02 Compliance

Compliance built like infrastructure — not paperwork that ages.

We deliver complete certification programs for the frameworks your enterprise customers and regulators ask about — designed so the evidence holds up between audits, not just on audit week.

Frameworks: ISO 27001 · SOC 2 · PCI DSS · GDPR · NIS2
Timeline: 3–9 months
Engagement: Fixed-fee program
Lead auditors: CISA · ISO 27001 Lead Auditor
01 Overview

Frameworks engineered as systems, evidence produced once and reused.

The compliance market has trained organisations to expect a six-figure invoice for a binder. We do the opposite: build a single control framework, then map it once across ISO 27001, SOC 2, PCI, GDPR and NIS2. You write controls once and answer twelve customer questionnaires without rework.

Onidef leads each program with a CISA-certified senior auditor and an ISO 27001 Lead Auditor working in tandem with your engineering and security teams. We do not parachute in junior consultants on rotation.

The work is sequenced: a candid gap assessment first, then a control framework that fits your real operating model, then evidence collection automated where credible. Internal audit dry-runs precede every certifying-body visit so there are no surprises in the audit room.

After certification, we stay through surveillance audits and any incident reviews — the work does not end at the certificate. Your auditor relationship becomes a quiet, ongoing one rather than a six-week panic.

02 Program structure

Six phases, fixed scope, predictable milestones.

Your team always knows what is happening this week, next week, and on audit day. No surprises, no scope creep, no last-minute evidence requests.

  1. 01 · DISCOVER
    Gap assessment
    Three- to four-week structured review against the chosen framework. We deliver a redacted readiness report, a remediation backlog, and a credible date for certification.
  2. 02 · DESIGN
    Control framework design
    A single ISMS or trust-services framework engineered for your stack and team size — mapped once, presented across each framework you need. Light on policy, heavy on operational reality.
  3. 03 · IMPLEMENT
    Control implementation & tooling
    We pair with your engineers to ship the controls — access reviews, change management, vendor management, encryption posture, logging — automated where possible, with evidence pipelines that produce themselves.
  4. 04 · OPERATE
    Operating-period evidence
    For Type II / surveillance audits we run alongside your team through the operating period, sampling evidence weekly and intervening before drift becomes a finding.
  5. 05 · AUDIT
    Internal audit & certifying-body liaison
    We perform the internal audit, coordinate with the external auditor or certifying body, and project-manage the audit window so your team is not derailed for a quarter.
  6. 06 · MAINTAIN
    Surveillance & continuous improvement
    After certification, we hold the program. Quarterly reviews, surveillance audit support, control updates as your environment shifts. The certificate stays valid without becoming a tax on the rest of the year.
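The evidence pipeline the IMPLEMENT and OPERATE phases describe (and the "few well-written scripts" mentioned in the FAQ), shown as an added example rather than Onidef's own tooling: one weekly sample of an identity-provider export is evaluated against an access-control rule, wrapped in a content-hashed evidence record that carries the cross-framework mapping and the hash of the previous record, and diffed against last week's record so a new failure surfaces as drift before the auditor finds it. The control ID AC-02, the framework clause mapping, the dates and the user export are all constructed for illustration; verify the clause numbers against the framework editions you are certified to.

```python
"""Self-producing evidence for one access-control check.

Added example, not Onidef's code. Everything below (control ID, framework
mapping, sample dates, user export) is constructed for illustration.
"""
import hashlib
import json
from datetime import datetime, timedelta, timezone

CONTROL_ID = "AC-02"  # hypothetical internal control identifier
# Illustrative mapping of the single control onto several frameworks;
# check the clause numbers against the framework editions you use.
FRAMEWORK_MAP = {
    "ISO/IEC 27001:2022": ["A.5.15", "A.5.18", "A.8.5"],
    "SOC 2": ["CC6.1", "CC6.3"],
    "PCI DSS v4.0": ["8.4"],
}

NOW = datetime(2026, 5, 4, 9, 0, tzinfo=timezone.utc)  # constructed sample date
LAST_WEEK = NOW - timedelta(days=7)

# Constructed identity-provider export for this week; not real data.
THIS_WEEK_USERS = [
    {"user": "alice", "role": "admin", "active": True, "mfa_enabled": True,
     "last_login": "2026-05-01T09:00:00+00:00"},
    {"user": "bob", "role": "admin", "active": True, "mfa_enabled": False,
     "last_login": "2026-05-03T09:00:00+00:00"},
    {"user": "carol", "role": "engineer", "active": True, "mfa_enabled": True,
     "last_login": "2026-01-10T09:00:00+00:00"},
    {"user": "dave", "role": "engineer", "active": True, "mfa_enabled": True,
     "last_login": "2026-04-20T09:00:00+00:00"},
]
# Last week's export: identical except bob still had MFA enforced.
LAST_WEEK_USERS = [dict(u, mfa_enabled=True) if u["user"] == "bob" else u
                   for u in THIS_WEEK_USERS]


def evaluate_access_control(users, now, dormant_days=90):
    """Return one finding per rule violation; an empty list means the control held."""
    findings = []
    for u in users:
        if u["role"] == "admin" and not u["mfa_enabled"]:
            findings.append({"user": u["user"], "rule": "admin-without-mfa"})
        idle = (now - datetime.fromisoformat(u["last_login"])).days
        if u["active"] and idle > dormant_days:
            findings.append({"user": u["user"], "rule": "dormant-account",
                             "idle_days": idle})
    return findings


def content_hash(record):
    """SHA-256 over canonical JSON of the record minus its own hash.

    previous_sha256 is part of the hashed content, so successive weekly
    records form a chain: dropping or editing an earlier one breaks it.
    """
    payload = {k: v for k, v in record.items() if k != "sha256"}
    canonical = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def build_evidence(users, now, previous=None):
    """Wrap one sample and its evaluation in a hashed, chained evidence record."""
    findings = evaluate_access_control(users, now)
    record = {
        "control": CONTROL_ID,
        "maps_to": FRAMEWORK_MAP,
        "collected_at": now.isoformat(),
        "population": len(users),
        "sample": users,
        "findings": findings,
        "status": "pass" if not findings else "fail",
        "previous_sha256": previous["sha256"] if previous else None,
    }
    record["sha256"] = content_hash(record)
    return record


def verify_evidence(record):
    """True if the stored hash still matches the record's content."""
    return record.get("sha256") == content_hash(record)


def detect_drift(previous, current):
    """Findings present in this week's record that were absent last week."""
    seen = {(f["user"], f["rule"]) for f in previous["findings"]}
    return [f for f in current["findings"] if (f["user"], f["rule"]) not in seen]


if __name__ == "__main__":
    week1 = build_evidence(LAST_WEEK_USERS, LAST_WEEK)
    week2 = build_evidence(THIS_WEEK_USERS, NOW, previous=week1)
    print(json.dumps(week2, indent=2))
    print("drift since last sample:", detect_drift(week1, week2))
```

In a real pipeline each record is committed to the versioned evidence library under its control ID and collection date, and the chain of previous_sha256 values lets an auditor confirm that no weekly sample was skipped or edited after the fact. The same record answers the ISO, SOC 2 and PCI questions because the mapping travels with the evidence rather than living in a separate spreadsheet.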
03 Deliverables

Artefacts that survive an auditor and serve sales the next day.

Every output is designed to be reused. The same evidence pack answers a SOC 2 auditor, a customer security questionnaire, and a procurement review.

  1. 01 · Gap assessment report
    Plain-English baseline. Control-by-control state, sized remediation backlog and a credible certification date.
  2. 02 · Control framework
    A single ISMS — policy, procedures, register of evidence — mapped across every framework you need. Maintained, not handed off.
  3. 03 · Evidence library
    A structured, versioned library of audit artefacts. Reusable across audits, customer reviews and internal investigations.
  4. 04 · Internal audit pack
    Pre-audit dry run with documented findings. The certifying-body visit is the second time you walk through the controls, not the first.
  5. 05 · External audit liaison
    We coordinate with the auditor, hold the timeline, and answer questions on your behalf so your engineers can ship.
  6. 06 · Customer trust pack
    A short, public document and a private long-form pack — the answers to 80% of inbound security questionnaires, written once.

04 Frequently asked

The questions every team asks before starting a program.

If yours is not here, write to us. We will answer it in writing within one business day.

How long does ISO 27001 or SOC 2 actually take?
For a Series-A to Series-C software company starting from no formal program: ISO 27001 certification takes 4–7 months; SOC 2 Type I can run in parallel; and the SOC 2 Type II report follows roughly 6 months after Type I, once an operating period has been observed. Larger or more regulated organisations take longer, and we will give you a calibrated date after the gap assessment.
Do you also act as the certifying body?
No, and we never will. We are the consulting partner that prepares your environment and runs internal audits. The external audit is performed by an independent party: an accredited certification body for ISO 27001, or a licensed CPA firm for SOC 2. We recommend two or three and have working relationships with them, but you choose. Separation of duties is the point.
How is this priced?
Fixed-fee per program, with three milestone payments tied to delivery: gap assessment, readiness, certification. We will quote after a short scoping call.
Can you do multiple frameworks at once?
Yes, and you should. Roughly 70% of controls overlap. We design the framework once and map to each — the marginal cost of an additional certification is small after the first.
What is your relationship with compliance automation platforms?
We are tool-agnostic. If you already use a compliance platform (Vanta, Drata, Sprinto, Secureframe), we work with it. If you do not, we will recommend one or build evidence pipelines directly in your existing stack — sometimes the cheapest option is a few well-written scripts.
What if our auditor finds something?
If a real finding emerges, we own the remediation plan, hold the timeline, and re-present it for closure. If a finding is wrong on the facts, we draft the formal response on your behalf. Either way, you are not negotiating with an auditor alone.

Make the certificate the side effect, not the goal.

A short call is enough for a credible plan. We will tell you which frameworks you actually need — and which ones you can safely defer.