Compliance readiness & implementation

SOC 2, ISO 27001 & ISO 42001 readiness

Compliance built for how your company actually works — not the other way around. We scope the right framework, implement the controls, and build evidence trails that make the audit predictable.

Why most compliance programs fail before the audit

Companies buy a GRC platform, assign it to the most overloaded engineer, and call it a compliance program. Six months later the platform is half-configured, policies are unreviewed templates, and the audit firm is calling. The problem is not the platform — it is the absence of someone who does the actual implementation work.

Frameworks we deliver

  • SOC 2 Type I and Type II — all five Trust Services Criteria (Security, Availability, Processing Integrity, Confidentiality, Privacy), end-to-end implementation and auditor coordination
  • ISO 27001 — ISMS design, Statement of Applicability, and certification body coordination
  • ISO 42001 — AI management system and governance program for AI and ML companies (a newer standard with few specialist implementers)
  • Multi-framework with cross-framework control harmonization to reduce duplication and cost
  • HIPAA alignment within multi-framework Enterprise engagements

Pricing tiers

Launch
$9,000–$14,000
one-time · 45–70 hrs · 4–6 weeks
Overage: $185/hr
  • Gap assessment (SOC 2 or ISO 27001)
  • Framework selection recommendation with rationale
  • Prioritized 90-day remediation roadmap
  • 10 foundational policies (customized, not templated)
  • Initial risk register
  • GRC platform basic setup (Drata or Vanta)
  • Audit readiness checklist and evidence tracker
  • Security questionnaire starter kit
Growth · Most popular
$18,000–$32,000
one-time · 100–160 hrs · Type I: 10–14 weeks · Type II: 14–18 weeks
Overage: $195/hr · Audit firm fee est. $15K–$40K (client-paid, separate)
  • Everything in Launch, plus:
  • SOC 2 Type I readiness — all Trust Services Criteria
  • Complete policy library (20+ policies, fully customized)
  • GRC platform full config + evidence workflow automation
  • Control implementation — hands-on, not advisory-only
  • Vendor inventory and initial risk tiering
  • Security awareness training baseline
  • 1 tabletop exercise included (ransomware or breach)
  • Auditor coordination, RFI response, evidence review
Scale
$35,000–$60,000+
one-time · 180–300 hrs · 14–26 weeks
Overage: $225/hr · Audit firm + certification body fees separate
  • Everything in Growth, plus:
  • SOC 2 Type II or ISO 27001 full readiness, with audit firm (SOC 2) or certification body (ISO 27001) coordination
  • ISMS design and implementation (ISO 27001)
  • Statement of Applicability (SoA) — ISO 27001
  • Advanced GRC config with custom control mapping
  • Penetration test coordination (test cost separate)
  • Post-audit remediation planning and management letter drafting
  • Multi-framework: SOC 2 + ISO 27001, or + ISO 42001, or + HIPAA
  • Cross-framework control harmonization
  • ISO 42001 AI governance program (AI/ML companies)
  • 2 tabletop exercises included
  • Trust center setup (Vanta or Drata trust page)

Estimated total project cost

  • Starter: $30K–$55K total (includes platform + audit firm)
  • Growth: $50K–$100K total
  • Professional: $70K–$130K total
  • Enterprise: $95K–$200K+ total

Free SOC 2 readiness checklist

Download our practical SOC 2 readiness checklist — the same framework our team uses for every initial gap assessment.

Separate client costs

  • SOC 2 audit firm: approx. $15K–$40K
  • ISO 27001 certification body: approx. $8K–$20K
  • GRC platform license: approx. $10K–$30K per year

From audit-ready to enterprise-trusted.

The companies we work with do not just pass their audits. They close bigger deals, earn stronger customer trust, and sleep better when the headlines are bad.