Consulting Services

Corevia Advisory

Risk Assessment & Management

The Problem

A growing fintech had no formal risk process. Security decisions were reactive, budget requests lacked justification, and the board had no visibility into threats.

My Approach

Conducted stakeholder workshops to identify assets and threats. Built risk register using 5×5 scoring matrix. Established risk appetite with the board. Created automated dashboards.

Methods Used

  • Asset inventory and data flow mapping
  • Threat modelling workshops
  • Likelihood × impact scoring
  • Risk treatment planning with RACI
  • Monthly risk review cadence

Deliverables

Risk register, risk appetite statement, treatment plans, board reporting template

Policy & Procedure Development

The Problem

An SME pursuing enterprise clients had no security documentation. They were failing due diligence checks and losing deals to competitors with mature policies.

My Approach

Assessed business context and regulatory requirements. Developed proportionate policy suite aligned to ISO 27001. Created practical procedures staff could actually follow.

Methods Used

  • Gap analysis against ISO 27001 Annex A
  • Stakeholder interviews for process understanding
  • Plain-English policy drafting
  • Approval workflow design
  • Staff communication and rollout

Deliverables

Information Security Policy, Acceptable Use Policy, Incident Response Procedure, Data Classification Scheme, Access Control Policy

Compliance & Audit Support

The Problem

A SaaS company needed SOC 2 Type II but had scattered evidence, undocumented controls, and no audit experience. Their enterprise sales pipeline depended on certification.

My Approach

Mapped existing controls to Trust Service Criteria. Identified gaps and prioritised remediation. Built evidence repository with clear control descriptions. Prepared staff for auditor interviews.

Methods Used

  • Control mapping to SOC 2 TSC
  • Gap analysis with remediation roadmap
  • Evidence collection and organisation
  • Control description documentation
  • Mock audit walkthroughs

Deliverables

Control matrix, evidence repository, Statement of Applicability, remediation tracker, audit preparation guide

Security Awareness Programme

The Problem

Organisation had 28% phishing click rate after a near-miss incident. Staff saw security as IT's problem. No formal training existed beyond annual compliance tick-box.

My Approach

Designed engaging programme with monthly themes. Introduced phishing simulations with progressive difficulty. Created positive reporting culture rather than blame.

Methods Used

  • Baseline phishing simulation
  • Role-based training modules
  • Monthly awareness campaigns
  • Gamified reporting incentives
  • Metrics tracking and reporting

Deliverables

Training curriculum, phishing simulation programme, awareness materials, metrics dashboard

Vendor Risk Management

The Problem

Company used 40+ SaaS tools with no oversight. A supplier breach exposed customer data. No one knew which vendors had access to what, or their security posture.

My Approach

Inventoried all vendors and classified by data access. Developed tiered assessment approach. Created ongoing monitoring process and contract security requirements.

Methods Used

  • Vendor inventory and data mapping
  • Risk tiering (Critical/High/Medium/Low)
  • Security questionnaire programme
  • Contract clause templates
  • Annual reassessment schedule

Deliverables

Vendor register, risk assessment questionnaire, contract security addendum, monitoring checklist

Security Questionnaire Response

The Problem

Sales team spending 2+ weeks on each enterprise security questionnaire. Responses inconsistent, evidence hard to find, and deals stalling in procurement.

My Approach

Analysed common questions across SIG, CAIQ, and custom questionnaires. Built response library with pre-approved answers and linked evidence. Trained sales on self-service.

Methods Used

  • Question pattern analysis
  • Response library development
  • Evidence repository linking
  • Sales enablement training
  • Continuous improvement process

Deliverables

Response library (200+ answers), evidence repository, questionnaire playbook, sales training materials

Approach

  1. Discovery — Understanding your organisation's context and objectives
  2. Assessment — Evaluating current state against frameworks
  3. Strategy — Developing tailored recommendations
  4. Delivery — Providing practical, actionable deliverables

Interested in GRC consulting services? Get in touch to discuss your requirements.
