Regulatory compliance consulting helps organisations navigate the gap between "we should be compliant with X" and "we have an auditor-accepted certificate and a security programme that reflects it." The consulting engagement covers framework selection, gap assessment, policy and control design, evidence collection, audit preparation and remediation. Most first-time compliance programmes fail not from lack of effort but from wrong framework choice, underestimated scope, or evidence gaps discovered during the audit. This post maps the process from start to certification.
// 01 The 2026 regulatory compliance landscape
The number of security and privacy regulations with teeth has doubled in the last five years. Organisations that operate internationally, handle health data, process payments, serve government agencies, or sell to enterprise buyers typically face multiple simultaneous compliance requirements. Understanding which apply - and how they overlap - is the first step a compliance consultant provides.
For US SaaS and cloud services
American Institute of CPAs (AICPA) framework. Type I is a point-in-time design assessment; Type II covers a 6-12 month observation period. Required by most enterprise buyers as a vendor prerequisite. The Trust Services Criteria (Security, Availability, Confidentiality, Processing Integrity, Privacy) are mapped to your specific controls.
For international and enterprise markets
ISO/IEC 27001:2022 is the internationally recognised ISMS standard. Required by EU enterprise buyers, government contracts in many countries, and organisations that need a globally recognised attestation. Annex A defines 93 controls; the 2022 revision added cloud security and threat intelligence controls. Certification is issued by an accredited certification body.
For payment processing
Required for any organisation that stores, processes, or transmits cardholder data. PCI DSS v4.0 (March 2024 effective date) introduced customised implementation options and tightened several technical requirements including Req 11.4.5 segmentation testing and Req 6.4.3 for scripts on payment pages.
For US healthcare data
The HIPAA Security Rule applies to covered entities and their business associates handling electronic protected health information (ePHI). No certification body - compliance is assessed through internal programme documentation and, in the event of a breach, HHS OCR investigation. A risk analysis is the cornerstone required control.
For EU and UK personal data
Applies to any organisation processing personal data of EU or UK residents, regardless of where the organisation is located. Article 32 requires "appropriate technical and organisational measures" - interpreted as requiring encryption, access controls, and regular security testing. Fines up to €20M / 4% global revenue.
For US defence contractors
Cybersecurity Maturity Model Certification for DoD contractors handling CUI (Controlled Unclassified Information). Level 2 requires third-party C3PAO assessment against NIST SP 800-171. Level 3 requires DCSA government assessment against NIST SP 800-172. Mandatory for new DoD contract awards.
// 02 What regulatory compliance consulting actually delivers
A compliance consulting engagement is not a documentation writing service - or rather, it shouldn't be. A consultant that only writes policies without assessing your actual environment will produce documents that don't match your controls and evidence gaps that surface during the audit. The engagement phases that matter:
Framework selection and scoping
Identify which frameworks apply based on your customers, geography, data types, and industry. Map overlapping controls to avoid redundant work. Scope the CDE (for PCI), the ISMS boundary (for ISO 27001), or the system boundary (for SOC 2) - wrong scoping at this phase is the most expensive mistake.
Current-state gap assessment
Map your existing controls against each framework requirement. Identify gaps, partial implementations, and controls documented on paper but not enforced in practice. The gap assessment output drives the remediation plan and the timeline to readiness.
Control design and implementation
Design controls that satisfy framework requirements and fit your technical environment. Policies need to describe what you actually do - not what a generic template says. Controls need to be implemented in your specific infrastructure - not copy-pasted from a competitor's approach.
Evidence collection workflow
Establish how evidence is collected, stored, and presented to auditors. For SOC 2 this means a 12-month evidence calendar. For ISO 27001 this means documented ISMS records. Poor evidence collection is the top reason Type II audits are delayed - evidence gaps discovered in week 10 of a 12-week observation period can push the certification date by months.
Penetration test coordination
Most frameworks require annual penetration testing. A compliance consultant without pen testing capability must coordinate with a pen tester - and the pen test findings must feed back into the compliance programme as control gaps. Consultants who treat the pen test as a checkbox and ignore the findings are setting you up for a qualified audit opinion.
Audit preparation and support
Pre-audit readiness review, auditor liaison, evidence room preparation, and on-call support during fieldwork. The difference between a clean audit opinion and a qualified one is often how well prepared the evidence room is - not how good the underlying controls are.
// 03 The five mistakes that derail first-time compliance programmes
Wrong framework chosen for the primary customer requirement
Pursuing ISO 27001 when your customers require SOC 2 Type II - or vice versa. The frameworks cover similar ground but produce different audit artefacts. An ISO 27001 certificate does not satisfy a SOC 2 questionnaire. Confirm what your enterprise buyers actually require before committing to a framework.
Scope that's too broad or too narrow
SOC 2 scope that includes every system in the organisation produces an unmanageable evidence burden. Scope that excludes the payment processing service from PCI scope produces an audit failure. Scope definition is the most consequential decision in the engagement - get it wrong and you either can't pass or you've certified something meaningless.
Policies that don't match actual practice
A password policy that mandates 16-character passwords while engineers are still using 8-character passwords will fail the audit when the auditor samples user accounts. Policies must describe what you actually do - or you must change practice to match the policy before the audit window opens.
Pen test findings not closed before audit submission
Auditors for SOC 2 CC7.1 and PCI DSS Req 11.4 review not just whether a pen test was performed but whether findings were remediated. Submitting a pen test report with open Critical and High findings - even if the test was performed within the required window - typically results in a qualified opinion or exception.
No evidence for the first half of the observation period
For SOC 2 Type II, the observation period starts when controls are first implemented. Organisations that implement controls in month 3 of a 12-month window then present 9 months of evidence - not 12. Auditors note the gap. Start the observation period only when your controls are fully operational and evidence collection has begun.
// 04 Right-sizing the engagement for your maturity level
| Situation | Right engagement | Timeline | What to expect |
|---|---|---|---|
| First-time SOC 2, no existing programme | Full readiness + Type I + Type II | 14-18 months | Policy library, control implementation, Type I (design), 12-month Type II observation |
| ISO 27001 for EU market entry | ISMS design + Stage 1 + Stage 2 audit | 9-12 months | Gap assessment, ISMS documentation, internal audit, certification body Stage 1 and 2 |
| PCI DSS for payment launch | SAQ vs ROC determination, gap assessment, remediation | 3-9 months | Scope determination, SAQ completion or QSA engagement, pen test, remediation |
| HIPAA programme for health data | Risk analysis, policy library, BAA review | 3-6 months | Required risk analysis, policy implementation, BAA template, workforce training |
| Multi-framework (SOC 2 + ISO 27001) | Unified control framework + parallel audit | 12-18 months | Controls mapped to both frameworks simultaneously, single evidence collection workflow |