
Home / IT Security / GRC & Compliance
Governance a small company can actually operate.
Policies people follow, a risk register that gets read, and audit-ready evidence for SOC 2, ISO 27001, CMMC, HIPAA and PCI DSS — without pretending we are your auditor or your lawyer.
We are engineers who write governance that maps to real controls. We are not a certification body and not your counsel.
A policy nobody follows is worse than no policy. It is documented proof you knew the right thing to do and didn't.
Most small-company security policies are downloaded templates with a logo swapped in. They describe controls the company does not run, which is exactly what sinks an audit and voids an insurance claim. We do the reverse: build the control, then document the control — so the paperwork describes reality.
Two boundaries we keep clearly. We are not auditors and cannot issue your certificate — an independent body does that. And we are not lawyers; regulatory interpretation belongs to your counsel. What we do is build the technical and organizational controls your obligations require, and produce evidence an auditor accepts.
Governance documents that are operated, not filed.
- Security policies
- Access control, acceptable use, data classification, encryption, remote work, vendor management — written to what you actually do, in language staff can follow.
- Risk register
- A living record of risks, owners, treatment decisions and review dates — the spine of any framework, and the first thing an auditor opens.
- Asset & data inventory
- What you hold, where it lives, how it is classified, and who is accountable. Almost every control depends on this existing.
- Incident & continuity plans
- The IR plan and business-continuity / DR plans the frameworks require — and that we would want you to have regardless.
- Vendor / third-party review
- A process for assessing the security of suppliers who touch your data, with the paper trail to prove you ran it.
- Evidence collection
- The unglamorous engine of every audit: mapping your controls to the framework and gathering the artifacts that prove they operate.
We prepare you for these. The audit or certificate comes from an independent party.
We never describe ourselves as “ISO 27001 certified” or “SOC 2 certified” — those apply to an organization and a defined scope, verified by an accredited auditor. We help you become certifiable and stand beside you through the audit. The claim on the certificate is yours to earn, not ours to lend.
Three sizes, depending on where you are.
Readiness gap analysis
Where you stand against a chosen framework, what is missing, and the work to close it — a fixed-scope first step.
Program build
We implement the missing controls and write the documentation to match, over a defined project.
Ongoing GRC
Risk register upkeep, evidence collection and control monitoring as a retainer, so audit-readiness is continuous, not an annual panic.
The two boundaries people check.
Are you auditors or a certification body?
No. We prepare the controls, documentation and evidence; the audit and the certificate come from an independent auditor or certification body. We can work alongside the one you choose.
Is this legal advice?
No. Regulatory interpretation belongs to your counsel. We build and document the technical and organizational controls your obligations require, and we say clearly when a question needs a lawyer.
A customer just sent you a security questionnaire. Now what?
That is usually where this starts. Tell us the framework you are being held to — or the questionnaire you cannot answer — and we will scope the readiness work.
Contact us- info@bstedge.com
- Response
- Within one business day
- Boundary
- Readiness, not audit or legal opinion