
Advisory

Identity & Access Management

What we do.

Our IAM services cover the entire lifecycle, from strategy and design to implementation oversight and assurance. We blend technical understanding with governance design, ensuring your IAM environment is proportionate, documented, and verifiably effective. 

Edouard van den Heuvel - MSc MBA RE

IAM Strategy & Governance

We help to structure access in a maintainable and auditable way: 

  • Defining role-based and, where relevant, attribute-based access models
  • Mapping business processes to entitlements and critical applications
  • Establishing role owners and approval workflows

We ensure that access aligns with job function, not convenience - reducing both operational effort and audit findings.

Role & Rights Architecture

We help you design or enhance supplier-assessment processes that balance depth with efficiency. 

Typical steps include: 

  • Pre-contract due diligence on financial stability, information security, and regulatory compliance
  • Standardised assessment templates based on ISO/IEC 27001 Annex A, NIST CSF, and DORA criteria
  • Risk scoring and tiering to ensure proportionality
  • Approval workflows that integrate business, risk, and legal perspectives
  • Where necessary, we perform independent third-party reviews or assist in validating supplier controls through ISAE 3402, SOC 2, or ISO certifications

Joiner-Mover-Leaver (JML) lifecycle

Failures in the JML process are among the most common root causes of audit findings.

We design and test end-to-end processes that guarantee timely, complete, and evidence-based provisioning: 

  • Integration between HR systems, directory services (e.g., Azure AD, Entra ID), and IAM tooling
  • Clear validation steps with four-eyes approval for high-risk access
  • Defined monitoring intervals for external and temporary users 

Where automation isn't feasible, we ensure manual controls remain traceable and testable - a hallmark of credible assurance.

Privileged Access Management (PAM)

Privileged accounts represent the highest-impact risk. 

We help clients define PAM frameworks that meet the spirit of standards such as NIST 800-53 and ISO 27001 Annex A 5.15: 

  • Temporary, time-boxed elevation of rights
  • Dual approval workflows
  • Centralised logging, recording, and review of privileged sessions

We also benchmark your PAM setup against peers and regulatory expectations, balancing control with operational practicality.

Monitoring, Logging & Analytics

Visibility is key. 

We help design or review identity-centric monitoring using SIEM integrations and periodic access-review dashboards. 

Typical deliverables include: 

  • Automated reconciliation between actual and authorised accounts
  • Exception handling procedures and escalation rules
  • Dashboards for compliance, IT, and risk teams, ensuring everyone shares one source of truth
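The reconciliation and JML checks described above (actual versus authorised accounts, leavers whose accounts remain enabled, entitlements beyond the assigned role, dormant accounts) can be expressed as a small, repeatable control. The following is an added example written for this page, not Risk Boutique's tooling or any client implementation; the HR roster, role model and directory export are constructed sample data, and the field names and the 90-day dormancy threshold are assumptions.

```python
"""Reconcile a directory export against an HR roster and a role model.

Added example: a minimal, offline version of the "actual vs. authorised
accounts" reconciliation. Every input below is constructed for illustration;
field names and the dormancy threshold are assumptions, not a product format.
"""
from dataclasses import dataclass
from datetime import date

# HR roster: the authoritative source for who should have access (JML input).
HR_ROSTER = {
    "E001": {"status": "active", "role": "finance_analyst"},
    "E002": {"status": "left", "role": "developer"},
    "E003": {"status": "active", "role": "developer"},
}

# Role model: entitlements each role is authorised to hold.
ROLE_MODEL = {
    "finance_analyst": {"erp_read", "erp_post_journal"},
    "developer": {"git_push", "ci_run"},
}

# Directory export: what accounts actually exist and what they hold.
DIRECTORY = [
    {"account": "ajansen", "employee_id": "E001", "enabled": True,
     "last_login": "2024-06-10", "entitlements": {"erp_read", "erp_post_journal"}},
    {"account": "bdevries", "employee_id": "E002", "enabled": True,
     "last_login": "2024-06-02", "entitlements": {"git_push", "ci_run"}},
    {"account": "cbakker", "employee_id": "E003", "enabled": True,
     "last_login": "2024-06-11", "entitlements": {"git_push", "ci_run", "erp_post_journal"}},
    # Service account with no HR owner and no recent login.
    {"account": "svc_backup", "employee_id": None, "enabled": True,
     "last_login": "2024-01-03", "entitlements": {"backup_admin"}},
]


@dataclass(frozen=True)
class Finding:
    account: str
    kind: str    # orphan | leaver_active | excess_entitlement | dormant
    detail: str


def reconcile(directory, roster, role_model, as_of: str, dormant_days: int = 90):
    """Return one Finding per exception; an empty list means actual == authorised."""
    today = date.fromisoformat(as_of)
    findings = []
    for acct in directory:
        name = acct["account"]
        emp = roster.get(acct["employee_id"]) if acct["employee_id"] else None
        if emp is None:
            # Account exists in the directory but has no owner in HR.
            findings.append(Finding(name, "orphan", "no HR record for this account"))
        else:
            if emp["status"] != "active" and acct["enabled"]:
                # Leaver process did not disable the account.
                findings.append(Finding(name, "leaver_active",
                                        f"HR status '{emp['status']}', account still enabled"))
            # Entitlements held beyond what the assigned role authorises.
            excess = acct["entitlements"] - role_model.get(emp["role"], set())
            for ent in sorted(excess):
                findings.append(Finding(name, "excess_entitlement",
                                        f"'{ent}' not authorised for role {emp['role']}"))
        if acct["enabled"] and acct["last_login"]:
            idle = (today - date.fromisoformat(acct["last_login"])).days
            if idle > dormant_days:
                findings.append(Finding(name, "dormant", f"no login for {idle} days"))
    return findings


def summarise(findings):
    """Count findings per kind, the figure a review dashboard would show."""
    counts = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


def run_sample():
    """Run the reconciliation over the constructed data as of 2024-06-15."""
    return reconcile(DIRECTORY, HR_ROSTER, ROLE_MODEL, as_of="2024-06-15")


if __name__ == "__main__":
    result = run_sample()
    for f in result:
        print(f"{f.kind:<19} {f.account:<12} {f.detail}")
    print(summarise(result))
```

Each finding carries the evidence needed for the exception-handling step (which account, which rule, why), so the same output can feed an escalation workflow and serve as the traceable record an auditor will later sample.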

Testing & Readiness Assurance

We perform design and operating-effectiveness reviews of IAM controls - aligned with DORA Article 9, ISAE 3402, or internal auditing requirements. 

Our testing focuses on evidence quality, traceability, and frequency. 

We also help define sampling strategies and documentation templates so that future audits can be performed consistently and efficiently. 


Identity & Access Management as a Service (IAMaaS)

Through our Identity & Access Management as a Service (IAMaaS) offering, clients can temporarily extend their IAM capability. 

Our network of over 80 risk and IT-security professionals includes IAM analysts, architects, and assurance specialists, enabling us to fill roles from access-review coordinator to IAM programme lead. 

Assignments can be interim or ongoing, supporting your second-line or IT-risk functions while embedding best practices. 

All of our experts adhere to the Risk Boutique standard: analytical precision, integrity, and a pragmatic mindset that favours results over rhetoric.

What you gain.

Audit-ready IAM. Controls demonstrably aligned with ISO 27001, DORA, and NIST expectations.

Efficiency through automation. Reduced manual workload and faster onboarding/offboarding cycles.

Governance clarity. Documented ownership, approval paths, and evidence trails for every access right.

Regulatory confidence. Proportionate, risk-based IAM aligned with DNB Good Practices and market standards.

Resilience and trust. Fewer incidents, faster detection, and demonstrable compliance when it matters.