Dublin · ISO 27001 · DORA · PCI DSS
The audit is not the problem.
Gaps in the evidence are.
Bergson helps regulated fintechs, EMIs and SaaS companies prepare for ISO 27001, DORA and PCI DSS — and keep the controls alive after the auditor leaves.
- < 24h
- First response
- 100%
- Senior bench
- EU · UK · Global
- Active jurisdictions
- ISO · DORA · PCI
- Core frameworks
Engagement Status
- ISO 27001:2022 ISMSIn scope
- DORA ICT RiskActive
- PCI DSS v4.0Tracked
- Cloud GovernanceReview
- Incident ResponseDrilled
Evidence ready · Senior-led · Defensible
TRUSTED BY TEAMS IN: Payment Institutions · EMIs · Regulated Fintechs · B2B SaaS · Cloud-native Platforms
What we do
Where regulation, security and engineering meet.
- Compliance & Audit Readiness
ISO 27001 Readiness
ISMS, risk register, SoA, policies and audit-ready evidence.
8–12 weeks
Learn more → - ICT Risk & Resilience
DORA ICT Risk
ICT risk framework, incident reporting and resilience testing.
6–10 weeks
Learn more → - Compliance & Audit Readiness
PCI DSS Evidence
Scoping, SAQ D, segmentation and ASV evidence support.
10–14 weeks
Learn more → - Technology Leadership
Fractional CIO
Senior technology, risk and board-level governance support.
Ongoing · monthly
Learn more → - Secure Engineering & AI
Secure AI & Software Delivery
Secure architecture, SDLC, DevSecOps and AI governance.
4–8 weeks
Learn more → - Cloud Security & Operations
Cloud Security & Governance
AWS, Azure, Kubernetes, IAM, logging and resilience.
4–6 weeks
Learn more →
Engagement Model
From audit pressure to a defensible position.
Assess
Read the architecture, controls and obligations. Find the real gaps.
Prioritise
Sequence work against deadlines, risk and what the team can absorb.
Implement
Build the controls, configuration changes and routines, with your engineers.
Evidence
Produce artefacts that hold up to an auditor, a customer or the board.
Operate
Hand over a rhythm the team can run after we step back.
Audit Readiness Check
Three questions. One honest answer.
A 60-second self-assessment that mirrors how we open every Bergson engagement. Nothing is stored — it runs entirely in your browser.
Question 1 of 3
Can you produce control evidence — logs, configs, tickets — for any control within one working day?
What you receive
Concrete artefacts, not slideware.
Gap assessment
Where the current operating model falls short.
Risk and control map
How risks, controls, owners and systems connect.
Evidence workbook
What auditors, customers or boards can actually review.
Board-ready summary
Plain-English reporting without losing technical substance.
Remediation roadmap
What to fix first, and why.
Operating cadence
How the team keeps the controls alive after the project.
Have a deadline pressing on you?
Tell us the gap.
We will tell you honestly whether Bergson is the right fit, and how we would scope the work.
Bergson Limited is registered in Ireland. We are not auditors, QSAs, or legal advisers. We help technology teams produce the evidence those stakeholders need.