Independent GRC Advisory

Governance, Risk
& Compliance
Consultant

I help SaaS, fintech, and healthtech startups build compliance into their foundation from day one, so it closes enterprise deals, raises investor confidence, and protects their users.

Stephanie Uzama, GRC Consultant
Areas of Practice

Structured governance work for organisations that operate at risk

Risk Assessments

Structured identification, scoring, and prioritisation of risk across your organisation. Every asset catalogued, every threat mapped, every risk scored using a likelihood × impact matrix aligned to ISO 27001 and NIST CSF.

Governance Framework Design

ISMS foundations built to scale with your company, survive client audits, and align with the regulatory frameworks that apply to your environment.

Vendor Risk Management

Third-party risk mapping, vendor scoring, DPA and contractual gap analysis, and a monitoring structure for your entire vendor landscape.

Compliance Readiness

Gap analysis and audit preparation for ISO 27001, SOC 2, HIPAA, and GDPR. You learn exactly where you stand before your auditor does.

Policy Development

Security and compliance policies tailored to how your organisation actually operates. Not adapted from templates. Written to be used.

Security Risk Reporting

Executive-level risk summaries that translate technical findings into decisions your leadership team can act on without a compliance background.

Proprietary Methodology

The SHIELD Framework

SHIELD is a 6-stage compliance implementation methodology built specifically for early-stage startups and growth companies. It takes a company from zero compliance awareness to a functioning, audit-ready GRC programme in a structured, proportionate way.

Scope. Hazard Identification. Infrastructure of Controls. Evidence. Launch. Debrief.

S: Scope and Situational Awareness

Before any compliance work begins, I define the boundaries: what data the company handles, what systems are in scope, what regulations apply, and what is driving the compliance need.

H: Hazard Identification

A structured risk assessment that identifies assets, threats, vulnerabilities, and existing controls. Every risk scored using a likelihood × impact matrix. Output is a prioritised risk register.

I: Infrastructure of Controls

I design and document the control environment, selecting only the controls that are proportionate to the company's size, risk profile, and compliance target.

E: Evidence and Audit Readiness

I build an evidence collection system that defines what evidence is needed, who owns it, and how it is collected. This separates document-ready from genuinely audit-ready.

L: Launch and Continuous Improvement

A lightweight monitoring and review cycle that keeps the compliance programme current as the company grows. Regular risk register reviews, policy updates, and performance metrics.

D: Debrief and Strategic Roadmap

Every engagement ends with a plain-language summary and a prioritised roadmap for the next 90 days. The founder or CTO leaves with a clear picture of their compliance position.

Featured Engagements

Governance and risk work across SaaS, fintech, and healthcare

Healthcare SaaS
AlphaTech Inc.
Full-Scope ISMS Implementation

End-to-end ISMS design for a US-based healthtech SaaS company processing PHI for 340,000 patients. 36 interconnected governance artifacts built across ISO 27001:2022, HIPAA/HITECH, GDPR, CCPA, and NIST CSF 2.0.

ISO 27001, HIPAA, GDPR
Fintech
LiStDan Finance
End-to-End GRC Risk Assessment

Full-cycle risk assessment for a digital payments platform processing transactions for 100,000 active users. Twelve deliverables across ISO 27001:2022, NIST CSF v1.1, and GDPR completed in 30 days.

ISO 27001, NIST CSF, GDPR
SaaS
CloudSync Operations
SOC 2 Type I Readiness Programme

SOC 2 readiness engagement for a B2B workflow platform stalled on three enterprise contracts. TSC mapping, gap analysis, policy development, and control documentation across Security, Availability, and Confidentiality.

SOC 2, Gap Analysis, Control Design

Compliance built right costs less than compliance built twice

If your company is preparing for an enterprise deal, an audit, or an investment round, the time to build your compliance foundation is before the pressure arrives.

About

Diagnose first.
Document everything.
Test before you treat.

GRC Philosophy

How I approach every engagement

Good GRC work is not just technically sound. It has to be understood by everyone it affects. A risk register that only a compliance officer can read has already failed half its job.

I approach every engagement by studying the organisation deeply before recommending anything, then translating complex risk and compliance findings into clear, actionable documents that real teams can use.

"Diagnose first. Document everything. Test before you treat."

That principle came from anatomy. It applies in every GRC engagement.

Background

Built from a different starting point

GRC was not a fallback. It was a deliberate choice. When I encountered it, I recognised immediately that it matched how my brain actually works: systems thinking, structured analysis, translating complexity into decisions people can act on.

I committed fully from day one, finished my training cohort as the best student, and have not stopped building since. Every project in my portfolio was built with deliberate depth, not generated to fill a page.

Stephanie Uzama
The anatomy advantage

My background is Human Anatomy. That training gave me a specific way of thinking: you do not prescribe before you diagnose, you document everything, and you never communicate findings in a language the patient cannot act on. I brought that exact mental model into GRC, and it changed the quality of my work.

Available Worldwide

I work fully remote with clients across the US, UK, Europe, and beyond. Time zones are not a barrier. If your organisation needs structured GRC work, location is not a reason to say no.

United States, United Kingdom, Canada, Nigeria, Europe, Anywhere
Industries

Where this work is most needed

SaaS

SaaS companies face SOC 2 pressure from enterprise customers and investor due diligence. I help them build the compliance foundation that closes deals, not just passes audits.

Fintech

Digital payment platforms and financial services carry significant regulatory and third-party risk. I build risk assessment frameworks and vendor monitoring structures proportionate to their actual exposure.

Healthtech

Health data carries obligations that most generic compliance approaches underestimate. My anatomy background gives me a real clinical lens on patient data, PHI handling, and the downstream risks.

See the work before you book the call

The portfolio documents full-scope engagements with real deliverables. Start there to understand what a working compliance programme looks like.

Services

GRC advisory built for companies that operate at real risk

Every engagement follows the SHIELD Framework, a 6-stage methodology designed for startups and growth companies. The goal is not a folder of documents. It is a working compliance programme.

01 · Risk Assessment and Risk Register (7 to 10 business days)

Structured identification, scoring, and prioritisation of organisational risk. Every asset catalogued, every threat mapped, every vulnerability assessed. Each risk scored using a likelihood × impact matrix aligned to ISO 27001 Clause 6 and NIST CSF.

Deliverables
  • Asset identification and scoping
  • Threat and vulnerability register
  • Risk Register (ISO 27001-aligned)
  • Risk Treatment Plan
  • Executive Risk Summary
Frameworks: ISO 27001, NIST CSF

02 · Vendor Risk Management (7 to 10 business days)

For organisations handling user data through external processors, vendors are one of the highest-risk areas in any GRC programme. This service maps your third-party landscape, scores each vendor by risk level, identifies DPA and contractual gaps, and builds a monitoring structure.

Deliverables
  • Vendor inventory and classification
  • Vendor risk scoring matrix
  • DPA and contractual gap analysis
  • Due diligence questionnaire
  • Vendor monitoring framework
Frameworks: ISO 27001, NIST CSF GV.SC, GDPR Art. 28

03 · Compliance Gap Analysis (7 to 10 business days)

A current-state assessment against your target compliance framework. Before spending on a formal audit or certification programme, you need to know exactly where your gaps are, how critical each one is, and what to fix first.

Deliverables
  • Scoping session and discovery call
  • Current-state assessment report
  • Gap Analysis with risk ratings
  • Prioritised compliance roadmap
Frameworks: SOC 2, ISO 27001, HIPAA, GDPR

04 · Governance Documentation (10 to 14 business days)

The governance backbone of your compliance programme. This service builds the full documentation suite that defines how information security is managed, governed, and evidenced. Every document is tailored to how your organisation actually operates.

Deliverables
  • ISMS scope and context document
  • Information security policy
  • Roles and responsibilities matrix
  • Statement of Applicability
Frameworks: ISO 27001:2022, SOC 2 TSC, NIST CSF

05 · Policy Development (10 to 14 business days)

Core security and compliance policies written for your organisation. Not adapted from templates. Each policy reflects how your team actually works, uses systems, handles data, and responds to incidents. Policies that read like legal boilerplate get filed and ignored. These get used.

Deliverables
  • Information Security Policy
  • Access Control Policy
  • Incident Response Policy
  • Business Continuity Policy
  • + 4 more policies
Frameworks: ISO 27001, SOC 2, HIPAA, GDPR

06 · SOC 2 Readiness Programme (Flagship, 4 to 6 weeks)

The flagship engagement. SaaS companies preparing for their first SOC 2 Type I audit need more than a gap analysis. They need the full compliance infrastructure in place before the auditor arrives. This programme takes a company from zero to audit-ready across the Trust Services Criteria that matter for their business.

Deliverables
  • TSC scoping and criteria mapping
  • Gap analysis against SOC 2
  • Full policy suite development
  • Control design and documentation
  • Evidence collection guide
  • Weekly check-in calls
Frameworks: SOC 2 TSC, AICPA Trust Services

Not sure which service fits?

Book a 30-minute call. I will ask the right questions, tell you what your actual gaps are, and recommend the engagement that makes sense for where your company is right now.

Featured Engagements

Governance work you can read in full

Each case study is documented in full, with deliverables, methodology, findings, and reasoning. Not summaries. The actual work.

Healthcare SaaS
AlphaTech Inc.

Full-Scope ISMS Implementation

AlphaTech Inc. is a US-based healthtech SaaS company processing PHI for 340,000 patients across 12 states, with AWS cloud infrastructure and active data exposure in the UK and Canada. The engagement required building an ISMS from the ground up, covering ISO 27001:2022 governance design, HIPAA/HITECH compliance, GDPR and CCPA privacy documentation, and a 9-component modular incident response programme.

The Gap

No formal information security structure. Patient-adjacent data handled without documented controls, no risk assessment process, and no business continuity plan. The organisation would have failed any enterprise security questionnaire at the start of the engagement.

Approach

Every artifact was built as part of a coherent, cross-referenced compliance system rather than a collection of isolated documents. Every control maps to a clause. Every decision has documented reasoning.

  • 36 ISMS artifacts
  • 36 risks assessed
  • 15 HIGH risks
  • 6 policies in scope
  • 4 PHI processors
  • 340k patients in scope

Frameworks: ISO 27001:2022, HIPAA/HITECH, GDPR, CCPA, NIST CSF 2.0
Fintech
LiStDan Finance

End-to-End GRC Risk Assessment

LiStDan Finance is a California-based digital payments platform processing real-time transactions for 100,000 active users on Azure-hosted infrastructure, with eight third-party vendor relationships in scope. The full-cycle risk assessment covered the complete data processing landscape and third-party ecosystem across three major frameworks in a 30-day engagement.

The Gap

Zero controls fully compliant at assessment date across 36 total findings. The vendor landscape was undocumented, DPA gaps were widespread, and no formal risk management process existed in any assessed domain.

Approach

The SHIELD Framework was applied across all six stages, from scoping through to the strategic debrief. The assessment was methodical: scope first, then hazard identification, then control infrastructure mapping, then evidence review.

  • 36 total findings
  • 12 deliverables
  • 8 vendors assessed
  • 30 days duration
  • 3 frameworks
  • 100k users in scope

Frameworks: ISO 27001:2022, NIST CSF v1.1, GDPR, Vendor Risk, SHIELD Framework
SaaS
CloudSync Operations

SOC 2 Type I Readiness Programme

CloudSync Operations is a B2B workflow automation platform with 85 employees on AWS. Three enterprise procurement processes were stalled, each requiring SOC 2 Type I before the contract could progress. The engagement was scoped for Security, Availability, and Confidentiality Trust Services Categories.

The Gap

No SOC 2 programme existed. The security team had implemented technical controls informally but nothing was documented, evidenced, or mapped to the Trust Services Criteria. One deal had already been lost.

Approach

TSC scoping and criteria mapping came first, followed by gap analysis across all 33 Common Criteria. Policy development, control design, and evidence framework were built in parallel to compress the timeline without cutting corners on quality.

  • 3 TSC categories
  • 33 criteria assessed
  • 8 policies developed
  • 47 controls documented
  • 12 evidence owners
  • 5 weeks duration

Frameworks: SOC 2 Type I, Gap Analysis, Policy Development, Control Design

Ready to build this for your organisation?

Book a call and we can talk through your current compliance position, what you actually need, and how to structure the engagement.

Contact

Start with a conversation

If you have a compliance question, a specific project in mind, or you just want to understand what your gaps are, reach out. No proposals until we have talked.

Get in touch directly

  • Email: stephanie@stephanieuzama.com (for project enquiries and service questions)
  • LinkedIn: linkedin.com/in/stephanie-uzama-40619a273 (connect and follow for GRC content)
  • Schedule a call: calendly.com/uzama-stephanie/30min (book a 30-minute discovery call)

Available for consulting engagements and remote analyst roles.

Open to project-based work, retainers, and full-time remote positions

Send an enquiry

Tell me about your organisation and what you need. I will respond within 24 to 48 hours.

Prefer to schedule directly? Book a 30-minute call