
Boutique GRC Advisory for India's High-Growth Technology Companies.

Fixed-scope. Founder-led. Async-first. ISO 27001, TPRM, and Security Awareness — built to withstand scrutiny.

Serving B2B SaaS, Fintech, and Healthtech startups · India HQ · Remote-first delivery

Annex A · Coverage Map (illustrative)

ISO 27001:2022 has 93 Annex A controls across 4 domains. A live engagement maps every one, marking each control as Met, Partial, or Gap, and tracks the policies produced and the resulting coverage.
Compliance Terrain

One ISMS. Many Regulatory Edges.

We build your ISO 27001 core as the backbone — and map it out to the frameworks and regulators your customers and auditors actually ask about.

ISO 27001:2022 Core · Backbone

Regulatory Framework

DPDP Act, 2023

India's digital personal data protection law. We map ISO 27001 Annex A controls — governance, access, encryption, breach response — to DPDPA obligations so you can evidence compliance without rebuilding anything.

Primary Overlap
Annex A.5.33, 5.34, 6.3
Typical Trigger
Customer contract · regulator notice
Engagement Rhythm

From First Email to Final Handover.

Scroll through the rhythm of a typical engagement.

01 · INTAKE

Fit Call

15–45 minutes. We review scope, stage, compliance trigger, and whether our model is the right fit. No pitch. No obligation.

Artefacts: intake_form.pdf · scope_notes.md
02 · PROPOSAL

Written Proposal

A fixed-scope proposal issued in writing within 3 business days. Deliverables, timeline, and call count all named up front.

Artefacts: proposal_v1.pdf · deliverable_list.xlsx
03 · KICKOFF

Onboarding & First Request

Onboarding pack shared. Collaboration space confirmed. First async request issued — and we never ask the same question twice.

Artefacts: onboarding_pack.pdf · evidence_request_1.xlsx
04 · DISCOVERY

Gap Assessment & Risk Register

Structured findings mapped to ISO 27001:2022 clauses. Risks captured with likelihood, impact, and named owners.

Artefacts: gap_assessment.docx · risk_register.xlsx
05 · BUILD

Policies & SoA

Customised policies drafted to your environment. Statement of Applicability built with justified inclusions and exclusions.

Artefacts: policy_suite.zip · statement_of_applicability.xlsx
06 · HANDOVER

Closeout & Next Steps

Editable deliverables, usage licence, and a written next-steps briefing. You own the artefacts. We hand over cleanly.

Artefacts: handover_brief.pdf · usage_licence.pdf
What We Do

Four Practice Areas. Eleven Packages. One Delivery Standard.

ISO 27001:2022 Documentation & Readiness

A Nexbridge GRC Advisory Service

Structured readiness programs for startups preparing for first certification or formalising security governance.

Foundation
Gap assessment, ISMS scope definition, risk assessment workshop, risk register, Statement of Applicability, and 10–12 essential policies.
Growth
Everything in Foundation, plus 20–25 policies, a detailed risk treatment plan, evidence tracker, and a readiness review session.
Audit-Ready
Everything in Growth, plus full documentation (30+ policies), an audit-mapped evidence tracker, internal pre-audit review, and certification readiness checklist.

ISO 27001:2022 Internal Audit

A Nexbridge GRC Advisory Service

Independent internal audit aligned to ISO/IEC 27001:2022 — before certification or annually post-certification.

Pre-Certification Audit
Audit plan, document review, remote evidence verification, stakeholder interviews, findings report (Major/Minor/OFI), and corrective action tracker.
Annual Internal Audit Program
Annual audit planning, risk-based control sampling, rotational ISMS coverage, evidence review, stakeholder interviews, annual audit report, corrective action tracker, closure validation, and management briefing.

Third-Party Risk Management (TPRM)

A Nexbridge GRC Advisory Service

Structured vendor security assessments for fintech, SaaS, and healthcare companies handling sensitive data.

Starter
Vendor inventory, basic tiering, standard security questionnaire, limited evidence review, risk scoring, vendor risk summary report, and remediation tracker.
Growth
Formal vendor tiering model, risk-tiered questionnaires, evidence-based review for critical vendors, structured scoring methodology, risk heatmap summary, remediation tracker, and executive summary report.
Program
Full vendor tiering framework, risk-based assessment of critical and high-risk vendors, evidence deep-dive, weighted scoring model, quarterly remediation follow-up, annual vendor risk summary, and governance review presentation.

Security Awareness Training

A Nexbridge GRC Advisory Service

Practical security awareness programs for SaaS, fintech, and healthcare teams — remote-first, measurable outcomes, not checkbox training.

Foundation
Core awareness session covering security fundamentals, phishing awareness, data handling basics, and incident reporting — with knowledge quiz, completion report, and ISO-ready participation evidence.
Role-Based
Foundation session for all employees, plus role-specific modules for developers, HR & finance, and leadership — with role-specific quizzes and optional phishing simulation.
Continuous Awareness Program
Training calendar design, quarterly micro-learning modules, 2–4 annual phishing simulations, phishing rate tracking, refresher training for repeat clickers, completion tracking, quarterly risk summary, and annual board-ready management report.

All engagements are fixed-scope and deliverable-driven. Scope confirmed in writing before signing. No retainers, no surprises.

Shape Your Engagement

Tell Us Your Situation. We'll Show You the Fit.

A simple mapping from your stage and trigger to the Nexbridge package that actually fits. Not a calculator. A conversation starter.

  1. Company Stage
  2. What's driving this?
  3. Docs & evidence today
  4. Horizon
Recommended Engagement
ISO 27001 · Foundation
Readiness package — for first-time ISO teams

A clean, fixed-scope readiness build. Gap assessment, ISMS scope, risk register, Statement of Applicability, and 10–12 essential policies — customised to your environment.

You'll walk away with
  • Gap Assessment Report mapped to ISO 27001:2022 clauses
  • ISMS Scope Document
  • Risk Register with named owners
  • Statement of Applicability with justifications
  • 10–12 customised essential policies
What You Receive

Every Engagement Ships Auditable Artefacts.

Not presentations. Not advice. Structured, editable documents your team can own and your auditors can rely on.

ISO 27001 Gap Assessment Report
Structured findings mapped to ISO 27001:2022 clauses — gaps, priorities, and remediation inputs.
Word · PDF
Risk Register
Risk inventory with likelihood, impact, treatment approach, and named owners.
Excel
Statement of Applicability
Full Annex A control selection with inclusion/exclusion justification.
Excel
Information Security Policy Suite
10–30 essential ISO-aligned policies, customised to your environment.
Word
Vendor Risk Assessment Report
Third-party risk scorecard — gaps, scores, and treatment recommendations per vendor.
Word · Excel
Internal Audit Findings Report
Major/Minor/OFI findings with corrective action tracker and closure validation.
PDF · Excel
Nexbridge retains methodology and templates as proprietary IP. Every client receives a fully customised, usage-licensed version — not a shared template.
Who We Are

Founder-Led Means the Person You Hire Is the Person Who Delivers.

Nexbridge GRC Advisory is a founder-led, remote-first GRC practice. We are not a large firm. Every engagement is delivered directly by the founding team — not subcontracted, not delegated to a junior consultant. We bring hands-on experience across ISO 27001:2022 implementation, PCI DSS auditing, TPRM, and DPDPA readiness to every project we take on.

Fixed Scope, Every Time

Deliverables, scope, and timeline confirmed in writing before signing. No scope creep. No surprises.

Remote-First, Async-Driven

Minimal calls. Structured requests. Maximum output. Designed to demand as little of your time as possible.

"We do not run open-ended retainers. We do not subcontract your engagement. Every deliverable is produced by the founding team — that is the commitment."

— Nexbridge GRC Advisory
Scope Boundaries

Honest About What We Don't Cover.

We Do
  • Fixed-scope, deliverable-driven engagements
  • Prepare you to be audit-ready
  • Customised governance documentation
  • Independent internal audits
  • TPRM assessments and vendor risk scorecards
  • Security awareness with measurable outcomes
We Don't
  • Open-ended retainers without defined scope
  • Guarantee ISO certification
  • Implement technical security controls
  • Act as outsourced CISO
  • Provide legal advisory services
  • Host LMS platforms or run automated scanning tools
Frequently Asked

Questions We Get Asked.

  • No. Certification is granted by accredited certification bodies. We prepare you to be audit-ready — that is what we control.
  • Founder-led delivery, remote-first model, fixed scope, and minimal meeting overhead. You pay for outcomes, not hours.
  • Yes. We start with a gap review and adapt scope accordingly.
  • We work with your existing stack — Google Drive, Notion, Jira, Excel. No forced tool adoption.
  • Delays caused by client-side evidence gaps extend the timeline proportionally. Scope changes are handled via a written change order.
  • Yes, via scoped add-ons and compliance mapping workshops for RBI, IRDAI, and DPDP Act requirements.
  • Yes. We use a partner model for VAPT where required.
Get Started

Book a 15-Minute Fit Call.

Tell us about your situation. We'll assess scope and whether our model fits your stage. No obligation. Clear next steps.

We reply within 2 business days. Your details stay with the founding team.