Services
Independent risk assurance and decision support for NHS organisations, public bodies, and organisations operating in regulated and accountability-driven environments.
Assurance Services
Independent assurance on NHS data access risk and pre-procurement risk opinions for accountable decision makers.
Grant & Innovation Assurance
Assurance on publicly funded innovation risk aligned to Managing Public Money principles.
Information Security, GDPR & AI Risk
Applied assurance on whether data protection and AI governance risk is defensible in practice.
Assurance Services
Independent assurance and defensible risk opinions for NHS data access, procurement decisions, and data sharing arrangements.
NHS Data Security & Risk Assurance Review
Scope:
Independent assurance on whether an organisation is genuinely safe and appropriate to access NHS data. This is not a DSPT submission service — it is a defensible risk opinion for decision makers responsible for NHS data access and sharing arrangements.
What you get:
- Assessment against NHS DSPT assertions and evidence expectations
- Review of UK GDPR Article 32 (security of processing)
- Evaluation of ISO/IEC 27001 controls where claimed or referenced
- Identification of residual risks where organisations technically pass but remain high risk
- Clear decision framing: proceed / proceed with conditions / do not proceed
Deliverables:
Board-level assurance report, clear statement of residual risk and accountability — suitable for procurement, data sharing, or partnership decisions
Pre-Procurement & Pre-Data Access Risk Assessment
Scope:
A focused, independent risk opinion provided before procurement, onboarding, or data sharing takes place. Decision support for senior responsible owners who need to know whether a supplier or partner poses material risk before access is granted.
What you get:
- Rapid review of supplier security and data governance posture
- Assessment of governance maturity, control ownership, and risk management
- Translation of technical and compliance signals into decision-relevant risk
Deliverables:
Written risk opinion for decision makers, clear articulation of material risks and mitigating factors — suitable for audit trails and assurance committees
Grant & Innovation Assurance
Independent assurance on whether innovation risk is proportionate and defensible — aligned to Managing Public Money principles and public sector accountability expectations.
Managing Public Money - Innovation Risk Assurance
Scope:
Independent assurance on whether innovation risk is proportionate, defensible, and aligned with Managing Public Money principles. For accounting officers and senior sponsors who must be able to justify continued funding or adoption to scrutiny bodies.
What you get:
- Review of governance, risk ownership, and control environment
- Assessment of proportionality, value for money, and tolerance of failure
- Identification of systemic weaknesses that drive delivery failure
Deliverables:
Assurance report suitable for accounting officer decisions, clear view on whether continued funding or adoption is defensible, risk narrative aligned to public sector accountability expectations
Grant Funded Digital & AI Project Governance Review
Scope:
Independent governance and delivery risk review for grant funded digital, data, or AI-enabled projects. Assesses whether delivery governance is robust enough to protect the funder and the programme from accountability risk.
What you get:
- Review of delivery governance and control environment
- DPIA and data risk defensibility review (where applicable)
- Assessment of accountability, escalation, and assurance mechanisms
Deliverables:
Governance and risk assurance report, identification of material risks to delivery or funding continuation — suitable for funding extensions or portfolio assurance
Information Security, GDPR & AI Risk
Applied assurance focused on the practical defensibility of data protection and AI governance risk.
GDPR Risk Defensibility Assessment
Scope:
Applied GDPR assurance focused on whether data protection risk is defensible in practice — not whether processes exist on paper. Provides decision makers with an independent view of whether processing arrangements could withstand regulatory or public scrutiny.
What you get:
- Review of accountability and security of processing (Article 32)
- DPIA critique for high-risk or innovative processing
- Consideration of public sector interpretation and scrutiny
Deliverables:
Written GDPR risk defensibility opinion, clear articulation of residual risk and decision implications — explicitly separated from legal advice
AI & Emerging Technology Governance Assessment
Scope:
Independent assessment of governance, accountability, and risk for AI-enabled or emerging technology services in regulated environments. Provides a clear view on whether deployment risk is acceptable and defensible for the decision makers who must sign off adoption.
What you get:
- Review of accountability for automated or AI-supported decision making
- DPIA and governance arrangements for AI-enabled services
- Assessment of readiness against NHS and public sector expectations
Deliverables:
AI governance and risk assessment report, clear view on whether deployment risk is acceptable and defensible, practical decision support for senior stakeholders
ISO 27001 Assurance
Independent evaluation of whether ISO/IEC 27001 controls are meaningful enough to rely on — not whether the paperwork exists.
ISO/IEC 27001 Control Reality Assessment
Scope:
Independent evaluation of whether ISO/IEC 27001 controls and governance are meaningful in practice. Assesses whether certification or "ISO ready" claims would withstand scrutiny from a procurement body, funder, or assurance committee — not whether documentation is in place.
What you get:
- Review of risk register quality and Statements of Applicability
- Assessment of leadership ownership and governance effectiveness
- Evaluation of whether certification or "ISO ready" claims would withstand scrutiny
Deliverables:
Independent ISO-aligned assurance report, clear opinion on the credibility of the control environment — suitable for procurement, funding, or partnership decisions
Entry Point
Not sure whether formal assurance is required? Start here.
Paid Scoping & Risk Diagnostic
Scope:
A structured, paid diagnostic to determine whether formal assurance is required and at what level. Provides clarity before committing to a full assurance engagement.
What you get:
- Structured risk discussion
- High-level, framework-based review of current position
- Clear recommendation on whether and how to proceed
Deliverables:
Short written summary with a clear go / no-go recommendation for further assurance
