Cybersecurity Risk Assessments

Identify and evaluate the risks to which your systems might be exposed, and prioritize the security measures needed to protect your company against cyber threats.


Security Architecture Design

Create a comprehensive blueprint of your company’s cybersecurity defences in a way that integrates your hardware, software, and processes to protect against potential threats.


Incident Response Planning (IRP)

Respond more quickly and effectively to cybersecurity incidents, minimizing damage and reducing recovery time and costs.


Third Party (Vendor) Risk Management

Manage the risks associated with outsourcing some of your business processes to third-party vendors, and ensure that those partnerships don’t expose your company to unnecessary security vulnerabilities.


Business Continuity Planning (BCP)

Help ensure your company can maintain essential functions during and after major disruptions (like cyberattacks or natural disasters).


Security Program Policies Development

This involves creating policies that define a company’s security standards, protocols, and expectations to guide behaviour and help enforce security measures throughout the organization.


Disaster Recovery Planning (DRP)

Restore your IT infrastructure and operations following disruptive events, and expedite operational recovery to minimize downtime, data loss, and revenue loss.


Secure Software Development Lifecycle (SDLC) Documentation

Integrate security best practices into every phase of your Dev team’s SDLC, from planning and design to implementation and maintenance. Make sure security is baked into your products from day one, and not merely ‘bolted on’.

Security Program Service

IT Governance Framework Development

Develop a governance structure that aligns your IT strategy with business objectives, so that your IT systems operate within a set of defined rules and policies and support the business with cost-efficient practices.


Procedures & SOP Documentation

Create standard operating procedures (SOPs) and protocols. Achieve consistency and clarity in how tasks and processes are performed across the organization.


Risk Management Program Development

Develop strategies to identify, analyze, and manage risks across the organization, and mitigate potential impacts on the business.


IT Compliance Roadmap Creation

Develop a strategic plan that outlines the steps a company needs to take to meet specific IT compliance requirements and applicable laws and regulations.


Risk Assessment Reports

Document the plausible risks identified within your organization, evaluate the likelihood and impact of these risks, and recommend measures to mitigate them.


Executive Team & BoD Cyber Risk Report Development

Prepare comprehensive summary reports that are appropriately tailored for board members and executives to support strategic decision-making and risk management.


Change Management Controls Design

Design processes and procedures to manage changes in IT systems. Processes that are documented, measured, and well understood are the ones whose success is consistently repeatable.


Business Impact Analysis (BIA) Reporting

Assess the effects of disruptions on business processes and functions. Prioritize recovery strategies and investments to achieve operational resilience.

Risk Management Development

Privacy Impact Assessments (PIAs)

Evaluate how a project or system handles personal data and identify ways to mitigate any potential privacy risks.


Canada Privacy Compliance (e.g., PIPEDA, CASL)

If your business operates in Canada, at minimum you’ll want to make sure your data privacy practices satisfy PIPEDA requirements. Which other privacy laws apply will depend on your industry. We can help you figure that out.


Privacy by Design (PbD) Implementation

Integrate privacy at every stage of product development, ensuring that privacy considerations are embedded from the start and not just an afterthought.


United States Privacy Compliance (e.g., CCPA, HIPAA)

The United States’ privacy law landscape is a patchwork of state-level laws rather than a single, overarching federal framework of the kind Canada or the UK have. Each state can have its own rules about how personal information should be handled. We can help you avoid those unwanted missteps and pitfalls.


GDPR Compliance Assessments

If your business operates in the EU or UK, confirm whether your company’s practices are aligned with the EU's General Data Protection Regulation (GDPR) and highlight areas that need adjustment to avoid penalties.


Data Minimization Strategies

Only collect and retain operationally necessary data, comply with applicable privacy laws, and reduce your business’s risk of a privacy breach.


Privacy Program Policies Development

Create a robust corpus of privacy policies that detail how your organization collects, uses, shares, and protects personal data, moving toward a compliant state with relevant laws and regulations while fostering trust with consumers.


Data Protection Officer (DPO) as a Service

If it doesn’t yet make sense for your company to hire a full-time Data Protection Officer (DPO), a fee-for-service DPO will help you navigate the tangled world of privacy laws and maintain compliance, without the need for a full-time internal appointment.

Privacy Program Services

IS Internal Audit Program Charter

This document lays out why the audit is important, what powers auditors have, and what they are supposed to do. It also explains who is responsible for what, and how auditing fits into the bigger picture of company governance.


IS Internal Audit Execution Procedures

This is a step-by-step guide on how to carry out your system audits, covering everything from gathering data and analyzing it, to conducting interviews and tests.


IS Internal Audit Planning Procedures

These procedures outline how to organize audits, including assessing risks, deciding which parts of the business to focus on, and determining what resources are needed.


Reporting Procedures

These rules describe how to best present the valuable information that the audit checks discovered, suggest improvements, and share these insights with management and other important people involved.


Evidence Collection Procedures

These guidelines help ensure that all proof gathered during audits is handled carefully and kept safe, maintaining its truthfulness and secrecy.


Stakeholder Engagement Guidelines

These strategies aim to keep stakeholders informed and involved during audits, helping to maintain transparency and earn their trust.


Change Management Audit Guidelines

This framework helps auditors check that changes in IT processes don't negatively impact system security or performance.


Conflict of Interest Policy & Guidelines

This policy sets rules to avoid conflicts of interest, helping to keep the audit process independent and unbiased.

IS IA Program Development

Certified Information Privacy Manager (CIPM)

Focuses on teaching students how to manage privacy in an organization, and how to develop and run a privacy program that meets the applicable legal requirements of the jurisdictions in which they operate.


Certified Information Privacy Professional - United States (CIPP/US)

Focuses on U.S. privacy laws and regulations, preparing professionals to handle privacy issues in accordance with American legal requirements.


Certified Information Privacy Technologist (CIPT)

Equips IT and other technical professionals with the knowledge to embed privacy into technology platforms and processes, integrating privacy practices within an organization's technical functions and teams.


Certified Information Privacy Professional - Europe (CIPP/E)

Provides an understanding of European privacy laws and regulations, helping professionals ensure their company complies with GDPR and other privacy standards across the EU (European Union) bloc.


Certified Information Security Manager (CISM)

Designed for those who manage, design, and oversee an organization’s information security, focusing on governance and risk management.


Certified Information Systems Auditor (CISA)

For those who audit, control, and ensure the security of information systems, verifying that systems are managed and protected properly.


Certified in Risk and Information Systems Control (CRISC)

Geared towards IT professionals who identify and manage risks through the development of information systems controls, helping organizations meet business challenges.


Privacy & Security 101 (Intro Training)

Provides a basic introduction to privacy and security, tailored to your organization's needs. It covers essential concepts and practices to help employees understand and comply with privacy and security standards.

Employee Training

Business Continuity & Disaster Recovery (BCDR) Policy

A policy to guide the continuation of business operations under adverse conditions. A required document for many security standards, including ISO 27001 and SOC 2.


Data Privacy Policies (Internal)

Policies to comply with GDPR, CCPA, and PIPEDA, including data handling, processing, and consent practices.


Information Security Policy

A high-level policy governing the approach to information security management within the organization. A required document for many security standards, including ISO 27001 and SOC 2.


Access Control Policy

Establishes what measures you're taking to appropriately govern employee access to your company's various information and systems.


Incident Response (IR) Policy

A policy that details how your company will respond in case of a security breach. Required across most security and privacy standards for effective incident management.


Asset Management Policy

Defines the systematic approach to acquiring, operating, maintaining, upgrading, and disposing of assets cost-effectively while managing risks and performance throughout their lifecycle.


Risk Management Policy

A crucial component of an organization's overall risk management strategy. It outlines the company's approach to identifying, assessing, managing, and monitoring risks.


Human Resources Security Policy

Outlines the procedures for managing the entire employee lifecycle, from recruitment to retirement. The policy seeks to ensure that operating risks related to personnel are optimally managed.

Policy Development


Physical & Environmental Security Policy

Establishes measures to protect facilities, equipment, and resources from physical threats and environmental hazards, ensuring operational continuity and safety.


Data Retention & Disposal Policy

This document stipulates the criteria to determine how long data should be retained and the procedures for securely disposing of data once it is no longer needed.


Operations Management & Comms Policy

Governs how business operations and IT systems are managed and communicated to ensure efficiency, security, and compliance.


Data Encryption Policy

Outlines the standards and practices for encrypting data to protect its confidentiality and integrity during storage and transmission.


Change Management (CM) Policy

Establishes the process for managing changes to IT systems and infrastructure to minimize risk and disruption, and achieve repeatable success by using standardized workflows.


Data Breach Notification Policy

Defines the procedures for notifying affected parties (e.g., clients, investors) and authorities (e.g., regulators, police) in the event of a data breach, in compliance with legal requirements.


Supplier (Vendor) Security Policy

Sets security requirements and controls for third-party service providers ("suppliers", or "vendors") to protect your company's data and systems.


Information Technology (IT) Policy

This policy details the expectations for using and managing the company's IT resources and systems. It sets standards for the proper deployment, operation, and maintenance of IT.


Acceptable Use Policy (AUP)

Describes the acceptable and prohibited uses of the organization’s IT resources by employees or users to ensure security and compliance.


Remote Work Policy

Provides guidelines and security measures for employees working remotely to maintain data security and productivity outside the office.