Audits & Compliance

Know where you stand. Stay ahead of the rules

Regulation is expanding fast. We guide businesses through ISO 27001, DORA, NIS2, GDPR, and beyond, closing gaps, building evidence, and keeping you audit-ready long after we've left.

The compliance reality

Compliance is not optional.
The question is how prepared you are.

Regulation is tightening across every sector. These figures reflect what organisations face when compliance is under-resourced.

Organisations that fail their first compliance audit attempt
Inadequate preparation and undocumented controls are the most common reasons businesses don't pass first time.

Compliance failures that stem from poor policy enforcement, not malicious action
Most breaches and audit findings trace back to process gaps and undocumented controls rather than deliberate wrongdoing.

Businesses that say compliance complexity has increased significantly in the last 3 years
NIS2, DORA, the AI Act, and evolving GDPR enforcement have added substantial new obligations across most sectors.

SMEs that have never had a formal IT or security audit
Without independent review, control gaps go undetected and accumulate quietly until a regulatory event or breach forces the issue.
How we can help

Audit and compliance services
built for real businesses

We work alongside you to close gaps, build evidence, and get you to a position where auditors find nothing to raise. Every engagement is scoped around your actual obligations.

ISO 27001 Implementation & Certification
ISO 27001 is the gold standard for information security management. We guide you through the full journey: gap analysis, risk assessment, control implementation, documentation, internal audit, and preparation for certification, working with your chosen certification body. You leave with a certified ISMS, documented controls, and the evidence package your auditor expects.
GDPR & Data Protection Compliance
GDPR enforcement is active and fines are significant. We build or audit your data protection programme end-to-end: lawful basis mapping, Records of Processing Activities, DPIAs, data subject rights procedures, breach notification processes, and Data Protection Officer support. You leave with a completed RoPA, documented lawful basis mapping, and breach notification procedures ready to use.
PCI DSS Assessment & Compliance
If your business handles card payments, PCI DSS compliance is non-negotiable. We conduct gap assessments against the current PCI DSS standard, identify scope boundaries, help implement the required controls, and prepare you for your QSA assessment or Self-Assessment Questionnaire. You leave with a gap assessment report, a remediation plan, and a completed SAQ or QSA readiness package.
Internal IT & Security Audits
An internal audit by an independent team is one of the most effective ways to find gaps before regulators or attackers do. We conduct structured audits of your IT controls, access management, configuration baselines, patch status, and operational procedures, producing a structured findings report with risk-rated, prioritised recommendations your team can act on immediately.
Penetration Testing & Vulnerability Assessments
Many compliance frameworks require evidence of regular penetration testing. We conduct scoped network, application, and social engineering assessments designed to surface real risk rather than generate noise. You get risk-rated findings in both technical and executive formats, with a prioritised remediation plan your team can act on.
Risk Assessment & Risk Register
Formal risk management is central to ISO 27001, NIS2, DORA, and most other compliance frameworks. We run risk identification workshops, build and maintain your risk register, score and prioritise risks consistently, and produce the risk treatment plans that auditors expect to see. You leave with a scored risk register, documented treatment plans, and the supporting evidence ready for audit.
Policy & Procedure Development
Compliance lives and dies on documentation. We write, review, and update the full policy suite that frameworks require: information security policy, acceptable use, access control, incident response, business continuity, data retention, and more. You leave with a complete policy suite your staff will read and your auditors will accept without query.
Compliance Gap Analysis
Before you can close gaps, you need to know where they are. We conduct structured gap assessments against your target framework: ISO 27001, Cyber Essentials, NIST, NIS2, DORA, or bespoke regulatory requirements, mapping your current state to each control. You leave with a prioritised remediation plan, effort estimates, and a clear map of exactly what needs to change.
Regulatory Compliance (NIS2, DORA, FCA)
Sector-specific regulation is growing in scope and enforcement. We help financial services firms meet FCA and DORA obligations, healthcare organisations meet data protection requirements including DSPT, and businesses in critical infrastructure comply with NIS2. You leave with a controls mapping, gap remediation plan, and a regulator-ready evidence pack.
Audit Preparation & Readiness Reviews
An external audit should never be a surprise. We run pre-audit readiness reviews that replicate the assessor's process, interviewing staff, reviewing evidence, testing controls, and identifying anything that would result in a finding. We then work with you to close issues before the auditor arrives. You leave with closed gaps, a clean evidence package, and your team prepared for every stage of the assessor's process.
Supplier & Third-Party Compliance
Your compliance obligations don't stop at your boundary. We help you assess and manage third-party compliance risk, reviewing supplier security questionnaires, auditing critical vendors, and drafting data processing agreements. You leave with a supplier assurance programme, a third-party risk register, and reviewed DPAs in place.
Continuous Compliance Monitoring
Achieving compliance is only half the challenge; maintaining it is where most organisations struggle. We put in place the ongoing monitoring, evidence collection cadence, and management reporting that keep your compliance posture current between audits. You get a compliance posture report, a populated evidence library, and board-ready dashboards showing your status at any point in the cycle.
Why Cyvra

Compliance consultancy that gets you certified and keeps you there

We stay involved through implementation, evidence collection, and audit. Passing the assessment is the goal, not producing the document. We measure success by your certificate, not our deliverables.

Our team is certified across ISO 27001, CISSP, CISM, PCI DSS and CCSP
Independent and vendor-neutral, we audit to find real gaps, not to sell products
Proven track record guiding businesses to ISO 27001, PCI DSS and GDPR compliance
Clear reporting your board can understand, no jargon, no padding
Deep experience across healthcare, financial services, and hospitality sectors
Tailored compliance solutions
Our Credentials

Our certifications cover every framework we deliver

CISSP
CISM
ISO 27001
PCI DSS
CCSP
CompTIA

Get Started

Close your compliance gaps
and stay certified

Tell us which frameworks you're targeting. We'll map your current gaps and scope a path to certification.