Independent third-party risk practice · Dublin, Ireland

We do one thing: due diligence on suppliers, for businesses whose customers demand proof.

Every finding in our reports can be traced back to a public source, so nobody has to take the result on faith.

Mapped to:
  • ISO 27001
  • DORA
  • NIS2

The principle

Everything in the report can be traced back to where we found it.

Nothing goes into a report that cannot be walked back to its source. A customer, an auditor, or a supervisor reading an assessment can check any finding themselves, because every one of them comes from records that are publicly available.

Company registries
Ownership filings
Court and regulatory records
Breach disclosures
Public-facing infrastructure

We do not use a proprietary score and there is nothing hidden in the method. The sources are public. What you pay for is knowing where to look, what the findings mean against ISO 27001, DORA and NIS2, and which of them need attention first.

The discipline comes from the open-source investigation world, where researchers publish their methods precisely so the work can be checked. We hold ourselves to the same standard.

This is also what makes the work hold up under audit. Anyone who doubts a finding can go and check it.

Who this is for

Not every business needs this.

This is for small and mid-sized companies facing ISO 27001 certification, DORA or NIS2 obligations, or a customer who has made vendor due diligence a condition of the contract. For them, a questionnaire will not satisfy anyone, and an enterprise platform costs more than the problem justifies.

If you manage thousands of suppliers, a platform will serve you better.

If you have a handful of suppliers that matter and a customer or auditor who will look closely, you are in the right place.

What you get

One report per supplier, written so it can be checked.

Scope follows what your customers actually require, so you are not paying for work that does not apply to you. Turnaround for a single assessment is measured in days.

One report per supplier

Every finding traceable to its source and mapped to the specific controls your customer or certifier applies, whether that is ISO 27001 supplier controls, DORA, NIS2 or a combination.

A findings summary

Prioritised by risk, so you can see what needs attention first and what can wait until the next review.

A remediation roadmap

Practical actions in a sensible order, with a realistic view of what can be fixed and by when.

How a finding reads

Illustrative example

Finding 3.2

The supplier's primary customer-facing domain permits TLS 1.0 connections, a protocol deprecated since 2021 and disallowed under the supplier's own published security policy.

Source: public TLS configuration of the supplier's production domain, verifiable by anyone, and the supplier's security policy as published on their website.

Maps to

ISO 27001 A.8.21

DORA Art. 28

NIS2 Art. 21(2)(d)

Ongoing monitoring, optional

If you need the picture kept current, we re-run the checks monthly and flag anything material that has changed.

How we work

The work is done by hand.

Automated platforms exist to score thousands of suppliers at once, and they do that well. We look at a small number of suppliers closely, which is a different job.

A small senior team does the work, and your information is not passed through AI tools. This is partly about accuracy, but mainly because an AI assessor is one more third party handling your data, inside the very supply chain you are trying to get under control.

And the point of it all is not the certificate. It is knowing your suppliers well enough to keep working with them safely, which is why we treat the report as the start of a relationship rather than the end of one.

Independent by design. We sell no software, resell no platform, and answer to no vendor, so the assessment has only one customer: you.

Client data on EU infrastructure

Client data is processed on EU infrastructure and seen only by the people doing the work. We also stay available after the report is delivered, to help close the gaps it finds.

Professional grounding

The practice is led by an individual member of ISACA, the professional association for IT audit, risk and governance.

What we examine

Every area we check is in the public record.

Ownership and control
Breach and incident history
Exposed infrastructure and leaked credentials
Email security posture, including SPF, DKIM and DMARC
Published subprocessor lists: who your supplier's own suppliers are
Published GDPR enforcement and regulatory actions
Court, regulatory and insolvency records
Adverse media
Certification claims

How an engagement runs

Three steps, no surprises.

01

Scoping call

You tell us who the supplier is and what your customer or regulator is asking for. We agree what the assessment needs to cover.

02

Assessment

We work through the public record and map what we find to whichever of ISO 27001, DORA and NIS2 apply to your situation.

03

Report and walkthrough

You receive the report and we talk you through it, finding by finding. We stay available afterwards to help close the gaps it raises.

How long it takes depends on the scope, but engagements are measured in days, not months.

Common questions

The things people ask before they email.

Do you need access to our systems?

No. The assessment is built from the public record and from anything you choose to share with us. We never ask for credentials and we do not probe, scan or hack anyone's infrastructure.

Will the supplier know they are being assessed?

No. We only read what is already public, so there is nothing for the supplier to detect. Nothing we do involves intrusion or anything unlawful, so no party is put at risk by the assessment.

What do you need from us to start?

The supplier's name and the requirement you have to satisfy, whether that is a customer's contract clause, an ISO 27001 audit, or a DORA or NIS2 obligation. The scoping call covers the rest.

Where is our information processed?

On EU infrastructure, seen only by the people doing the work. We think about how your data is handled on our side with the same care we apply to your suppliers, because we would otherwise be one more exposure in your chain.

Can you help us fix what you find?

Every report comes with a remediation roadmap, and we stay available after delivery to work through it with you. We do our best to guide you, though severe findings such as an active breach may call for a specialised response team.

Contact

Talk to us.

We are here to help you improve your compliance and security. A short, direct conversation is the best place to start, and replies come from the people who do the work, not an intake team.
