Services | Giovanni Velasco — SOC 2, ISO 27001, ISO 42001, HIPAA, FedRAMP & CMMC Advisory

Services

Fixed-scope engagements for every stage of your compliance journey.

From a first gap assessment to full audit readiness and ongoing fractional security leadership — each engagement is scoped to the framework your customers and contracts actually require.

Most requested

SOC 2 Gap Assessment

A full evaluation of your current controls against the SOC 2 Trust Service Criteria, with a prioritized roadmap for what to fix before you engage an auditor.

What’s included

  • Control-by-control evaluation against Trust Service Criteria
  • Documented findings mapped to each control
  • Prioritized remediation roadmap
  • Auditor-readiness scoring
Book a discovery call →
End-to-end

SOC 2 Readiness Program

Complete preparation for your Type I or Type II audit — policy development, control implementation, evidence collection, and direct coordination with your auditor.

What’s included

  • Policy and procedure development
  • Control implementation support
  • Evidence collection system setup
  • Auditor selection and coordination
Book a discovery call →
Global standard

ISO/IEC 27001 Readiness

Certification readiness for the internationally recognized information security management system standard — built for companies selling into global and regulated markets.

What’s included

  • ISMS scope definition and risk assessment
  • Statement of Applicability (SoA) development
  • Control implementation against Annex A
  • Internal audit and certification body coordination
Book a discovery call →
AI governance

ISO/IEC 42001 (AI Management Systems)

Readiness for the AI management system standard enterprise buyers are starting to require from vendors building AI-enabled products — covering risk management, data governance, and responsible AI controls.

What’s included

  • AI system inventory and risk classification
  • AI Management System (AIMS) documentation
  • Control mapping for data governance and model risk
  • Readiness assessment ahead of certification
Book a discovery call →
Healthcare

HIPAA Gap Assessment

Identify gaps in your HIPAA Security Rule compliance before a covered entity asks for evidence — or before an audit uncovers them for you.

What’s included

  • Security Rule control evaluation
  • Business Associate Agreement (BAA) review
  • Risk analysis documentation
  • Remediation roadmap
Book a discovery call →
Government cloud

FedRAMP Gap Assessment

Readiness evaluation for federal government cloud authorization — identifying control gaps against NIST SP 800-53 before you engage a 3PAO.

What’s included

  • Control baseline evaluation (Low, Moderate, or High)
  • System Security Plan (SSP) gap review
  • Remediation roadmap ahead of 3PAO assessment
  • Authorization pathway guidance
Book a discovery call →
Phase 2 deadline Nov 2026

CMMC Readiness & Advisory

Gap assessment, System Security Plan, and POA&M support for DoD supply chain manufacturers preparing for CMMC Level 2 — including Mexico’s aerospace manufacturing corridor.

What’s included

  • NIST SP 800-171 control gap assessment
  • System Security Plan (SSP) and POA&M development
  • Policy development and evidence collection support
  • Remediation roadmap prioritized by contract risk
See the CMMC page →
Ongoing

vCISO Retainer

Fractional CISO leadership for companies that need senior security guidance without the cost of a full-time hire — activating any of the frameworks above as needed.

What’s included

  • Vendor security assessment response
  • Board and leadership reporting
  • Security program strategy and roadmap
  • On-demand access for audits and incidents
Book a discovery call →

Not sure which framework you need?

A 30-minute call is enough to map your customers’ requirements to the right starting point.