In The Field: Blended Framework Audit
One of our clients is an international non-profit in the sustainable commodities space.
They'd built their security management system around ISO 27001, and because they operate across the EU, they were also trying to line it up with the NIS 2 Directive.
The trouble was, nobody had ever gone in and independently checked how well they were actually doing against either one. That's what they brought us in for.
The obvious way to do that is to run two separate audits: one for ISO, one for NIS 2. Two lots of interviews, two reports, a lot of the same ground covered twice.
We didn't do that.
What we ran instead was a blended framework audit: one audit that checked their single management system against both standards at the same time, using the same evidence and the same conversations rather than doing it all twice. They got full coverage of both standards from one piece of work, for a fraction of the cost and hassle of running them separately.
To pull that off properly, we split the interviews into three streams running side by side: the technical side (the platform and how it's built), people and HR, and legal and management. A review of paperwork alone would have missed a lot of what we actually found.
Alongside those conversations, we went through their full set of policies and procedures in detail, and where we couldn't get a clear enough answer from an interview (especially anything to do with the cloud setup), we engaged their DevOps team directly on things like backups, encryption and how resilient the whole system actually was.
One thing shaped how we wrote everything up. The organisation had been through some leadership changes, and a lot of their security policies were sitting in draft, never formally signed off.
The substance was good, it just hadn't been approved yet. Given that, and how much real progress the team had made, we chose to write up every finding as an opportunity to improve rather than a formal failure.
We wanted something they'd actually act on, not something that punished them for being upfront with us about where the gaps were.
By the end, we'd reviewed 110 individual controls covering the whole of ISO 27001 and all 93 of its Annex A controls, plus a full mapping against every one of NIS 2's ten security requirements, all from that one piece of work.
We found 20 genuine opportunities for improvement, with another 19 linked back to avoid repeating ourselves, and five bigger findings at a policy level, each with clear guidance on how to fix it.
We also gave credit where it was due: proper penetration testing, encrypted and backed-up systems, multi-factor authentication everywhere, and a security awareness programme that people actually take part in.
Their own clients had started asking them to prove their own security was up to scratch. They can answer that properly now, with real evidence behind both frameworks instead of just a promise.
We've also built them a shorter, customer-facing version of the report, so they've got something ready to hand straight over the next time that question comes up.