SERVICES

What we do at Arclight.

Every engagement is led personally by Anthony Addison. No account managers. No junior consultants. Direct access to a CISSP-certified practitioner with 15+ years in GRC, compliance, and security leadership.

01 — GRC PROGRAM DESIGN

Build the program right the first time.

Most compliance programs are built reactively. Controls get added when auditors flag gaps, policies get written the week before a review, and risk registers collect dust. Arclight builds programs designed to hold up — from the first assessment through the next three years of growth.

We start with a current-state assessment mapped against your chosen framework (NIST CSF, ISO 27001, SOC 2, or custom), identify control gaps with risk-ranked findings, and build the policy suite, control library, and evidence architecture your program needs.

What’s included:

  • Current-state gap assessment
  • Framework mapping (NIST, ISO, SOC 2)
  • Policy and procedure library
  • Control implementation roadmap
  • Risk register + scoring model
  • Board-ready reporting templates

02 — SOC 2 READINESS

Audit-ready without the agency overhead.

SOC 2 is not a checkbox. Companies that treat it as one end up with reports full of exceptions, evidence that doesn’t hold up to scrutiny, and auditors who come back the next year with longer finding lists. We build for the long run: controls that are implemented correctly, evidence that is collected consistently, and narratives that reflect how your environment actually operates.

SOC 2 milestones:

  • Scope definition + TSC selection
  • Gap assessment against AICPA criteria
  • Control buildout + evidence templates
  • Type I or Type II readiness
  • Auditor selection + liaison
  • Post-audit remediation support

Not sure which service you need?

Book a free 30-minute call. We’ll scope your situation and tell you exactly what your program needs.