GRC & compliance with defensible audit-ready evidence
We implement and operate frameworks such as DORA, NIS2, ENS and ISO 27001 with a practical approach: governance, risk, operational controls, policies and procedures, and evidence designed for audit. We align the work with committees, resilience/continuity, and the supply chain (critical third parties).
Execution quality
“Security that runs”: operations + governance + auditability. We don’t stop at diagnosis: we close gaps, verify, and produce defensible evidence.
Coverage
8x5 · 16x5 · 24/7
By criticality & SLA
Evidence
Audit-ready
Control → record → review
Execution
Remediation
+ re-validation
Regulatory impact evaluator (indicative)
Indicative (not legal advice). Designed to avoid “claiming applicability” and instead estimate likely frameworks by jurisdiction, sector, size and role (regulated / provider).
Important: actual applicability depends on legal definitions, activities, thresholds (e.g., NIS2), jurisdictions and contracts. Use it to prioritize the next step and prepare evidence.
Result
We show indicative likelihood by framework + the most useful next step to produce evidence.
Impact level (operations / audit)
Approach
Does not claim applicability
Most likely frameworks (indicative)
Recommended next step
Typical deliverables (audit-ready)
- Requirement → control → evidence map (traceability).
- Controls catalog / SoA with owners and review cadences.
- Risk-based roadmap (quick wins + milestones).
Review it in 30–45 min?
We’ll return a minimal scope, quick wins, and a short plan to build defensible evidence.
Response within 24h · no spam
FAQ (GRC & Compliance)
Is this for real audits or just documentation?
It’s audit-oriented: each control maps to evidence (record), review cadence, an owner, and traceability (requirement → control → evidence).
What if we are an ICT provider or a critical third party?
We cover supply-chain impact: provider classification, SLAs/controls, evidence, reporting and contractual obligations—especially relevant under DORA/NIS2 depending on your role and customer type.
What do we need to start?
A 30–45 min scoping session: jurisdictions, critical services, third parties, key customers and existing documentation. From there we define quick wins and a roadmap.
What GRC & Compliance covers in practice
- DORA consulting: governance, ICT risk, operational resilience, reporting and ICTL.
- NIS2 readiness: classification (essential/important), measures and compliance plan.
- ENS (Spain): implementation, categorization, statement of applicability and audit.
- ISO 27001: ISMS, SoA, risk assessment, policies, procedures and internal audit.
- Third-party management: critical supplier assessment, evidence, SLAs and traceability.
- Audit evidence: repository, ownership, review cadences, KPIs and tracking.
If your challenge is “comply and prove it”, we work with evidence and traceability: control → procedure → record → review → committee/audit.
What’s included in this service area
- Gap assessment and adaptation plan
- Policies, procedures and evidence
- ICT and third-party risk management
- Support for audits and the security committee
How we work (from assessment to evidence)
- Step 1: Gap & scope. Initial assessment against the target framework (DORA/NIS2/ENS/ISO) and the actual scope.
- Step 2: Roadmap & quick wins. Adaptation plan prioritized by risk, effort and dependencies.
- Step 3: Implementation & evidence. Policies, procedures, controls and audit-ready evidence.
- Step 4: Governance & follow-up. KPIs, committees, reviews, third parties and continuous improvement of the management system.
Services in this area
Compliance & GRC
DORA
ICT governance and resilience: third parties, testing, reporting and controls for DORA.
Compliance & GRC
ENS
ENS implementation and adaptation: gap analysis, measures and support through to audit.
Compliance & GRC
ISO 27001
Design and implementation of an ISMS, SoA, risk management and preparation for ISO 27001 certification.
Compliance & GRC
NIS2
Assessment, adaptation plan and practical evidence to comply with NIS2 without operational friction.
Is this service area a fit for your case?
We’ll run a short assessment to define scope, priorities, and a realistic roadmap.