03 / 06Compliance

OC 2, ISO 27001, and PCI DSS

Readiness programmes for regulated Canadian environments, mapped to the controls auditors actually check.

  • ISO 27001 Lead Auditor
  • SOC 2 Type II
  • Bill C-26 Aware
// THE WORK

Three pillars. One operator.

One team designs the controls, builds them, and packs the evidence your auditor reads.

  1. 1

    SOC 2 readiness

    We build SOC 2 Type II programmes across all five trust criteria, then evidence every control.

    to audit-ready
    12 wk
  2. 2

    ISO 27001

    We stand up your ISMS, close Annex A gaps, and prepare you for the certification audit.

    controls evidenced
    100%
  3. 3

    PCI DSS

    PCI DSS We scope your cardholder data environment, close v4.0.1 gaps, and get you QSA-ready.

    to QSA-ready
    3 to 4 wk
// THE PROOF

Audit-ready. Evidence-first.

A passing programme isn't a binder of policies, it's live controls with evidence mapped to every requirement.

// BY THE NUMBERS

Real engagement numbers.

Across regulated Canadian environments.

  1. SME-COMP-SOC2

    12 wk

    Median time to audit-ready

  2. SME-COMP-CTRL

    100%

    Controls evidenced at audit

  3. SME-COMP-C26

    3 to 4 wk

    Bill C-26 readiness check

// IN PRODUCTION

Auditors leave with answers, not findings.

The architecture itself is the evidence. We assemble the binder the way the auditor reads it, so fieldwork becomes a walk through answers already in hand rather than a treasure hunt.

SMEnode · Engineering principle
  • ISO 27001 Lead Auditor
  • SOC 2 Type II
  • Bill C-26 Aware
  • Canadian Data Resident
// THE DEEP DIVE

Compliance, made operational.

The long-form context behind the work. Written by the engineer who runs the engagement, not a marketing team.

What readiness means.

Compliance readiness is the gap between your current operating reality and the controls an auditor will accept as evidence. SMEnode delivers the matrix that names every control, its current state, the remediation owner, and the date by which it lands. SOC 2 Type II, ISO 27001, and Bill C-26 each have their own evidence shape, and we work to the shape your auditor expects.

The build side, not the judge.

Audit firms judge. They cannot also build the controls they will judge, that is the independence rule. SMEnode is the build side. We close the gaps, prepare the evidence packs, and walk your auditor through the rationale on day one. The auditor still passes or fails you, but they arrive with a binder rather than a treasure hunt.

Who Bill C-26 touches.

The Critical Cyber Systems Protection Act (CCSPA), once in force, designates four sectors: federally regulated telecom, finance, energy, and transportation. If your operating company or your subsidiary falls inside those sectors, expect mandatory incident reporting, designated operator obligations, and minimum control baselines. Even adjacent vendors will face pass-through requirements through customer contracts.
Control checklist
// THE METHOD

How a readiness programme runs.

Evidence-first, mapped to the controls your auditor actually checks, with no paperwork theatre. We are the build side, not the judge, so we close the gaps and assemble the evidence the way the auditor reads it. Each step below moves you from current state toward a binder that passes. SOC 2, ISO 27001, and Bill C-26 each have their own evidence shape, and we work to the one your specific auditor expects.

  1. Step 01

    Scope and gap report

    We name every in-scope control, its current state, and the evidence shape your framework demands. SOC 2, ISO 27001, and Bill C-26 each get the binder their auditor expects.

  2. Step 02

    Sequenced remediation

    A remediation plan with named owners and dates. We close the gaps that block the audit first, then the ones that make the next surveillance uneventful.

  3. Step 03

    Evidence packs

    Control evidence assembled the way the auditor reads it, not a treasure hunt. Policies, logs, and screenshots mapped one-to-one against the control matrix.

  4. Step 04

    Walk the auditor through

    We sit in on day one, walk the rationale, and stay on call through fieldwork. The auditor still passes or fails you. They just arrive with answers in hand.

// QUESTIONS

Compliance questions, answered straight.

The questions we hear before a first readiness call. Every answer is written by the lead auditor who runs the programme.

No, and that is deliberate. Audit firms judge; they cannot independently build the controls they judge. We are the build side. We close the gaps, prepare the evidence packs, and walk your auditor through the rationale. The auditor still passes or fails you, keeping the independence rule intact.

Median time to audit-ready runs about twelve weeks, depending on how many controls already have evidence. We scope every in-scope control, name its current state and remediation owner, then close gaps in sequence. By the time the auditor arrives, the binder is built rather than a treasure hunt.

The Critical Cyber Systems Protection Act designates four sectors: federally regulated telecom, finance, energy, and transportation. Operators in those sectors face mandatory incident reporting and minimum control baselines. Adjacent vendors often inherit pass-through requirements through customer contracts. A readiness check runs three to four weeks.

Yes. We scope the ISMS, build the Annex A controls, and run the internal audit so the next surveillance is uneventful. SOC 2, ISO 27001, and Bill C-26 each have a different evidence shape, and we work to the shape your specific auditor expects rather than a generic template.

A control matrix mapped one-to-one against the framework, evidence packs assembled the way the auditor reads them, and a sequenced remediation record. You also get us on call through fieldwork. The deliverable is an audit that passes, not a shelf of documents nobody opens again.

LET'S CONNECT

A senior engineer replies within an hour, 24/7.