Compliance that runs on evidence, not promises.
Certifications aren’t earned in a two-week evidence drive. They’re earned every day a control operates, gets logged, and gets reviewed. Because AlecTech runs the SOC, the backups, the access reviews, and the vulnerability program, audit evidence is the byproduct of live operations — not a pre-audit reconstruction. SOC 2, ISO 27001, PCI-DSS, HIPAA, PIPEDA, Law 25, CyberSecure Canada: one evidence library, many frameworks, boring auditor visits.
A program that clears the audit and stays clear.
Certification is the milestone; maintaining it is the work. Every engagement produces a program that a surveillance auditor, a new insurer, or a client’s procurement office recognizes on sight — and keeps recognizing year over year.
Twelve services, three mandates.
Certify runs the frameworks that carry a certificate or attestation. Comply covers the privacy and industry regulations that don’t end in a certificate but do end in regulator action. Operate keeps the program current between audits — which is the hard part.
Certify
Certifications & attestations
SOC 2 Type I & Type II
Trust Services Criteria scoping, readiness assessment, control design, evidence program, and audit operation through Type I and Type II. The attestation clients in Canada and the US now ask for before signing.
ISO/IEC 27001
ISMS design, Statement of Applicability, risk treatment, internal audit, and certification body engagement through Stage 1, Stage 2, and surveillance. Includes ISO 27002 control alignment.
PCI-DSS 4.0
Cardholder data environment scoping, segmentation review, SAQ or ROC preparation, and QSA liaison. Covers merchants and service providers through the 4.0 transition and new requirements taking full effect.
HIPAA
Security Rule and Privacy Rule program design, Business Associate Agreement management, and OCR-facing documentation for covered entities and business associates operating in or into the US healthcare market.
CyberSecure Canada
ISED CyberSecure Canada certification for SMBs — 13 baseline controls, program documentation, attestation, and ongoing evidence to maintain the mark. The federal-government-recognized SMB standard.
Comply
Privacy, regulators, insurers
Canadian Privacy Program
PIPEDA, Quebec Law 25, Alberta PIPA, BC PIPA, and Ontario PHIPA program design. Privacy Officer advisory, privacy notices, consent frameworks, PIAs, and regulator-facing response capability.
GDPR & International Privacy
EU GDPR Article 30 records, UK GDPR, CCPA/CPRA readiness, and cross-border data transfer mechanisms. For Canadian organizations selling into the EU, the UK, and California.
Industry-Specific Regulation
OSFI B-13 (financial), FINTRAC, IIROC, Controlled Goods Program, ITAR/EAR, and Law Society cyber obligations. Program design calibrated to the regulator your business actually reports to.
Cyber Insurance Readiness
Underwriter questionnaire navigation, control attestations, evidence packaging, and claim-readiness review. Insurers now underwrite on program maturity — evidence is what moves the premium.
Operate
Keeping the program current
Evidence Library & Continuous Monitoring
Control inventory, evidence capture automation, and continuous-monitoring dashboard. Evidence is collected by the team running the control — not retrofitted from screenshots taken the week before the audit.
Policy & Standards Management
Policy library development, periodic review cadence, approval workflow, attestation tracking, and exception management. The paper trail auditors actually accept, kept current between cycles.
Auditor & Regulator Liaison
Audit planning, fieldwork coordination, finding response, and ongoing regulator engagement. Turn auditor weeks into auditor days — and keep the regulator’s file uneventful.
Audit evidence is a byproduct of running the control. Not an exercise before the audit.
Most GRC work is a reconstruction exercise: controls live in a GRC tool, operations live somewhere else, and once a year someone harvests screenshots to prove the two ever met. Because AlecTech runs the SOC, the backups, the vulnerability program, the access reviews, and the IR retainer, the evidence is the operational artifact — the SOC ticket closing, the backup test passing, the quarterly access review completing. The auditor sees what the business actually does, not what a consultant claims.
- Access reviews, patching records, backup restore tests, SOC alerts, and IR drills captured automatically
- One control inventory mapped across SOC 2, ISO 27001, PCI-DSS, HIPAA, and CyberSecure Canada — write once, audit many
- Surveillance audits become calendar events, not fire drills — evidence already exists
- Insurer questionnaires drawn from the same live evidence library as the audit response
Four frameworks. Four typical paths.
Each framework has a characteristic shape: readiness duration, audit cycle, and evidence intensity. Planning the program around the right cycle, with evidence reused across frameworks, is where time and cost compress.
SOC 2 Type II
Trust Services Criteria for service organizations. Type I is point-in-time; Type II observes controls over 3–12 months. The attestation most enterprise customers now require.
ISO/IEC 27001
Certification-based ISMS with Statement of Applicability and documented risk treatment. Stage 1, Stage 2, then surveillance audits year 1 and 2, recertification year 3.
PCI-DSS 4.0
Scoping around the cardholder data environment, SAQ or Report on Compliance, and QSA engagement. Merchant and service provider levels, with 4.0 requirements now fully in effect.
HIPAA
Security Rule and Privacy Rule program for covered entities and business associates. No certificate, but OCR-facing documentation and BAA posture that a US healthcare partner recognizes.
GRC is the paper. Operations are the proof.
A control framework is easy to write; what is harder is proving that it is still operating on a Tuesday in month 9. Pair GRC with the services that generate the evidence — MDR, vCISO, risk assessments, IR — and the auditor sees one program, not a collage. Same contract, same accountable team, same dashboard.
MDR & SOC
SOC tickets, detection coverage, and response metrics feed directly into SOC 2 CC6/CC7 and ISO 27001 A.12/A.16 evidence.
Virtual CISO
Named accountable leader, program charter, and board reporting that audit frameworks and insurers now both require.
Risk Assessments
Enterprise risk register, gap assessments, and quantified findings that feed the GRC program’s risk treatment plan.
Incident Response
IR retainer, tabletop exercises, and incident records — the audit evidence for "we rehearse" that auditors now insist on seeing.
From scope to surveillance in four phases.
Each certification follows the same sequence, whether it’s a first-time SOC 2 Type II or a three-year ISO 27001 cycle. Scope is tight; readiness is measured; audit is orchestrated; surveillance is a calendar item, not a scramble.
- 01 (Weeks 1–4) Scope & Readiness: Framework scoping, gap assessment against target controls, evidence inventory, and a written readiness plan with owners, timelines, and budget signed off before remediation starts.
- 02 (Months 1–6) Design & Remediate: Policy library development, control design, technical remediation, evidence-capture automation, and internal audit. Surface and close gaps before the external auditor ever sees them.
- 03 (Audit cycle) Evidence & Audit: Audit planning, fieldwork coordination, evidence packaging, finding response, and certification-body or CPA liaison through Stage 1, Stage 2, or Type I/II attestation.
- 04 (Year 2+) Maintain & Expand: Continuous monitoring, surveillance audit prep, policy review cycles, and framework expansion — adding ISO 27001 once SOC 2 is stable, PCI-DSS once a new product ships, and so on.
Every engagement is led by a named GRC lead — CISA, CRISC, or ISO 27001 LA credentialed — with a program coordinator running the operational cadence so leadership time is spent on judgment calls, not status work.
Standard deliverables: scope statement, control inventory, policy library, evidence library, risk register, internal audit report, audit-ready submission package, and a maintenance plan for surveillance.
Frameworks share the vast majority of their controls. Every control is captured once in the inventory and mapped across every framework in scope — so adding ISO 27001 to a SOC 2 program is weeks, not months.
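The "write once, audit many" inventory described here and in the evidence-library section above is, at bottom, a data structure: each control is recorded once with its owner and review period, mapped to clause references in every framework in scope, and judged against the latest operational artifact rather than a pre-audit screenshot. The following is an added illustration, not AlecTech's tooling or any auditor's crosswalk; the control ids, owners, evidence records and clause references are constructed for the example, and the clause mappings are illustrative rather than an authoritative mapping. It derives a per-framework evidence package and a continuous-monitoring queue (controls whose evidence is stale or was never captured) from one shared inventory.

```python
"""Added example: one control inventory, mapped across frameworks, with evidence
freshness computed from operational records. All data below is constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Control:
    control_id: str
    name: str
    owner: str                         # team that runs the control and produces the evidence
    review_days: int                   # maximum evidence age before the control counts as stale
    mappings: Dict[str, List[str]]     # framework -> clause references (illustrative only)


@dataclass(frozen=True)
class Evidence:
    control_id: str
    collected: date
    artifact: str                      # the operational record itself, e.g. a ticket or job id


# Constructed control inventory: ids, owners and clause references are assumptions.
CONTROLS: List[Control] = [
    Control("AC-01", "Quarterly user access review", "IT Ops", 90,
            {"SOC2": ["CC6.2", "CC6.3"], "ISO27001": ["A.9.2.5"], "PCI-DSS": ["7.2.4"]}),
    Control("BK-01", "Backup restore test", "Infrastructure", 30,
            {"SOC2": ["A1.2"], "ISO27001": ["A.12.3.1"], "HIPAA": ["164.308(a)(7)"]}),
    Control("VM-01", "Critical patch applied within SLA", "SOC", 30,
            {"SOC2": ["CC7.1"], "ISO27001": ["A.12.6.1"], "PCI-DSS": ["6.3.3"]}),
    Control("IR-01", "Incident response tabletop", "SOC", 365,
            {"SOC2": ["CC7.4"], "ISO27001": ["A.16.1.1"], "HIPAA": ["164.308(a)(6)"]}),
]

# Constructed evidence: each record is the artifact produced by operating the control.
EVIDENCE: List[Evidence] = [
    Evidence("AC-01", date(2024, 1, 15), "access-review-2024Q1"),
    Evidence("AC-01", date(2024, 4, 12), "access-review-2024Q2"),
    Evidence("BK-01", date(2024, 5, 20), "restore-test-job-4412"),
    Evidence("VM-01", date(2024, 4, 2), "patch-ticket-SOC-9031"),
    # IR-01 has no record in this window: the gap must surface, not be papered over.
]

AS_OF = date(2024, 6, 1)   # constructed reporting date


def latest_evidence(control_id: str, evidence: List[Evidence]) -> Optional[Evidence]:
    """Most recent evidence record for a control, or None if nothing was ever captured."""
    records = [e for e in evidence if e.control_id == control_id]
    return max(records, key=lambda e: e.collected) if records else None


def control_status(control: Control, evidence: List[Evidence],
                   as_of: date) -> Tuple[str, Optional[Evidence]]:
    """Return 'current', 'stale' or 'missing' as of a date, plus the record judged."""
    latest = latest_evidence(control.control_id, evidence)
    if latest is None:
        return "missing", None
    age_days = (as_of - latest.collected).days
    return ("current" if age_days <= control.review_days else "stale"), latest


def framework_report(framework: str, controls: List[Control],
                     evidence: List[Evidence], as_of: date) -> Dict[str, dict]:
    """Evidence package for one framework: clause -> owning control, status, artifact.
    The same inventory and evidence serve every framework; only the clause keys change."""
    report: Dict[str, dict] = {}
    for control in controls:
        status, latest = control_status(control, evidence, as_of)
        for clause in control.mappings.get(framework, []):
            report[clause] = {
                "control": control.control_id,
                "owner": control.owner,
                "status": status,
                "artifact": latest.artifact if latest else None,
            }
    return report


def attention_list(controls: List[Control], evidence: List[Evidence],
                   as_of: date) -> List[Tuple[str, str]]:
    """Continuous-monitoring queue: controls whose evidence is stale or missing."""
    queue = []
    for control in controls:
        status, _ = control_status(control, evidence, as_of)
        if status != "current":
            queue.append((control.control_id, status))
    return queue


if __name__ == "__main__":
    for name in ("SOC2", "ISO27001", "PCI-DSS", "HIPAA"):
        report = framework_report(name, CONTROLS, EVIDENCE, AS_OF)
        current = sum(1 for row in report.values() if row["status"] == "current")
        print(f"{name}: {current}/{len(report)} mapped clauses backed by current evidence")
    print("needs attention:", attention_list(CONTROLS, EVIDENCE, AS_OF))
```

Run against the constructed data, the queue surfaces VM-01 (evidence older than its 30-day window) and IR-01 (no evidence at all), and every framework report points at the same four controls and the same artifacts, which is what lets a surveillance audit or an insurer questionnaire draw from one library instead of a fresh reconstruction.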
Three shapes. Same operating rigor.
How the program is consumed depends on where the organization is. First-time certifications have a distinct shape. Ongoing programs with surveillance audits have a different cadence. Multi-framework operators need the crosswalk to hold. All three run on the same evidence library.
First-Time Certification
End-to-end readiness and certification of a single framework: SOC 2 Type I then Type II, ISO 27001, PCI-DSS, HIPAA, or CyberSecure Canada. Includes policy library, evidence library, internal audit, and audit-body liaison.
Annual Program & Surveillance
Maintain certified status year over year: continuous evidence capture, policy review cycles, internal audit, surveillance audit prep, and auditor engagement. Monthly program check-in, quarterly control reviews.
Multi-Framework Program
Unified GRC program across multiple frameworks: SOC 2 + ISO 27001 + PCI-DSS + HIPAA + privacy. One control inventory, one evidence library, one audit calendar, one named accountable leader.
Where the certificate is the ticket in.
GRC programs for sectors where certification isn’t a trophy — it’s the precondition to bid, close, or register. Regulated, audited, or procurement-facing.
Legal Firms
Law Society cyber obligations, client-panel security questionnaires, ISO 27001 expectations from enterprise clients, and Law 25 / PIPEDA privacy program duties.
Financial Services
OSFI B-13, FINTRAC, IIROC, SOC 2, ISO 27001, and cyber insurance questionnaires — the certifications and attestations that registration and bank counterparty relationships now require.
Aerospace & Defense
Controlled Goods Program, ITAR/EAR, CMMC-aligned programs, and the prime-contractor security flowdowns that cascade to every tier of the supply chain.
Make the auditor’s next visit boring.
A 30-minute scoping call with a senior GRC lead — not a sales rep. We’ll walk through the framework pressure, the audit window that matters, and which engagement model actually fits. A fixed-price readiness proposal follows inside a week.