Who we work with

Four verticals where the stakes are highest

Built for companies under enterprise compliance pressure — where the cost of getting it wrong is greatest.

SaaS companies

Enterprise customers requiring SOC 2 before procurement closes. Sales-driven timelines. Lean or absent internal security teams.

SOC 2
ISO 27001
vCISO

AI & ML companies

Novel risk profiles. Investor due diligence on AI governance. First-mover ISO 42001 compliance for AI systems and models.

ISO 42001
SOC 2
AI governance

FinTech companies

Regulated data environments. SOC 2, GDPR, and PCI DSS combined. Board-level security governance and investor due diligence.

SOC 2
GDPR
PCI DSS

Healthcare SaaS

Health system procurement requires HIPAA plus SOC 2 combined. ePHI workflows, BAA chain management, and OCR readiness.

HIPAA
SOC 2
BAA

Client feedback

What practitioners say about working with us

Yves approaches cybersecurity with a practical mindset, emphasizing solutions that integrate into daily operations. His thoroughness ensured our strategies aligned with regulatory standards while remaining streamlined and accessible, avoiding unnecessary complexity.

Former CIO, SPIRE Credit Union
Also served as CISO, Blaze Credit Union

We went from a scattered policy library to a working compliance program in under twelve weeks. The audit went exactly as expected — no surprises, no last-minute scrambles. The ability to translate complex requirements into plain language our engineers could act on made all the difference.

CTO, Series A healthcare SaaS
60 employees · Minneapolis area

We had Vanta purchased and sitting mostly idle. Within three weeks, every integration was live, evidence was collecting automatically, and our control pass rate went from 40% to over 85%. The difference between having the platform and actually using it well is enormous.

Security manager, Series B FinTech
120 employees

Why not alternatives?

How we compare to your other options

Most companies evaluate four paths. Here is an honest comparison.

Estimates. Actual costs vary by scope and company size. ISPH fees include hour estimates and overage rates disclosed upfront.

Standalone products & add-ons

Six high-value engagements that stand on their own

ISO 42001 AI governance assessment
$8,500 – $15,000

Standalone AI security risk assessment for AI and ML startups. Gap analysis, risk register, remediation roadmap. Almost no boutique competition in this space today.

First-mover advantage

Investor / pre-fundraise security package
$8,000 – $14,000

Security posture assessment, gap report, and evidence package for Series A/B investor due diligence. Urgency-driven buyer with a motivated timeline.

Series A / B ready

Annual security program review
$3,500 – $6,000

Formal annual assessment of program maturity, progress, and gaps. Natural January or February renewal product for all vCISO and maintenance clients.

Annual renewal anchor

Cyber insurance alignment review
$3,000 – $6,000

Security controls documentation structured for cyber insurance underwriters. Findings mapped to common coverage requirements. Pairs with any compliance or IR engagement.

Insurance-ready

Trust center setup
$1,500 – $3,000

Post-SOC 2 customer-facing trust page on Vanta or Drata. Natural upsell after every compliance engagement. Eliminates dozens of questionnaire questions permanently.

Post-audit upsell

VC portfolio security program
Custom · bulk discount

Structured program for VC firms placing consistent compliance requirements on portfolio companies. One VC relationship becomes three to five client engagements.

3+ portfolio companies

Common questions

Pre-sales questions we hear most often

Straight answers before you book the call.

Most compliance consultants deliver a binder of policy templates and a gap report, then invoice. We build the program with you — configuring the GRC platform, writing customized policies that reflect how your company actually operates, coordinating the auditor, and managing evidence collection. The deliverable is a working compliance program, not a set of documents requiring your team to execute everything.

Most companies that buy a GRC platform discover that getting integrations working, evidence collecting automatically, and controls showing green requires significant configuration work that no one on the team has time for. The Vanta and Drata Configuration service (starting at $2,800) is designed exactly for this situation — getting your existing platform from idle to audit-ready.

Total cost depends on scope, but here is a realistic range for a typical Series A SaaS company: ISPH fee $18K–$28K (Growth tier), plus GRC platform license $10K–$25K/year (Vanta or Drata), plus audit firm fee $15K–$40K. Total budget typically falls in the $50K–$100K range for a first SOC 2. We disclose all three numbers at every scoping call — no surprises.

For a single-product SaaS company with a clean cloud environment: SOC 2 Type I in 10–14 weeks. Type II requires an additional observation period of three to six months after Type I. The biggest variables are evidence access speed, cloud complexity, and whether policies need to be built from scratch. We give you a realistic timeline at the scoping call based on your actual situation.

No. InfoSecProsHub provides compliance program management and security implementation — not legal advice or legal representation. For HIPAA and GDPR engagements, OCR inquiries, breach notification letters, DPA negotiations, and supervisory authority interactions should involve legal counsel arranged and paid by the client.

Most compliance programs collapse after the SOC 2 report drops. Evidence stops collecting, policies go unreviewed, and by the next audit cycle you are starting over. The Compliance Maintenance Plan (starting at $1,600/month) prevents that cliff — keeping evidence current, controls active, and the GRC platform healthy year-round so your next audit is a continuation rather than a restart.

Yes — and we recommend it. Enterprise health system procurement increasingly requires both. There is significant control overlap between HIPAA and SOC 2, meaning the combined cost of doing both together is substantially lower than two separate engagements. The multi-framework approach is available at Professional and Enterprise tiers.

The scoping call is a free 30-minute conversation. We confirm your framework, timeline, business urgency, and current state. After the call, you receive a written scope and fee range within 48 hours — including platform license estimates, audit firm fee estimates, and total budget guidance. No sales pressure, no obligation. If we are not the right fit, we will tell you.

Ready to start?

Let's talk about what's blocking your next deal.

A 30-minute scoping call costs nothing and gives you a clear picture of what it takes to get compliant, stay secure, and be ready for what is next.

No pitch. No pressure. A practical conversation about what you need and whether we are the right fit.

Total cost transparency. Every scoping call includes the complete budget — ISPH fee, platform license estimate, and audit firm fee estimate. No surprises at any stage.