Blog · C.09 · Compliance Guide

How regulatory compliance consulting services can help your organisation

SOC 2, ISO 27001, PCI DSS, HIPAA, GDPR, FTC Safeguards, CMMC - the regulatory landscape compounds every year. What compliance consulting actually delivers, the mistakes that derail first-time audits, and how to right-size the engagement for where your programme is today.

SOC 2ISO 27001HIPAAPCI DSSGDPRCMMC
Frameworks: SOC 2 Type I & II · ISO/IEC 27001:2022 · PCI DSS v4.0 · HIPAA Security Rule · GDPR Article 32 · NIST CSF 2.0 · FTC Safeguards Rule · CMMC 2.0 · DORA · NIS2 Directive · HITRUST · CCPA Frameworks: SOC 2 Type I & II · ISO/IEC 27001:2022 · PCI DSS v4.0 · HIPAA Security Rule · GDPR Article 32 · NIST CSF 2.0 · FTC Safeguards Rule · CMMC 2.0 · DORA · NIS2 Directive · HITRUST · CCPA
// TL;DR

Regulatory compliance consulting helps organisations navigate the gap between "we should be compliant with X" and "we have an auditor-accepted certificate and a security programme that reflects it." The consulting engagement covers framework selection, gap assessment, policy and control design, evidence collection, audit preparation and remediation. Most first-time compliance programmes fail not from lack of effort but from wrong framework choice, underestimated scope, or evidence gaps discovered during the audit. This post maps the process from start to certification.

// 01 The 2026 regulatory compliance landscape

The number of security and privacy regulations with teeth has doubled in the last five years. Organisations that operate internationally, handle health data, process payments, serve government agencies, or sell to enterprise buyers typically face multiple simultaneous compliance requirements. Understanding which apply - and how they overlap - is the first step a compliance consultant provides.

SOC 2

For US SaaS and cloud services

American Institute of CPAs (AICPA) framework. Type I is a point-in-time design assessment; Type II covers a 6-12 month observation period. Required by most enterprise buyers as a vendor prerequisite. The Trust Services Criteria (Security, Availability, Confidentiality, Processing Integrity, Privacy) are mapped to your specific controls.

ISO 27001

For international and enterprise markets

ISO/IEC 27001:2022 is the internationally recognised ISMS standard. Required by EU enterprise buyers, government contracts in many countries, and organisations that need a globally recognised attestation. Annex A defines 93 controls; the 2022 revision added cloud security and threat intelligence controls. Certification is issued by an accredited certification body.

PCI DSS v4.0

For payment processing

Required for any organisation that stores, processes, or transmits cardholder data. PCI DSS v4.0 (March 2024 effective date) introduced customised implementation options and tightened several technical requirements including Req 11.4.5 segmentation testing and Req 6.4.3 for scripts on payment pages.

HIPAA

For US healthcare data

The HIPAA Security Rule applies to covered entities and their business associates handling electronic protected health information (ePHI). No certification body - compliance is assessed through internal programme documentation and, in the event of a breach, HHS OCR investigation. A risk analysis is the cornerstone required control.

GDPR / UK GDPR

For EU and UK personal data

Applies to any organisation processing personal data of EU or UK residents, regardless of where the organisation is located. Article 32 requires "appropriate technical and organisational measures" - interpreted as requiring encryption, access controls, and regular security testing. Fines up to €20M / 4% global revenue.

CMMC 2.0

For US defence contractors

Cybersecurity Maturity Model Certification for DoD contractors handling CUI (Controlled Unclassified Information). Level 2 requires third-party C3PAO assessment against NIST SP 800-171. Level 3 requires DCSA government assessment against NIST SP 800-172. Mandatory for new DoD contract awards.

// 02 What regulatory compliance consulting actually delivers

A compliance consulting engagement is not a documentation writing service - or rather, it shouldn't be. A consultant that only writes policies without assessing your actual environment will produce documents that don't match your controls and evidence gaps that surface during the audit. The engagement phases that matter:

Phase 01

Framework selection and scoping

Identify which frameworks apply based on your customers, geography, data types, and industry. Map overlapping controls to avoid redundant work. Scope the CDE (for PCI), the ISMS boundary (for ISO 27001), or the system boundary (for SOC 2) - wrong scoping at this phase is the most expensive mistake.

Phase 02

Current-state gap assessment

Map your existing controls against each framework requirement. Identify gaps, partial implementations, and controls documented on paper but not enforced in practice. The gap assessment output drives the remediation plan and the timeline to readiness.

Phase 03

Control design and implementation

Design controls that satisfy framework requirements and fit your technical environment. Policies need to describe what you actually do - not what a generic template says. Controls need to be implemented in your specific infrastructure - not copy-pasted from a competitor's approach.

Phase 04

Evidence collection workflow

Establish how evidence is collected, stored, and presented to auditors. For SOC 2 this means a 12-month evidence calendar. For ISO 27001 this means documented ISMS records. Poor evidence collection is the top reason Type II audits are delayed - evidence gaps discovered in week 10 of a 12-week observation period can push the certification date by months.

Phase 05

Penetration test coordination

Most frameworks require annual penetration testing. A compliance consultant without pen testing capability must coordinate with a pen tester - and the pen test findings must feed back into the compliance programme as control gaps. Consultants who treat the pen test as a checkbox and ignore the findings are setting you up for a qualified audit opinion.

Phase 06

Audit preparation and support

Pre-audit readiness review, auditor liaison, evidence room preparation, and on-call support during fieldwork. The difference between a clean audit opinion and a qualified one is often how well prepared the evidence room is - not how good the underlying controls are.

// 03 The five mistakes that derail first-time compliance programmes

Costly

Wrong framework chosen for the primary customer requirement

Pursuing ISO 27001 when your customers require SOC 2 Type II - or vice versa. The frameworks cover similar ground but produce different audit artefacts. An ISO 27001 certificate does not satisfy a SOC 2 questionnaire. Confirm what your enterprise buyers actually require before committing to a framework.

Costly

Scope that's too broad or too narrow

SOC 2 scope that includes every system in the organisation produces an unmanageable evidence burden. Scope that excludes the payment processing service from PCI scope produces an audit failure. Scope definition is the most consequential decision in the engagement - get it wrong and you either can't pass or you've certified something meaningless.

Avoidable

Policies that don't match actual practice

A password policy that mandates 16-character passwords while engineers are still using 8-character passwords will fail the audit when the auditor samples user accounts. Policies must describe what you actually do - or you must change practice to match the policy before the audit window opens.

Avoidable

Pen test findings not closed before audit submission

Auditors for SOC 2 CC7.1 and PCI DSS Req 11.4 review not just whether a pen test was performed but whether findings were remediated. Submitting a pen test report with open Critical and High findings - even if the test was performed within the required window - typically results in a qualified opinion or exception.

Avoidable

No evidence for the first half of the observation period

For SOC 2 Type II, the observation period starts when controls are first implemented. Organisations that implement controls in month 3 of a 12-month window then present 9 months of evidence - not 12. Auditors note the gap. Start the observation period only when your controls are fully operational and evidence collection has begun.

// 04 Right-sizing the engagement for your maturity level

SituationRight engagementTimelineWhat to expect
First-time SOC 2, no existing programmeFull readiness + Type I + Type II14-18 monthsPolicy library, control implementation, Type I (design), 12-month Type II observation
ISO 27001 for EU market entryISMS design + Stage 1 + Stage 2 audit9-12 monthsGap assessment, ISMS documentation, internal audit, certification body Stage 1 and 2
PCI DSS for payment launchSAQ vs ROC determination, gap assessment, remediation3-9 monthsScope determination, SAQ completion or QSA engagement, pen test, remediation
HIPAA programme for health dataRisk analysis, policy library, BAA review3-6 monthsRequired risk analysis, policy implementation, BAA template, workforce training
Multi-framework (SOC 2 + ISO 27001)Unified control framework + parallel audit12-18 monthsControls mapped to both frameworks simultaneously, single evidence collection workflow
CY

CyberFortify Research

Compliance Consulting Practice

CyberFortify's compliance consulting practice supports SOC 2, ISO 27001, PCI DSS, HIPAA and GDPR programmes - paired with the penetration testing required by each framework to produce genuinely audit-ready deliverables.

Ready to start your compliance programme?

CyberFortify's compliance consulting service covers framework selection, gap assessment, control implementation, pen testing, and audit preparation as a single integrated engagement - no coordination overhead between separate vendors.

Schedule a consultation → Compliance consulting →