Week 1–2: The Clarity Assessment
The Sprint starts with a diagnostic. Not a questionnaire you fill out yourself. A proper, hands-on assessment where we map every gap across your environment: identity and access management, endpoint security, backup and recovery, logging and monitoring, security policies, vendor risk, and offboarding procedures.
We look at what you have, what you think you have, and what's actually working. The difference between these three things is usually significant. Most companies overestimate their coverage by 40-60% because they confuse "we bought the tool" with "the tool is configured, monitored, and enforced."
Output: a prioritised remediation roadmap. Not a 200-page report that sits on a shelf. A clear, sequenced plan that tells you exactly what gets implemented, in what order, and why.
Week 3–4: Foundation controls
This is where the most impactful work happens. We implement the foundation controls that stop the large majority of the incidents we see: SSO enforced across all applications (no more password-only access to critical systems), MFA on every account that touches company data, device management (MDM) enrolment for all endpoints, and endpoint detection and response (EDR) deployed with 24/7 monitoring.
These four controls alone transform your security posture from "hope nothing happens" to "we would detect and contain an incident." Most breaches exploit one of these gaps: stolen credentials, unmanaged devices, or endpoints with no detection capability. By week 4 those vectors are substantially narrowed. One caveat: SMS and push-notification MFA can still be phished or fatigued into approving a login, so wherever your identity provider supports it we enforce phishing-resistant methods (FIDO2/WebAuthn security keys or platform passkeys), for administrator accounts first and for everyone else as soon as practical.
Week 5–8: Policy pack and evidence
This is the phase where most DIY security efforts die. Writing information security policies, building a risk register, documenting access reviews, setting up evidence collection — it's unglamorous, detail-heavy work that requires someone who's done it for dozens of companies, not someone figuring it out from a template for the first time.
We produce the full policy pack: information security policy, acceptable use policy, data classification policy, incident response plan, vendor management policy, access control policy, and business continuity plan. These aren't generic documents with your logo pasted on. They're written to reflect your actual environment, your actual tools, and your actual risk profile.
Simultaneously, we start collecting the evidence that auditors and enterprise buyers will ask for. Access review logs. Configuration screenshots. Policy acknowledgement records. The evidence pack starts building from day one of this phase — because compliance isn't about having policies, it's about proving you follow them.
Week 9–10: Advanced controls
With the foundation in place, we layer on the advanced capabilities: SIEM configuration with centralised logging and alerting rules tuned to your environment. Backup verification — not just "backups exist" but "we tested restoration and it works." Vulnerability scanning across your infrastructure and applications. Incident response procedures tested through a tabletop exercise. Vendor risk framework applied to your critical suppliers.
This phase moves you from "we have controls" to "we have controls that are monitored, tested, and documented." That's the difference between security that looks good on paper and security that actually protects you.
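What "we tested restoration and it works" means in practice is a restore test, not a check that an archive file exists. The script below is an added illustration written for this page, not tooling from the Sprint itself: it backs up a small constructed sample tree with tar, restores it into a clean directory, and compares the result file-by-file. Passing "corrupt" truncates the archive first, to show that a damaged backup is caught rather than reported as healthy. All paths are temporary and assumed; in a real environment the same three steps run against a production backup on a schedule, and the elapsed time of step 2 is what you compare against your recovery time objective.

```shell
#!/bin/sh
# Restore-test for a tar backup: back up a sample tree, restore it into a
# clean directory and compare the restored tree with the original.
# Added example for this page; the sample data is constructed inline and
# every path is an assumption, not the Sprint's own tooling.
set -u

# verify_backup_restore [corrupt]
#   Returns 0 when the restored tree matches the source, non-zero otherwise.
#   Pass "corrupt" to truncate the archive and confirm the check fails.
verify_backup_restore() {
  work=$(mktemp -d) || return 2
  src="$work/src"; restore="$work/restore"; archive="$work/backup.tar"
  mkdir -p "$src/app/config" "$restore"

  # Constructed sample data standing in for the real environment.
  printf 'db_host=10.0.0.5\n' > "$src/app/config/settings.env"
  printf 'customer,plan\nacme,enterprise\n' > "$src/app/customers.csv"
  dd if=/dev/zero bs=1024 count=64 2>/dev/null > "$src/app/blob.bin"

  # 1. Take the backup (archive lives outside the tree being archived).
  (cd "$src" && tar -cf "$archive" .) || { rm -rf "$work"; return 3; }

  # Simulate a damaged backup: keep only the first 1 KiB of the archive.
  if [ "${1:-}" = "corrupt" ]; then
    dd if="$archive" of="$archive.tmp" bs=1024 count=1 2>/dev/null
    mv "$archive.tmp" "$archive"
  fi

  # 2. Restore into a clean directory; a truncated archive makes tar fail.
  if ! (cd "$restore" && tar -xf "$archive" 2>/dev/null); then
    rm -rf "$work"; return 4
  fi

  # 3. Compare file-by-file; any missing or differing file is a failed restore.
  if diff -r "$src" "$restore" > /dev/null 2>&1; then
    status=0
  else
    status=5
  fi
  rm -rf "$work"
  return $status
}

# Stand-alone run: report the healthy case and the corrupted case.
if verify_backup_restore; then echo "restore test (intact archive): PASS"; else echo "restore test (intact archive): FAIL"; fi
if verify_backup_restore corrupt; then echo "restore test (truncated archive): PASS (unexpected)"; else echo "restore test (truncated archive): FAIL as expected"; fi
```

The evidence an auditor wants from this is the dated record of each run and its result, not the script; keep the output with the rest of the evidence pack.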
Week 11–12: Handover and transition
Everything gets documented. Every configuration, every policy, every procedure, every tool — documented in a format your team can reference and maintain. Your internal security owner gets briefed on what was implemented, how it works, and what their ongoing responsibilities are.
The evidence pack is transferred. If you're pursuing ISO 27001 or SOC 2 certification, you have everything the auditor will ask for. If you're moving to our managed services, the transition is seamless — we built the environment, we know every configuration, and we continue running it without a gap in coverage.
What you need to provide
Four to six hours per week from an internal champion. This person doesn't need to be a security expert — they need decision authority on policy approvals and the ability to grant us access to admin consoles. That's the total time commitment from your side.
We handle the implementation, the documentation, the configuration, and the project management. You handle the decisions that only someone inside your company can make: "Yes, this policy reflects how we want to work." "Yes, revoke that person's access." "Yes, approve this vendor risk rating."
That's it. We do the rest.
"90 days sounds fast until you see the plan. Then it sounds inevitable."