AlvorAdvisory

02The keystoneKeystone

Decide what good looks like before a single control is built.

The highest-leverage decision in the engagement. We design one control set for your organisation and map it across every framework you answer to, so a single control evidences ISO 27001, SOC 2, and NIST CSF at once. Get the design right and everything downstream is faster to build, cheaper to evidence, and easier to defend.

Book a consultation See the full lifecycle

Zero Trust · NIST SP 800-207One control set, every frameworkISO 27001 · SOC 2 · NIST CSF

The engagements

Six ways to design the target state.

Each is a design engagement in its own right. Take the full architecture, or commission a single focused design.

Alvor Advisory · ArchitectAR-01

Target-State Security Architecture

Decide what good looks like before a single control is built.

You walk away with

Target-state architectureSecure by Design patternsReference diagrams

Program-wideScopedTypically 4–8 weeks

Scope of workp. 2

Includes

Reference design across cloud, identity, and Zero Trust (NIST SP 800-207)
The target state defined in reusable, proven patterns
Secure by Design patterns your engineers can build against
The design mapped to every framework you answer to

Best for organisations building or rebuilding the program deliberately.

Scope this engagement

Alvor Advisory · ArchitectAR-02

Unified Control Framework

Design the control set once and evidence every standard at once.

You walk away with

Unified control setCross-framework mappingControl specifications

Program-wideScopedTypically 3–6 weeks

Scope of workp. 2

Includes

A single control set designed for your organisation, anchored on the NIST SP 800-53 control catalogue
Cross-framework mapping across ISO 27001, SOC 2, and NIST CSF, aligned to the current ISO 27001:2022 Annex A structure
Control specifications precise enough to build and test against

Best for teams answering to more than one standard.

Scope this engagement

Alvor Advisory · ArchitectAR-03

Security Strategy and Roadmap

A sequenced, costed path from where you are to the target state.

You walk away with

Sequenced roadmapCosted delivery plan

Program-wideScopedTypically 3–5 weeks

Scope of workp. 2

Includes

Initiatives prioritised and sequenced in the right build order
Costed delivery planning with dependencies made explicit
A plan your board and your delivery team can both read

Best for leaders who need a defensible plan and budget.

Scope this engagement

Alvor Advisory · ArchitectAR-04

Operating Model and Policy Framework

Decide who owns what, and write it down.

You walk away with

Operating modelPolicy and standards setDecision rights and RACI

Program-wideScopedTypically 3–5 weeks

Scope of workp. 2

Includes

Roles, responsibilities, and decision rights defined
Risk strategy, oversight, and board reporting on NIST CSF 2.0's Govern function
A policy and standards framework that holds together
Governance that survives a departure

Best for programs that live in one person's head today.

Scope this engagement

Alvor Advisory · ArchitectAR-05

Identity and Zero Trust Architecture

A focused design for identity, access, and Zero Trust.

You walk away with

Identity and access reference designZero Trust target architectureSecrets governance model

Function: Identity & accessScopedTypically 4–6 weeks

Scope of workp. 2

Includes

IAM and PAM design on a Zero Trust footing (NIST SP 800-207)
Human and machine identity in one model: workload identity, service accounts, and secrets governance
Identity threat detection and response built into the identity fabric
Access model, segmentation, and a migration path from where your estate is today

Best for teams modernising identity as the new perimeter.

Scope this engagement

Alvor Advisory · ArchitectAR-06

AI Governance and Control Architecture

An AI control plane, designed before adoption hardens into habit.

You walk away with

AI control-plane designAI policy and guardrail setISO 42001 readiness map

Function: AI governanceScopedTypically 3–6 weeks

Scope of workp. 2

Includes

An AI governance framework anchored to ISO/IEC 42001 and the NIST AI RMF
Guardrails for data, models, and pipelines your engineers can build against
Acceptable-use, procurement, and third-party AI controls
Mapped into the same unified control set as the rest of the program

Best for organisations putting AI into products or workflows.

Scope this engagement Read the full page

The catalogue, mapped

One flagship. Five ways to go deeper.

Inner orbit · program-wideOuter orbit · targetedSelect a node to open its report

The blueprint you walk away with

One control framework, designed once and mapped across every standard you answer to, so a single control evidences ISO 27001, SOC 2 and NIST CSF at once.

01Target-state architecture
02Remediation roadmap
03Control specifications
04Secure by Design patterns
05Compliance program blueprint

The decision is yours

With the blueprint in hand you can build with us, hand it to a partner, or direct your own team. The design is yours either way.

Previous trackAssessKnow exactly where you stand, and what to fix first.Next trackBuildStand the controls up, integrate them, and prove they work.

AlvorAdvisory

Start where it makes sense for you.

A short conversation is the fastest way to scope Architect and see where it fits across the lifecycle.

Book a consultation Back to the advisory

Decide what good looks like before a single control is built.