How We Run Engagements.
Every engagement follows the same structure. Fixed scope. Defined deliverables. Async-first. Here is exactly what happens from your first email to final handover.
Before the Engagement Starts.
- We review your situation — team size, cloud setup, data types, and compliance trigger. No pitch. Pure qualification.
- We send a written proposal with the exact scope and deliverable list. You know what you receive before signing.
- Onboarding pack shared. Collaboration platform agreed. First async request issued within 3 business days.
Example Engagement Walk-Through.
A complete view of a Foundation package — how phases, activities, and deliverables sequence in practice.
Minimal Calls. Maximum Output.
Each engagement has a defined maximum number of calls — set in the proposal and never exceeded. Everything else is handled asynchronously. Structured requests. 48-hour client response window. No recurring stand-ups. No weekly check-ins.
- No recurring calendar blocks for your team
- Structured async requests — we never ask the same question twice
- Every call has a pre-shared agenda and a post-call summary
- Timelines extend proportionally if client inputs are delayed
All Packages at a Glance.
| Service | Package | What it covers |
|---|---|---|
| ISO 27001 Readiness | Foundation | Gap assessment, ISMS scope, risk register, Statement of Applicability (SoA), and 10–12 essential policies |
| ISO 27001 Readiness | Growth | Everything in Foundation plus 20–25 policies, risk treatment plan, and evidence tracker |
| ISO 27001 Readiness | Audit-Ready | Everything in Growth plus full documentation, audit-mapped evidence tracker, and internal pre-audit review |
| Internal Audit | Pre-Certification Audit | Full ISMS audit with findings report (Major/Minor/OFI) and corrective action tracker |
| Internal Audit | Annual Program | Risk-based annual audit coverage, quarterly cycles, annual report, and closure validation |
| TPRM | Starter | Vendor inventory, basic tiering, standard questionnaire, risk scoring, and summary report |
| TPRM | Growth | Formal tiering model, risk-tiered questionnaires, structured scoring, heatmap, and executive summary |
| TPRM | Program | Full tiering framework, deep-dive evidence review, weighted scoring, quarterly follow-up, and annual governance presentation |
| Security Awareness | Foundation | Core awareness session, knowledge quiz, completion report, and ISO-ready participation evidence |
| Security Awareness | Role-Based | Role-specific modules for all employees, developers, HR/finance, and leadership — with optional phishing simulation |
| Security Awareness | Continuous Program | Quarterly micro-learning, 2–4 annual phishing simulations, phishing rate tracking, and board-ready annual report |
What We Deliver. What We Don't.
What we deliver:
- Editable Word/Excel artefacts
- Customised policies for your environment
- A named risk per line in your register
- A practical implementation roadmap
- An SoA with justified inclusions
- Clear handover with written next-step briefing
What we don't deliver:
- Locked PDFs with no operational value
- Generic templates with your name pasted in
- Generic risk categories with no ownership
- Theoretical frameworks with no next steps
- A blank SoA for you to fill in
- Open-ended engagements that never close
After Handover, You Own Everything.
- Editable formats: all deliverables in Microsoft Word and Excel.
- Usage licence: full licence for every customised artefact. Nexbridge retains methodology IP.
- Clear next steps: every engagement closes with a written briefing on what to do next.