Goal: Assess current controls against NIS2 or DORA using ISO 27001 mapping.

Map existing controls and policies to NIS2 or DORA via an ISO 27001 assessment.

Identify and prioritise gaps with effort estimates and named owners.

Secure executive sponsorship and define management accountability.

Document scope, critical assets, data flows, and risk context.

Goal: Implement high-impact controls, establish governance, deploy compliance automation, and publish the policy pack.

Implement MFA, PAM, centralised logging, and automated backups with restore testing.

Set up vulnerability scanning and remediation workflows.

Integrate Vanta (or similar) to continuously collect evidence from Microsoft 365, Azure, AWS, etc.

Draft and publish policies for security, risk, incident response, ICT third parties/suppliers, BC/DR, access control, and change management.

Goal: Prove controls work in practice—train people, manage third-party risk, enable detection & response, and exercise plans under load.

Deliver role-based training for leadership and control owners; track completion.

Perform supplier/ICT due diligence and maintain a third-party risk register with ratings and exit strategies.

Run continuous monitoring with detection use cases and triage runbooks; define MTTD/MTTR targets.

Conduct tabletop drills, DR tests, and penetration or vulnerability testing.

Directive specifics: NIS2 supply-chain security and incident reporting playbook; DORA operational resilience testing and TLPT readiness (where applicable).

Goal: Demonstrate compliance and lock in operations.

Assemble a mapped evidence repository (directive requirements ↔ ISO 27001 controls).

Run management review on performance, risks, and compliance status.

Obtain executive/board sign-off on residual risks, budget, and objectives.

Establish ongoing cadence: metrics dashboards, quarterly supplier reviews, change control board, periodic testing, and compliance monitoring.