GRC — Recurring Service · NEW

Continuous Compliance Subscription

Once you're certified to ISO 27001, ADHICS, NESA, or PDPL, the real work begins: keeping the certificate. We make that effortless — quarterly internal audits, maintained evidence repository, audit attendance, monthly readiness dashboard.

AED 4,000 – 8,000 / month · ISO 27001 LA-led · 12-month minimum · cancel anytime after
Book a 20-min scoping call →

What it is

An ISO 27001 (or ADHICS, NESA, PDPL) certificate is a snapshot. The day after the audit, the work that actually keeps you certified begins — internal audits, control monitoring, evidence collection, vendor reviews, corrective-action tracking, management reviews. Most SMEs underestimate this and spend the next 11 months drifting toward a panicked surveillance-audit week.

Continuous Compliance Subscription is an outsourced ISMS-maintenance function, led by an ISO 27001 Lead Auditor. We run the quarterly internal audits, keep your evidence repository current, monitor your controls, and sit with you when the certification body comes back for surveillance. Fixed monthly fee. No hourly billing. No surprises.

This is the same function a full-time ISMS Manager would perform — without the AED 250k+/year salary line.

What this is not

Not a path to certification. If you aren't already certified, start with our ISO 27001 Implementation engagement — this subscription begins after Stage 2.
Not the certification audit itself. The certificate is issued by an accredited certification body. We never combine implementer and auditor — ISO/IEC 17021 prohibits it, and so do we.
Not unlimited consulting hours. Up to 4 senior-consultant hours per month is included; beyond that we agree scope and quote separately.
Not a penetration-test or training plan. Annex A 8.8 pen tests and awareness training are separate engagements (subscribers get priority scheduling).

Who this is for

You're probably here because one of these is true:

1. You recently passed an ISO 27001, ADHICS, NESA, or PDPL audit and need to keep the program alive without hiring an ISMS Manager.
2. You're an SME (under 200 employees) without a full-time ISMS Manager or DPO, and the founder is currently doing it on weekends.
3. Your last surveillance audit raised non-conformities and you need a structured cadence to prevent a repeat.
4. You operate multiple frameworks in parallel (e.g., ISO 27001 + ADHICS + PDPL) and need a unified maintenance program.
5. Your team passed certification with consultancy help and now realises nobody internally owns the evidence pack.

What you get every month

  • Up to 4 hours of senior consultant time — ISO 27001 Lead Auditor on every engagement.
  • Maintained evidence repository — controls, logs, attestations, vendor reviews kept current as your environment changes. No more last-minute screenshot hunts.
  • Monthly compliance dashboard — 1-page report covering posture, open risks, corrective actions, upcoming surveillance dates.
  • Slack / Teams channel for ad-hoc compliance questions — same-day response on weekdays.
  • Quarterly internal audits — mini-audit every 90 days against your applicable framework, with finding log + remediation tracking.
  • Audit attendance — when your accredited certification body comes for surveillance, we sit in the room with you.
  • Priority scheduling on penetration tests, training, and other engagements with the same named lead — continuity, not lottery.

How we deliver

01 · Onboarding workshop (Week 1)
2-hour kickoff. Inventory current evidence repository, ISMS scope, last audit findings, applicable frameworks, escalation contacts. Provision Slack/Teams channel.

02 · Baseline health-check (Weeks 2 – 3)
Mini-audit against your current framework. Identify drift since last surveillance. Establish remediation backlog and 90-day cadence.

03 · Monthly check-in + dashboard (Recurring)
60-minute call, evidence review, dashboard delivered, action items confirmed. Ad-hoc Slack questions answered same-day on weekdays.

04 · Quarterly internal audit (Every 90 days)
Sample-based control review, findings logged, corrective actions assigned with due dates. Independent of self-attestation.

05 · Annual management review (Month 11)
Pre-surveillance dry-run, management-review minutes prepared, risk register refreshed, scope statement validated. Surveillance audit attended in person or remote.

Cycle: 12-month rolling, renewing automatically unless cancelled with 30 days' notice. SLAs in writing.

Pricing — three tiers

Lite

AED 4,000/month

Single framework (ISO 27001 OR ADHICS OR PDPL), up to 50 employees.

Pro

AED 8,000/month

Multi-framework (e.g., ISO 27001 + ADHICS + PDPL), up to 200 employees, plus quarterly risk-register update.

What drives the tier choice

  • Number of frameworks under maintenance
  • Headcount in scope (more users = more access reviews + evidence)
  • Multi-site vs. single-site ISMS scope
  • Vendor-risk register volume (third-party reviews)
  • Sector-specific requirements (e.g., healthcare's ADHICS v2 cadence)

Commercial terms

  • Billing: Monthly in advance
  • Minimum term: 12 months
  • After minimum: Cancel anytime with 30 days' notice
  • Tier upgrade: Pro-rated, takes effect next billing cycle
  • Quote validity: 30 days
  • No surprise charges. Hours over 4/month require written approval.

Your cert-backed lead

Every subscription is led personally by an ISO 27001 Lead Auditor — never delegated to a junior or outsourced offshore.

ISMS Lead — ISO 27001 Lead Auditor

Manoj Prabhakaran

ISO 27001 Lead Auditor · GRC Mastery · CPTS · CDSA · Security+ · Azure Cloud Security

Focus: Quarterly internal audits, evidence-pack curation, surveillance-audit attendance, management-review preparation, multi-framework mapping (ISO 27001 + ADHICS + PDPL).


Frequently asked questions

Do we still need our own ISMS Manager?

For larger organisations (200+ employees), yes: we complement your ISMS Manager rather than replace them. For organisations under 50 employees, we typically suffice as your outsourced ISMS function.

What happens if we fail a surveillance audit?

We don't let that happen — quarterly internal audits ensure no surprises. If a non-conformity arises during a real audit, remediation guidance is included at no extra cost.

Can we cancel?

After the 12-month minimum, you can cancel with 30 days' notice. Before then, only with cause (e.g., we fail to deliver against the SLA).

What's NOT included?

New certification work, scope extensions to new frameworks, penetration tests, and training engagements are separate at standard rates — though subscribers receive priority scheduling on all of those.

Which frameworks do you cover?

ISO 27001:2022, ADHICS v2 (UAE healthcare), NESA / UAE IA V2, UAE PDPL, and Dubai ISR v2. Other frameworks (PCI DSS, NIST CSF, SOC 2) on request — we'll quote separately if your subscription needs to span them.

How is this different from hiring a part-time consultant?

A consultant gives you billable hours; we give you outcomes — a maintained evidence repository, monthly dashboard, quarterly internal audits, and audit attendance, against a fixed fee. You don't track time; you track readiness.

Do you become the auditor too?

No — never. We are the implementer / maintainer. The certificate is issued by an accredited certification body (DNV, BSI, BV, Intertek, TÜV — your choice). ISO/IEC 17021 prohibits combining the roles, and we keep that line absolute.

Already certified? Don't let it lapse.

Book a 20-minute scoping call. We'll review your current evidence repository, surface any drift, and give you a written quote within 48 hours.

Book a 20-min scoping call →