
Identity Controls Readiness for SOC 2, ISO 27001, DORA & More

Auditors are focusing on identity. Most organisations cannot show control-to-evidence mapping for privileged access, MFA coverage, or account lifecycle management. We fix that — before your audit, not during it.

  • Read-only assessment
  • Audit-ready evidence output
  • Delivered in days, not months

What Auditors Are Finding

Identity controls are now a primary focus for SOC 2, ISO 27001, DORA, and NIS2 auditors. Common audit failures include:

  • No documented evidence of MFA coverage across all administrator accounts
  • Privileged accounts that cannot be mapped to a named individual and business justification
  • Legacy authentication protocols still enabled with no exception-management process
  • No evidence of periodic access reviews for privileged and standing roles
  • Service accounts and application identities undocumented and unrotated
  • Conditional access policies with broad exclusions not captured in a risk register

The Cost of a Finding

An identity-related finding in a SOC 2 audit or regulatory review is not just a checkbox issue. It can:

  • Delay or fail your SOC 2 Type II report
  • Trigger regulatory escalation under DORA or NIS2
  • Increase your cyber insurance premium or narrow your cover
  • Block enterprise contract awards that require compliance evidence

Fixing issues before an audit costs a fraction of what remediation during or after an audit costs.

Compliance Services

Regulatory Alignment Accelerator

Comprehensive identity control mapping to NIS2, DORA, and ISO 27001. This engagement maps your actual identity controls to specific regulatory requirements, scores the strength of your existing evidence, produces a gap register, and provides an audit-exposure summary — showing your auditor exactly what you have and where you stand.

What You Receive

  • Control-to-evidence mapping document
  • Evidence-strength scoring (high / partial / missing)
  • Gap register with prioritised remediation steps
  • Audit-exposure summary — a clear picture of residual risk
  • Remediation roadmap with realistic timelines
  • Review call with our specialist on findings

MFA & Conditional Access Assurance

MFA coverage is one of the first things auditors, insurers, and regulatory bodies ask about. This engagement performs a detailed review of your MFA and conditional access configuration — identifying exclusions, legacy authentication exposure, and exception risks across Entra ID, Active Directory, and Okta.

Outputs are formatted for auditors, insurers, and governance stakeholders — not just your technical team.

What You Receive

  • MFA coverage report (by user type, role, and platform)
  • Conditional access policy review with gap analysis
  • Legacy authentication protocol exposure report
  • Exception and exclusion register
  • Evidence package suitable for auditors and insurers
  • Prioritised remediation steps

Cyber Essentials Identity Controls Readiness

Cyber Essentials and Cyber Essentials Plus increasingly scrutinise identity controls — particularly admin account separation, MFA on internet-facing services, and access control boundaries. This engagement validates your posture against these expectations before your assessment, reducing the risk of a failed certification.

What You Receive

  • Admin separation validation (local vs domain vs cloud)
  • MFA coverage check for internet-facing services
  • Cloud identity boundary assessment
  • Conditional access logic review
  • Readiness rating with remediation priorities

Framework Coverage

Specific controls addressed in every compliance engagement

SOC 2

CC6.1 Logical Access, CC6.2 Authentication, CC6.3 Authorisation, CC7.1 System Monitoring

ISO 27001

A.9 Access Control, A.9.2 User Access Management, A.9.4 System Access, A.12 Operations Security

DORA / NIS2

Access control requirements, privileged access management, authentication strength, incident detection capability

Cyber Essentials

User access control, admin account separation, MFA on internet-facing services, access boundary validation

Audit Coming Up?

Tell us your framework, your timeline, and your environment. We'll scope an engagement that gets you ready — with evidence your auditor will accept.