Alvor Advisory

Assess · Compliance readiness

ISO 27001 and SOC 2 readiness, measured before you commit.

A fixed-fee gap assessment against the standard you are heading for, control by control, with the distance to certification made explicit and a remediation path you can hold. We take you to assessor-ready; the certificate is issued by an independent body, by design.


Scope and price agreed in writing before any work. No obligation.

[Figure: Distance to certification · Annex A. Themes: Organisational (37 controls), People (8 controls), Physical (14 controls), Technological (34 controls). Legend: Evidence-ready; Exists, unproven; Crosswalked to SOC 2. Endpoint: Audit day, independent assessor.]

ISO/IEC 27001:2022 · SOC 2 · Control-by-control evidence read · Independent of your assessor

Three places teams start from.

A deal depends on certification

A customer or market has made ISO 27001 or SOC 2 a condition of doing business, and you need an honest read on the distance before you promise a date.

An audit went badly, or nearly did

A failed stage, a string of nonconformities, or a surveillance audit that felt like luck. The readiness read finds the gaps before the assessor does, on your timeline rather than theirs.

Two standards, one budget

You answer to ISO 27001 and SOC 2 together and refuse to run two parallel compliance projects. The crosswalk makes one control set evidence both.

What you are commissioning

The engagement, as a term sheet.

One named engagement from the Assess track backs this page, scoped to one named standard per pass and priced in writing before any work begins.

Assess track · Fixed-fee · Typically 2–3 weeks

Compliance Readiness Assessment

See the exact distance to certification before you commit to the audit.

Best for teams heading into a first certification or surveillance audit.

Includes

  • Gap assessment of the program against one named standard: ISO 27001, SOC 2, or a sector regime
  • Control-by-control review of what is in place against what the standard requires
  • An honest read on the time and effort to certification

Deliverables

  • Readiness report
  • Gap-to-certification register
  • Remediation priorities

The standardised assessments are fixed-fee. Every other engagement is scoped and priced in writing before you commit, from a one-off review to a managed service.

The method

What a readiness read involves.

01

The current standard, not the old one

ISO 27001 work runs against the 2022 revision: the management-system clauses plus Annex A's 93 controls in their current four themes. SOC 2 work runs against the Trust Services Criteria you actually scope, from the mandatory Security criteria outward, with the Type I versus Type II decision made deliberately rather than by default.

02

Distance made explicit

You leave with a gap-to-certification register: which controls are evidence-ready, which exist but cannot be proven, which are absent, and an honest read on the time and effort to close each. No glide-path optimism.

03

Design once, evidence twice

Findings are cross-mapped between ISO 27001, SOC 2, and NIST CSF 2.0, so a control you fix for one standard is captured as evidence for the others. Teams pursuing both standards should never pay for the overlap twice.

04

The bright line

We take you all the way to assessor-ready and stop. The certificate or attestation is issued by an independent body: we build the posture, your assessor judges it. That separation is what makes the result count.

The path

From readiness to audit day.

Readiness is the first move on a defined path, and every step on it is a separate decision that stays yours.

  • 1. Readiness: the gap-to-certification register, fixed-fee
  • 2. Remediation: gaps closed under Build, by us or your team
  • 3. Audit preparation: evidence assembled and rehearsed against the published criteria of your standard, before your assessor arrives

Questions

What teams ask about this engagement.

How long until we can certify?

It depends on the distance, and the readiness assessment exists to stop anyone guessing. You receive an honest read on the time and effort to certification as a deliverable, typically after two to three weeks of assessment work.

SOC 2 Type I or Type II?

Type I attests your controls' design at a point in time; Type II attests they operated over a period, usually three to twelve months, and is what most customers ultimately ask for. Many teams sequence a Type I while the Type II observation window runs. We help you choose deliberately against what your customers actually require.

Do we need ISO 27001 or SOC 2?

Usually whichever your customers ask for: SOC 2 dominates North American buyer due diligence, ISO 27001 carries more weight in Europe, Australia, and government-adjacent markets, and scale-ups selling globally increasingly hold both. The crosswalk means choosing one first does not strand the work.

Can you also certify us?

No, and that is by design. Certification must come from an accredited, independent body; a firm that builds your posture and then judges it would compromise exactly the assurance you are buying. We prepare you and stand beside you through the audit.

What if the readiness assessment finds we are far away?

Then it has done its job early and cheaply. The register tells you exactly what to close and in what order, and you decide who closes it: your team, a partner, or us under Build. Nothing about the assessment commits you to more.

Alvor Advisory

Scope it before you commit to it.

One conversation, then the scope and the price in writing. Your enquiry arrives already marked for compliance readiness.

© 2026 Alvor, Inc. All rights reserved.