Audit-ready in 12 weeks.

GRC built on the Aeges risk engine. ISO 27001 readiness without the platform tax — a working ISMS embedded into your Microsoft 365 tenant, not a binder on a shelf.

Process

  1. Week 0 — Discovery & scope. A senior engineer maps your tenant, your contractual obligations, and your risk appetite. What comes out the other side: a fixed scope, a fixed price, and a named lead.
  2. Weeks 1–3 — Posture & gap analysis. Aeges runs read-only against your tenant. We produce a control-by-control gap map — what is in place, what is partial, what is missing.
  3. Weeks 4–9 — Implementation. Senior engineers configure each Annex A control inside your environment. Identity, data, endpoints, logging, supplier — every domain handled by name, not by checklist.
  4. Weeks 10–11 — Internal audit. A pre-certification internal audit walks every control end-to-end. Residual findings are closed before your audit body sees the tenant.
  5. Week 12 — Audit handover. Evidence pack delivered, ISMS document control transferred, certification audit scheduled. We sit in for stage-1 and stage-2 if you want us there.
  6. Ongoing — Surveillance support. Optional retainer for surveillance audits, control drift monitoring, and quarterly Aeges re-runs.

Outcomes