§ Services

Eight engagements,
performed seriously.

We do not offer twenty services badly. We offer eight, and each engagement is staffed by a partner-grade lead from kickoff to issuance: the person you meet is the person who writes the report.

01
3 — 12 months

SOC 2 Type II

Trust Services Criteria, observed over time.

We perform Type I readiness, then Type II attestations across the Security, Availability, Confidentiality, Processing Integrity and Privacy criteria. Evidence is collected continuously across the observation window — not assembled in the final week.

Deliverables
  • Readiness assessment
  • Control narrative
  • Type II report
  • Bridge letters
02
6 — 9 months

ISO/IEC 27001

Certification, not just compliance.

Stage 1 documentation review, Stage 2 certification audit, and ongoing surveillance, with controls mapped to Annex A of the 2022 revision. We work alongside your ISMS owner, not around them.

Deliverables
  • Gap analysis
  • Stage 1 & 2 audit
  • Annex A mapping
  • Surveillance audits
Fig. 02 — Fieldwork, production environment (photo: server room corridor)
03
4 — 8 months

HIPAA & HITRUST

For systems carrying PHI.

Security Rule, Privacy Rule and Breach Notification assessments for covered entities and business associates. HITRUST i1 and r2 validated assessments where a higher bar is required by counterparties.

Deliverables
  • Risk analysis
  • Safeguard testing
  • HITRUST validation
  • Remediation plan
04
3 — 6 months

PCI DSS 4.0

Cardholder data, audited.

SAQ guidance for merchants and Report on Compliance support for service providers. We hold the line on scope so the audit reflects what is actually in the cardholder data environment.

Deliverables
  • Scope definition
  • Gap remediation
  • RoC drafting support
  • Attestation of Compliance
Fig. 03 — The deliverable is a bound report, written to be read, cited, and defended (photo: stack of bound audit reports on a desk)

05
4 — 7 months

NIST CSF & 800-53

For federal and federal-adjacent systems.

Cybersecurity Framework profile development and 800-53 control assessments for organisations contracting with, or selling into, the public sector. We map findings to FedRAMP and CMMC readiness where those programmes apply.

Deliverables
  • Current/target profile
  • Control assessment
  • POA&M drafting
  • FedRAMP gap memo
06
2 — 6 weeks

Penetration Testing

Adversarial, not theatrical.

Black-, grey- and white-box engagements against web applications, APIs, cloud estates and internal networks. Each test is led by an OSCP-certified operator and concludes with an executive narrative plus a developer-grade technical appendix.

Deliverables
  • Threat model
  • Manual exploitation
  • Technical findings
  • Retest of remediations
07
1 — 3 months

Vendor & Third-Party Risk

Audit the supply chain.

Independent assessments of critical vendors, subprocessors and acquisition targets. Used by procurement, security and M&A teams when an internal questionnaire is no longer enough to satisfy the board.

Deliverables
  • Vendor inventory
  • Tiered assessments
  • Remediation tracking
  • Board-ready summary
08
6 — 18 months

Virtual CISO

A senior voice on retainer.

Partner-level security leadership for organisations between full-time hires. We chair your security council, brief the board, and shepherd remediation between formal audit windows. Engagements are bounded — never open-ended.

Deliverables
  • Quarterly roadmap
  • Board reporting
  • Audit shepherding
  • Policy stewardship

Unsure which framework applies?

Tell us about the customers asking and the data you hold. We'll tell you what is required, what is theatre, and what you can defer.