Services

Five practices. One programme.

Engagements are scoped to your environment and risk profile. We can run a single assessment, a focused project, or act as your ongoing security partner. Below is the full picture of what we do across the five practices.

Practice · 01

IT Security

Build and maintain infrastructure where security is designed in — not retrofitted after an incident.

Secure IT Architecture

Network segmentation, identity and access design, secure cloud landing zones, and architecture review for new or changing systems.

Security Hardening

Bringing servers, endpoints, network devices and cloud workloads up to recognised baselines (CIS Benchmarks, vendor guidance) without breaking what works.

Scope: Server & endpoint hardening · network device & firewall configuration review · cloud workload hardening

Web Application Security

Review and remediation guidance covering authentication, session handling, secure coding and OWASP Top 10 exposure.

Scope: External (internet-facing) applications · internal applications

Cloud Security Assessment

Technical review of cloud deployments and configurations against provider and industry best practice.

Practice · 02

Risk Management

Understand what's worth protecting, what threatens it, and what to do first.

Risk Assessments & Management

Structured assessment of information assets, threats and controls, producing a prioritised, business-aware risk register and treatment plan.

Vulnerability Management

Build or refine a continuous discover-triage-remediate process across infrastructure and applications.

Scope: Programme gap assessment · programme build / refinement · ongoing managed vulnerability management

Business Continuity & Disaster Recovery

BCP and DR plans grounded in real recovery objectives and validated through tabletop exercises.

InfoSec Policies & Procedures

Policy frameworks staff understand and procedures operations can follow, aligned to applicable laws and standards.

Scope: Policy & procedure creation · policy audit against standards

Gap Analysis

Benchmark current state against a target framework with a roadmap to close each gap.

Scope: ISO/IEC 27001 · NIST CSF / SP 800-53 Rev. 5 · CIS Controls · GDPR · DORA · NIS2

Security Training

Awareness for staff, technical depth for IT and developers, executive briefings for leadership. Tailored content, not off-the-shelf slides.

Practice · 03

Adversary Simulation

Real validation — we show you how attackers could breach your systems, in a controlled way, before someone else does.

Attack Simulation & Penetration Testing

Goal-based offensive exercises that discover and manually validate vulnerabilities, then exploit them to demonstrate genuine business risk including access and lateral movement.

Scope: External network — assessment & validation · external network — with penetration testing · internal network — assessment & validation · internal network — with penetration testing

Phishing & Social Engineering

Targeted campaigns measuring resilience to social engineering, with reporting on click-through and credential-submission behaviour and follow-up training tied to results.

Attack Surface Mapping

An attacker's-eye external view: exposed services and ports, leaked credentials, third-party risk and brand impersonation.

Wireless Security Assessment

Configuration and security review of wireless access points and infrastructure, including encryption, authentication and rogue access point detection.

Device Security Testing

Technical and physical assessment of client-provided devices to determine whether an attacker could extract data, tamper with the device, or compromise its software.

Practice · 04

Compliance

Standards and regulations made practical — reach compliance and stay there, without turning operations into a paperwork factory.

Zero One delivers the information-security controls, documentation, policies and procedures these standards and regulations require, and independent assessment of those controls. We are not a law firm or an accredited certification body; legal advice rests with the client's counsel, and the formal certification audit rests with an accredited body.

ISO/IEC 27001

End-to-end support: scoping, gap analysis, risk assessment, Statement of Applicability, ISMS documentation, and independent control assessment ahead of certification. The certification audit itself is conducted by an accredited body.

Scope: Gap assessment · full ISMS implementation support · internal audit / control assessment · certification audit preparation

ISO/IEC 27000 Family

Practical use of supporting standards: 27002 controls, 27005 risk, 27017/27018 cloud, 27701 privacy.

GDPR — Security of Processing

Implementation and assessment of the technical and organisational security measures GDPR requires (access controls, encryption, logging, resilience, testing of effectiveness). This work is delivered alongside the client's legal counsel and DPO; Zero One does not provide legal advice or act as statutory DPO.

DORA

Support for the ICT risk-management obligations of DORA for in-scope financial entities: ICT risk management, resilience-testing readiness and the supporting documentation.

NIS2

Support for NIS2 obligations for essential and important entities: cyber risk-management measures, continuity, and supply-chain security readiness.

Practice · 05

AI Security & Governance

Adopt AI safely and prove you have it under control — from vetting AI vendors to securing AI systems to standing up the governance that keeps pace with the technology.

AI Vendor Due Diligence & Onboarding

A decision gate for AI vendors, AI-enabled SaaS, model providers and AI features — combining third-party security due diligence, AI-specific risk screening and privacy review into a clear approve / approve-with-conditions / reject recommendation.

AI System Security Assessment

A defensive review of a piloted or deployed AI system: data flows, RAG and knowledge-base access, model interaction, connectors and logging — testing for prompt injection, data exposure and unsafe automated actions.

AI Governance Framework Design

The operating model that lets you approve, control and monitor AI use — AI policies, an AI register, a risk-classification model and an intake-to-approval workflow, aligned to ISO/IEC 42001 and the NIST AI RMF.

Continuous AI Governance Assurance

Recurring review that keeps your AI register, vendor evidence, risks, access and controls current as models change and use expands — with management reporting on an agreed cadence.

Not sure where to start?

Begin with a free initial assessment.

We'll listen to what you're trying to protect, look at where you stand today, and tell you what we'd prioritise — whether or not you work with us next.

Contact us