Audit and Compliance

Complete documentation aligned with the NIS2 Directive.


Compliance work is not about ticking boxes fast enough to satisfy an auditor. Done properly, it maps what a framework actually requires onto how your organisation works, identifies the gaps that matter, and produces documentation that reflects reality rather than what someone hoped was true at the time of writing. The difference shows up the moment a regulator or a client's procurement team reads past the cover page.

I work with organisations navigating NIS2, the Polish KSC (Krajowy System Cyberbezpieczeństwa), and ISO 27001 — both initial implementations and periodic reviews. That means gap assessments against the relevant control set, risk treatment decisions grounded in your actual threat landscape, and the full documentation package: policies, procedures, risk registers, asset inventories, and the supporting evidence an audit requires. Nothing is templated and renamed; the documents are written for your environment, not a hypothetical one.

For organisations under NIS2 or KSC obligations, the regulatory clock is not abstract. I can help you understand where you sit against the directive's requirements, prioritise the controls that close the most exposure first, and produce the incident response and supply chain security documentation that regulators look for specifically. If you've already been through an audit and received findings, I can work from those directly.

Engagements are scoped to what you actually need. Some clients want end-to-end implementation support; others have an internal team that needs a gap assessment and a documentation review to cross the finish line. Either way, the output is something you can use — not a hundred-page report that goes in a drawer while the real problems stay unaddressed. If you're not sure where you stand yet, that conversation costs nothing.


Get in touch to discuss audit or compliance documentation services.
