More than vendor-led security, less than a full enterprise consulting engagement. Every engagement is fixed-fee, expert-led, and scoped tight.
Fractional CISO leadership delivered on a monthly retainer. Board reporting, security governance, vendor risk reviews, compliance roadmap, and an experienced security voice in your management meetings. For SMEs that need expert security oversight without the cost of a full-time hire.
A point-in-time evaluation of your security posture against ISO 27001, NIST CSF, or PDPA. You receive an executive summary, a prioritised risk register, and a 12-month remediation roadmap. Fixed scope, fixed fee, 3-4 week delivery.
A structured path to certification against ISO 27001, SOC 2, or PCI-DSS. Gap analysis against the target standard, a prioritised remediation plan, policy and documentation support, and guidance through the certification audit itself. For SMEs whose enterprise customers or investors now require proof of certification.
Independent assessment of the security posture of your suppliers, outsourcing partners, and critical vendors. Security questionnaires, risk scoring, contractual control recommendations, and an ongoing vendor risk register. Because your security is only as strong as your weakest supplier.
Board and C-suite tabletop exercises that test executive decision-making under pressure. Custom scenario design, facilitated session, after-action report focused on governance, communications, and escalation gaps. For boards that want to know how they'll perform before it counts.
Operational tabletops for IT, SOC, and incident response teams. Multiple technical scenarios in a single session: phishing, ransomware, supply-chain compromise, cloud misconfiguration. Tests playbook execution, runbook gaps, and multi-team coordination.
External, internal, web application, or cloud penetration testing performed by certified engineers using CREST and NIST SP 800-115 methodology. You receive an executive report, a technical report, and a free retest of remediated findings within 60 days.
Pre-paid digital forensics and incident response capacity with SLA-backed response times. Monthly hours can be drawn down for proactive readiness work (log review, IR playbook updates, threat hunts) or held in reserve for incident response when you need it.
Operational Technology and ICS security: IEC 62443-aligned assessment, IT/OT segmentation review, ICS/SCADA security architecture, OT asset inventory, and security advisory for IT/OT convergence projects. For manufacturers and infrastructure operators that can't afford OT downtime.
Tell us what's keeping you up at night. We'll recommend the right starting point, even if it isn't us.
Book a free 30-minute discovery call. We'll tell you whether one of our nine service lines fits, and if it doesn't, we'll tell you what does.