Compliance Consulting
From ISO 27001 certification to PCI DSS annual assessments — we help you meet your compliance obligations without building an internal team to do it.
Compliance and security are not the same thing. Being certified doesn't mean you're secure, and being secure doesn't mean you'll pass an audit. Both matter — and conflating them leads to either wasted effort or a false sense of assurance.
We approach compliance practically: figure out which requirements actually apply to your business, identify the gaps honestly, and build a plan that satisfies the auditor without creating overhead your team can't sustain. Compliance that nobody maintains is worse than no compliance program at all.
Frameworks we work with
ISO/IEC 27001:2022
The international standard for information security management systems. The 2022 revision reorganized Annex A into 93 controls across four themes — organizational, people, physical, and technological — and added 11 new controls covering threat intelligence, cloud security, and data masking. We guide organizations through the full certification cycle: gap analysis, ISMS design, risk assessment, Statement of Applicability, internal audit, and certification audit support.
PCI DSS v4.0
The Payment Card Industry Data Security Standard, now at v4.0 — the only active version since March 2025. Required for any organization that stores, processes, or transmits payment card data. This covers virtually every resort, hotel, and retail business in the Maldives. We assist with scoping, gap analysis, remediation, and preparation for a Qualified Security Assessor (QSA) assessment or Self-Assessment Questionnaire (SAQ) completion.
GDPR
The EU General Data Protection Regulation applies to any organization processing personal data of EU residents, regardless of where the organization is based. For Maldives resorts hosting European guests — which is most of them — GDPR obligations are real. We help with data mapping, lawful basis documentation, privacy notices, data subject rights procedures, and processor agreement reviews.
SOC 2 Type 2
Required or expected by enterprise customers of technology companies and managed service providers. SOC 2 Type 2 assesses controls over a 6–12 month observation period across five Trust Services Criteria: Security (mandatory), Availability, Processing Integrity, Confidentiality, and Privacy. We help with readiness assessments, control design, evidence collection systems, and audit preparation.
NIST Cybersecurity Framework 2.0
A widely adopted framework for security program structuring and risk communication. NIST CSF 2.0 (released February 2024) added a sixth function — Govern — covering organizational context, risk strategy, supply chain risk, and oversight. Useful as a baseline for organizations without a mandated compliance requirement that want a structured, recognized security program.
CIS Controls v8
18 control families covering the most important security actions, organized into three implementation groups by organizational size. CIS Controls v8 maps directly to NIST CSF, ISO 27001, and PCI DSS — useful as a bridging framework when multiple compliance obligations exist simultaneously.
How a compliance engagement works
Scoping and requirements mapping
Identify which frameworks actually apply to your organization. Many businesses over-scope (applying requirements that don't apply to them) or under-scope (missing obligations they do have). Getting scope right before anything else prevents wasted effort.
Gap analysis
Structured assessment of your current controls against each applicable requirement. We document what's in place, what's partially implemented, and what's missing — with evidence, not just self-assessment checklists.
Risk assessment
ISO 27001 and SOC 2 both require a formal risk assessment. We conduct or guide this process: asset identification, threat and vulnerability analysis, likelihood and impact scoring, and treatment decisions (accept, mitigate, transfer, avoid).
Policy and procedure development
We develop or review the policy library required by each framework: information security policy, acceptable use, access control, incident response, business continuity, and vendor management. Policies are written to be maintainable, not just audit-passable.
Remediation support
Prioritized roadmap for closing gaps, with implementation guidance. We help your team implement controls correctly — not just document that they should exist.
Audit and certification support
Evidence collection, auditor liaison, management review facilitation, and corrective action tracking. We stay engaged through the audit, not just the preparation.
What you receive
Gap analysis report
Control-by-control compliance status mapped against applicable frameworks. Each gap documented with evidence and remediation priority.
Risk register
Formal risk register with identified assets, threats, vulnerabilities, likelihood/impact scores, risk owners, and treatment decisions.
Policy library
Complete set of security policies and procedures tailored to your organization and the frameworks you're targeting.
Compliance roadmap
Phased plan with effort estimates, dependencies, and milestones aligned to your audit timeline.
Statement of Applicability
ISO 27001 SoA documenting which Annex A controls apply, which are excluded, and the justification for each. Required for certification.
Audit evidence package
Organized evidence portfolio ready for external auditors: policies, logs, test results, and management review records.
Who this is for
- Resorts and hospitality businesses processing card payments who need PCI DSS compliance
- Businesses with European guests or customers who have GDPR obligations they haven't addressed
- Organizations pursuing ISO 27001 certification to win enterprise clients or demonstrate security credentials
- Technology companies and MSPs whose enterprise customers require SOC 2 Type 2 reports
- Financial institutions navigating multiple overlapping regulatory requirements
- Any organization facing an upcoming audit with an unclear picture of where they actually stand
Not sure which frameworks apply to you?
Start with a free consultation. We'll map your obligations honestly and tell you what's actually required — before you commit to anything.