Compliance & Governance
Achieve and maintain regulatory compliance without it becoming a full-time operational burden — or a programme that only functions in the weeks before an audit.
Compliance is not a project — it is an ongoing state. Organisations that treat it as one frequently face recurring audit findings, costly remediation cycles, and the expense of bringing in external help to get ready for each assessment. Astrexa builds compliance programmes that operate continuously: evidence is collected as work happens, controls are monitored rather than spot-checked, and the compliance function runs as part of normal operations rather than in parallel to them.
01
ISO 27001 Certification
We guide organisations through ISO 27001 from initial scoping and gap analysis through to certification, with a track record of clean audit outcomes. We build the Information Security Management System in a way that the organisation can maintain and operate independently — not one that requires permanent consultant involvement to sustain. Annexe A controls are implemented pragmatically, proportionate to the organisation's risk profile rather than applied uniformly regardless of relevance.
02
GDPR & Data Protection
We implement data protection programmes that meet GDPR requirements in practice, not just in documentation. This includes data flow mapping, Records of Processing Activities, subject rights management, consent infrastructure, third-party data processing agreements, and breach notification procedures. We work with your existing Data Protection Officer or provide that function where one is not yet in place.
03
Sector-Specific Regulatory Compliance
We have direct experience with regulatory requirements across financial services (FCA, MAS, APRA, PCI DSS), healthcare (HIPAA, NHS DSP Toolkit, HL7 FHIR), and government (Cyber Essentials, NIST CSF). Our programmes align controls to what regulators actually examine rather than applying generic frameworks that create compliance theatre without reducing the risk of regulatory action.
04
GRC Platform Implementation
We implement governance, risk, and compliance platforms — ServiceNow GRC, OneTrust, Vanta, Drata — that centralise evidence collection, control testing, audit management, and risk reporting. A well-implemented GRC platform dramatically reduces the time and effort required for each audit cycle, and provides continuous visibility into compliance posture rather than point-in-time snapshots.
05
Policy & Control Framework
We develop the policy frameworks and control libraries that underpin compliance programmes — written to be read and followed, not filed and forgotten. Policies are aligned to your actual operating environment and risk profile, reviewed on a defined cycle, and version-controlled with owner accountability. Control testing schedules are built into operations, not added as a pre-audit activity.
Our approach
How we deliver
Gap Analysis
Assess current state against the target framework and quantify the remediation needed.
Programme Design
Build the compliance programme structure — controls, policies, ownership, and evidence model.
Implementation
Deliver controls and documentation, integrated into normal business operations.
Certification
Support audit preparation, manage the audit process, and maintain post-certification.
Deliverables
What's included
Gap Analysis Report
Current-state assessment against target framework with prioritised remediation plan.
ISMS Documentation
Complete Information Security Management System documentation for ISO 27001.
Policy Framework
Comprehensive policy suite written for your operating environment and risk profile.
Control Library
Mapped control set with owners, testing schedule, and evidence requirements.
Audit Readiness Support
Pre-audit preparation, documentation review, and liaison with certification body.
Ongoing Compliance Monitoring
Continuous control monitoring and compliance posture reporting post-certification.
Get started
Ready to talk about Compliance & Governance?
Tell us what you're working on. We respond within one business day.