Blog

Practical guidance on ISO 27001, SOC 2, ISO 42001, GDPR and penetration testing for scaling software companies.

  • How Many Companies Are ISO 42001 Certified?

    Public announcements from certification bodies and newly certified companies suggest that only around 350 organisations worldwide held ISO 42001 certificates by spring 2026. The standard was published in December 2023, so the certified population is still small, growing fast, and heavily weighted towards technology companies. Being certified today still puts an organisation in the earliest…

  • ISO 27001 for Startups Without a Security Team

    A startup can certify to ISO 27001 without a dedicated security team. The standard is risk-based and scales to your size, so a 20-person company certifies a narrow scope, assigns existing people to the required roles, and runs a focused set of controls. A consultancy and a compliance platform cover the work headcount would otherwise…

  • How to Prepare for Your First SOC 2 Audit

    Preparing for your first SOC 2 audit means scoping the report, choosing which Trust Services Criteria apply, running a readiness assessment, then collecting evidence that your controls work in practice. SOC 2 is an AICPA attestation performed by a licensed CPA firm, not a certification. Most of the effort is preparation, not the audit. How…

  • AI Governance for CTOs: What to Build Before You’re Asked

    AI governance is the operating system you put around the AI you build or use: a record of where AI is deployed, an assessment of the risk and impact each system carries, a named human accountable for decisions, and monitoring that catches problems once a model is live. It turns ad-hoc AI use into something…

  • Penetration Testing for Startups: When, What and How Much

    A startup usually needs a penetration test once it handles customer data or is asked to prove its security in a sale or audit. A pen test simulates real attacks to find exploitable weaknesses in your applications, network and cloud, then rates each finding by severity so you know what to fix first. When does…

  • ISO 27001 vs SOC 2: Which One Does Your Startup Need?

    ISO 27001 and SOC 2 both prove to buyers that you handle data responsibly, but they are different instruments. ISO 27001 is an international certification awarded by an accredited body; SOC 2 is an attestation report written by a licensed CPA firm. Which you need is driven mainly by where your buyers are and what…

  • GDPR Compliance for Small Businesses: What Actually Applies

    GDPR applies to a small business the moment it processes the personal data of people in the EU, regardless of headcount or turnover. Size affects how much paperwork you keep and whether you need a data protection officer, not whether the law applies. Most small firms need a lawful basis, a privacy notice and basic…

  • ISO 27001:2022 Explained: Structure, Controls and Certification

    ISO/IEC 27001:2022 is the current version of the international standard for an information security management system (ISMS). Published in October 2022, it reorganised Annex A into 93 controls under four themes and added 11 new controls. The 2013 version is retired; 2022 is the version organisations now certify against. What ISO 27001:2022 is ISO/IEC 27001…

  • What is a SOC 2 Audit?

    A SOC 2 audit is an independent examination of how a service organisation manages customer data against the Trust Services Criteria. Carried out by a licensed CPA firm under AICPA standards, it results in an attestation report, not a certificate, that buyers use as evidence your security and privacy controls are designed and operating properly.…

  • SOC 2 Type 1 vs Type 2: Which Report Do You Need?

    A SOC 2 Type 1 report attests that your controls are suitably designed at a single point in time; a Type 2 report attests that those controls operated effectively over a period, commonly three to twelve months. Most buyers eventually want Type 2, but a Type 1 is a faster first step that proves your…