We assess where you stand, close the gaps with controls that work in practice, assemble the evidence, and walk with you through the assessment. The result is a certification you can defend and a security posture that is genuinely stronger.

The path to certified

From gap to certificate

A clear, staged route to certification, with the heavy lifting done as real security work rather than a last-minute scramble.

01 · Scope & gap assessment · Start
Define what the certification covers and measure your current state against the standard.

02 · Close the gaps · Build
Build and implement the controls that are missing, as working security, not documents.

03 · Evidence & documentation · Prepare
Assemble the policies, records, and proof the assessor will ask for.

04 · Internal audit · Rehearse
A dry run against the standard, so the real assessment holds no surprises.

05 · Certification & beyond · Certify
Support through the assessment, then maintain the controls for the next cycle.

The calendar

Audit season, abolished

Certification fails as a yearly sprint and works as a calendar. Here is what a certified year actually looks like when the program runs continuously.

Compliance calendar · July 2026 to June 2027 (illustrative)
Categories: External audit · Internal rehearsal · Evidence cycle · Program

Jul 2026   Q3 evidence cycle · Control owner check-ins
Aug 2026   Internal audit · ISO 27001
Sep 2026   Management review · Corrective actions close
Oct 2026   ISO 27001 surveillance audit
Nov 2026   Q4 evidence cycle · DR exercise
Dec 2026   SOC 2 observation window opens
Jan 2027   Q1 evidence cycle · Annual policy review
Feb 2027   Penetration test
Mar 2027   ISO 42001 gap re-assessment
Apr 2027   Internal audit · SOC 2 readiness
May 2027   Q2 evidence cycle · Management review
Jun 2027   SOC 2 Type II audit

Two external audits, two internal rehearsals, four evidence cycles, and the program work that feeds them, spread across twelve unremarkable months. The week before the assessor arrives looks like every other week, which is the entire point.

What we certify against

The standards that matter

From the established security standards to the new AI ones, we cover what your customers, board, and regulators ask for.

Security · ISO 27001: The international standard for an information security management system.
Trust · SOC 2: The attestation your customers ask for before they trust you with their data.
AI · ISO 42001: The new AI management system standard for responsible, governed AI.
Health · HIPAA: Safeguards for protected health information in the United States.
Payments · PCI DSS: The security standard for handling payment card data.
AI assurance · NIST AI RMF: The practical framework for managing AI risk across the lifecycle.

Part of the loop

Where audits sit in VIGILE

Prove and raise

Validate the controls, Enhance the program

Validate · ISO & AI Security Audits · Enhance

Audits are the Validate and Enhance motions of VIGILE. We prove the controls meet the standard, and the readiness work raises the security floor for good, well past the assessment day.

See EU AI Act & ISO 42001 ›

FAQ

Top 10 questions, frequently asked

We get you ready and walk with you through the assessment. The actual certificate is issued by an accredited certification body, which must be independent. We do everything up to and around that: the gap assessment, the controls, the evidence, the internal audit, and support during the external assessment. Keeping those separate is what makes the certificate credible.

It depends on where you start and which standard. A team with mature controls might be ready in a few months; one starting from little may take longer to build the foundations. We give you a realistic timeline after the gap assessment, and we sequence the work so the highest-impact and longest-lead items start first.

Yes, and it is often efficient to. The standards share a lot of underlying controls, so building once and mapping to both avoids duplicated effort. We design the program around the full set of certifications you need, rather than running each as a separate project.

That is increasingly the question. ISO 42001 is the new management system standard for AI, and NIST AI RMF provides the practical risk framework. We prepare you for both, and the work connects directly to our EU AI Act readiness, so your AI compliance is one coherent program rather than scattered efforts.

Gap assessment against the standard, an ISMS scoped to your business, controls implemented with owners, internal audit, and management review, so the certification audit is a formality rather than a discovery.

No. The work runs remotely with scheduled working sessions. On-site time is reserved for audits and workshops where being in the room genuinely helps.

A few hours a week from named control owners during the program, concentrated around evidence collection and internal audit. The program is designed around your team's calendar, not the other way around.

Surveillance audits run annually and the ISMS has to stay alive between them. Continuous evidence collection keeps the system current, so each surveillance audit starts from proof rather than a scramble.

Fixed scope for the readiness program based on company size and standard count, with managed ISMS operation as an optional retainer afterward.

Validate runs the gap assessment, Guard and Implement put the controls and evidence pipeline in place, and Enhance keeps the ISMS maturing between audits.

ISO & AI Security Audits datasheet: The staged path to certified, the always-on compliance calendar, multi-standard control mapping, the evidence pipeline, and what surveillance years look like.

Download the datasheet

Earn the badge, and the trust

Book a session with a Principal Engineer. We assess where you stand and map the path to certification.