These are the questions we hear most — from first conversations, from prospects evaluating their options, and from organisations that have never worked with a compliance partner before. We believe you deserve clear, honest answers before you ever speak to us.
Real answers to the questions that matter most. No fluff, no hedging — exactly what you would hear if you asked us directly.
This is the most common misconception we encounter. Many organisations approach compliance as a project — with a start date, an end date, and a certificate as the finish line. The reality is that certification is the beginning, not the end.
Every major framework — ISO 27001, SOC 2, PCI DSS, CMMI — requires ongoing maintenance: surveillance audits, continuous improvement, updated risk assessments, and evolving controls as your business changes. A framework that is built and forgotten will not survive its next audit cycle, and it will certainly not protect your organisation when a real challenge arrives.
We are upfront about this from the very first conversation because we would rather you understand the commitment before you begin than discover it after you have invested.
The right framework depends on three things: who your customers are, what industry you operate in, and where you are in your growth journey. If your customers are enterprise clients, they will likely require ISO 27001 or SOC 2. If you process card payments, PCI DSS is non-negotiable. If you are a defence contractor, CMMI may be relevant.
The honest answer is that many organisations pursue the wrong framework first — either because a sales team recommended it, or because a competitor had it. Our first engagement with any client starts with understanding what you actually need before we recommend anything.
It starts with what we call the first 30 days. Before a single framework document is opened, we invest time understanding your organisation — your people, your processes, your culture, and the gap between where you are and where you need to be.
From there, we build a structured plan that is specific to your business, not a template. We work alongside your team, not above them. We transfer knowledge as we go, so that by the time we step back, your organisation is genuinely stronger — not dependent on us to maintain what we built.
Because client confidentiality is not a policy for us. It is a practice. The organisations that trust us with their compliance posture are sharing deeply sensitive information about their internal operations, their gaps, and their vulnerabilities. Publishing that as a marketing asset — even anonymised — is something we consider a breach of that trust.
If you want to know what working with us is like, ask our clients directly. We are confident in what they will tell you.
Then we will tell you. Directly, and without softening it. Starting a certification process before your organisation has the foundational maturity to sustain it is one of the most expensive mistakes a company can make — not just financially, but in terms of the credibility of the outcome.
We would rather spend the first engagement helping you build that foundation than rush you into a certification that will not hold under scrutiny. Readiness is part of the work, not a prerequisite we assume.