HIPAA, SOC 2, HITRUST: audit-ready by design.
Three to four weeks. Map your current state against the framework, identify gaps, deliver the evidence pack the auditor actually asks for.
Why this engagement exists.
Compliance is rarely the technology problem teams expect. It's an evidence problem. The controls usually exist; the evidence often doesn't. We map your current state against the framework, identify gaps with prioritised remediation, and deliver the evidence pack auditors are looking for.
Deliverables, not promises.
Every engagement ships these artefacts. Nothing here is fluff. Each item is something your team will hold in their hands at the end.
Current-state assessment: read of existing controls, evidence, and documentation against the framework.
Gap analysis: where you stand vs the bar, with explicit gaps ranked by remediation effort.
Remediation plan: prioritised plan with effort, owner, and target date for each gap.
Policy + procedure drafts: drafts of the policies and procedures auditors need to see in writing.
Evidence pack: controls, logs, screenshots, and attestations, assembled into the evidence pack format auditors expect.
Auditor prep presentation: walkthrough presentation plus a briefing document so the audit week goes smoothly.
The process, step by step.
No mystery, no consultant theatre. This is how the work actually flows from kickoff to handover.
- Week 1, Discovery: read of current controls, existing evidence, gap identification.
- Week 2, Gap analysis: mapped against the framework. Findings prioritised by effort × risk.
- Week 3, Remediation + policies: remediation plan plus drafts of the policies and procedures auditors will look for.
- Week 4, Evidence pack + prep: evidence pack assembled, auditor-prep presentation, briefing for the team.
The part teams underestimate is the observation window: for SOC 2 Type II, the prep is the short stretch, and the observation period that follows is measured in months, not weeks. We tell you the real end-to-end picture for your framework in the first week, and we never pad the estimate to win the work.
The questions that actually come up.
HIPAA (Privacy + Security Rules), SOC 2 (Type I + II), HITRUST CSF, ISO 27001, 42 CFR Part 2 for behavioral health. We can also map between them when you need to certify against multiple.
Related services
Architecture Review
Two to three weeks. A senior architect reviews your system, finds the cracks before they cost you. Honest, actionable, no upsell.
AI Strategy & Roadmap
A 4-6 week engagement that takes you from "we should do AI" to a roadmap, an architecture, and a team plan you can defend in the next board meeting.
Self-Hosted CI/CD
Build, test, and deploy without your code, secrets, or PHI leaving your network. GitHub Actions self-hosted runners, Argo, Tekton: your choice.
Ready to scope Compliance Mapping?
A 30-minute call. We map your situation against the engagement, give you a real estimate, and tell you honestly whether we are the right team for this.