Reviewer model

Reviews are conducted by senior practitioners with operational resilience, business continuity, or enterprise risk backgrounds. Reviewer details are provided on booking confirmation.

We do not provide generic, tool-generated output. Every finding is synthesized by a senior practitioner, ensuring that reports are grounded in operational reality rather than automated scans.

Where relevant, a second reviewer provides specialist input on supplier readiness or regulatory context. This is included in the standard engagement — not an add-on.

Lead Reviewer · Principal

Leads the session and authors the report. Senior practitioner with operational resilience and enterprise risk background.

Reviewer details provided on booking confirmation.

Second Reviewer · Supplier Readiness

Provides specialist input on supplier assessment and NIS2 supply chain obligations where relevant to scope.

Reviewer details provided on booking confirmation.

Method

The review method is structured — not free-form. Each domain has allocated time, standardised coverage, and defined outputs. The pre-session questionnaire ensures the session time is spent on decisions and gaps, not data gathering.

Findings are graded by risk and remediation effort. The report prioritises actions — not just identifies gaps. Every finding has a recommended next step.

Reports follow a consistent structure so they are comparable across reviews and legible to third parties — insurers, enterprise clients, regulators.

Frameworks referenced

NCSC · Baseline controls reference

National Cyber Security Centre — Cyber Essentials, CAF

ISO 22301 · BCP structure and terminology

Business Continuity Management Systems

NIS2 · Supply chain obligations, Article 21

EU Network and Information Security Directive 2

DORA · ICT risk management reference

Digital Operational Resilience Act (EU financial sector)

PAS 555 · Governance framing

Cyber Security Risk Governance and Management

What we do not do

Clarity about scope is part of the product. The Review is an operational resilience assessment — not a technical audit, not a certification exercise.

Penetration testing or technical vulnerability scanning
ISO 27001 or SOC 2 certification preparation
Legal or regulatory compliance sign-off
Software implementation or tool configuration
Ongoing managed service or retainer engagement

We can signpost specialist providers for any of the above where relevant.

NIS2 & regulation — common questions

Does the Review make us NIS2 compliant?

No. The Review documents your current posture and identifies gaps against NIS2 supply chain obligations. It is evidence of a structured assessment — useful for demonstrating due diligence. Compliance determinations rest with the relevant national authority.

Is the report accepted by enterprise procurement teams?

Reports are structured to be shared directly with enterprise procurement, legal teams, and insurers. We cannot guarantee acceptance by any specific organisation — that depends on their own assessment criteria. The report provides the same structured evidence as an internal due diligence document.

Do you cover DORA?

DORA (the Digital Operational Resilience Act) applies to financial entities and their ICT service providers. Where relevant to scope, we reference DORA obligations in the regulatory context section of the report. If DORA is a primary driver of your review, confirm this at scoping stage.

What about ISO 22301?

We reference ISO 22301 as a framework for business continuity management structure and terminology. The Review is not an ISO 22301 audit and does not prepare organisations for certification. If certification is your goal, a specialist auditor is the appropriate route.

Six principles

01

Evidence over assertion

Findings are grounded in documentation, process, and demonstrated practice — not self-reported confidence. If it is not written down and practised, it is not a control.

02

Usefulness over completeness

A 40-page report no one reads is not a deliverable. Every output is scoped to be actionable by the organisation that commissioned it.

03

Independence is the product

We do not sell the remediation. We have no incentive to find more gaps than exist, or to obscure the ones that do. The review is the engagement.

04

Plain language throughout

Findings are written for operations leads, MDs, and board members — not security professionals. Jargon obscures; it does not add rigour.

05

Proportionate to the organisation

A 12-person professional services firm is not a bank. Recommendations are sized for the organisation, its sector, and its actual risk surface.

06

No certification, no software, no retainer

One engagement. One report. Ongoing relationships by choice — not by contract structure. We do not create dependency.

Begin a Review

A structured 90-minute session, written report, and follow-up call. €2,400 fixed fee.