Mission Overview
We are seeking consulting support to guide Swift's internal team through the unification of existing compliance frameworks under a centralized ISO 27001-aligned Information Security Management System (ISMS). The objective is to streamline and integrate multiple regulatory and certification requirements into a cohesive, scalable compliance program.
Frameworks in Scope
ISO 27001 — Foundation of the unified ISMS (policies being consolidated)
ISO 9001 — Compliant
ISO 42001 — Alignment with EU AI Act
GDPR — Compliant (+ country-specific addendums like BDSG Germany)
Cyber Essentials Plus — Compliant
SOC 2 — Compliant for Cloud Services (certificate expiring end of March, audit pushed during policy unification)
EU Cyber Resilience Act (CRA) — Custom framework for mapping and tracking required controls
EU Data Act — Controls to be added within CRA framework
Key Responsibilities
Expert guidance on ISO 27001 implementation and integration with all targeted frameworks
Strategic and legal advisory for GDPR alignment and country-specific addendums (e.g., BDSG in Germany)
Practical interpretation and roadmap development for upcoming EU regulations (CRA, Data Act, AI Act)
Support for mapping and optimizing controls within the Drata GRC platform, including cross-framework alignment
Gap assessments, policy and control reviews, QA oversight of internal implementation
Audit readiness and external certification preparation
Vendor Management: onboarding and vetting several hundred vendors through a formal procurement and risk assessment process (due diligence, risk classification, documentation, ISMS/GRC integration into Drata)
Operational Playbook Development: collaborating with internal teams to develop consistent, actionable playbooks aligned with unified compliance policies and technical runbooks
Client Context
Global business operations — compliance needed across all regions
GRC platform: Drata (consultants may connect via SSO with additional security controls)
Internal team: 5-10 people (currently 2 leads with management support)
Solid compliance footing achieved by separate groups; now unifying under single ISMS
Two primary focuses: ISO 27001 as foundation + EU CRA compliance
FY26 starts April 1st — budget finalization in progress, leadership pushing to start immediately
Required Skills & Experience
ISO 27001 Lead Implementer/Auditor certification
Multi-framework compliance unification experience (ISO 27001, SOC 2, GDPR, CRA, etc.)
GRC platform experience (Drata preferred, similar platforms acceptable)
GDPR expertise with international regulatory scope
Knowledge of EU Cyber Resilience Act, Data Act, AI Act (ISO 42001)
Vendor/third-party risk management and assessment at scale
Operational playbook and policy development skills
Strong communication skills for executive reporting and cross-functional collaboration
Engagement Model
The client anticipates leading the majority of the implementation internally and is looking for a consulting partner to provide expert guidance, gap assessments, policy reviews, QA oversight, and direct support for vendor onboarding and playbook development. Pricing structures under consideration: fixed-fee, time-and-materials, or retainer options.