Security · Evidence · Resilience
Secure systems. Audit-ready evidence. Resilient delivery.
Bergson helps regulated fintechs, EMIs and SaaS companies prepare for ISO 27001, DORA and PCI DSS, strengthen cloud governance, and deliver secure software and AI-enabled systems.
Practical support across ICT risk, cloud security, audit evidence and software delivery.
- ISO 27001
- DORA ICT Risk
- PCI DSS
- Fractional CIO
- Secure AI Delivery
- Cloud Governance
- Senior bench
Every engagement led by a principal.
- First response
<24h
On every enquiry, weekdays.
- Jurisdictions
EU, UK, APAC and North America.
- Core frameworks
ISO 27001 · DORA · PCI DSS v4.0.
Regulatory Roadmap
One conversation, three frameworks, one audit-ready outcome.
Pick a framework to see how Bergson sequences it — scope, evidence and operating cadence.
Information Security Management
ISO 27001:2022
An ISMS scoped to the systems you actually run, with a Statement of Applicability auditors can defend and evidence operating teams can keep alive.
Who it's for: Fintechs, EMIs and B2B SaaS facing enterprise security questionnaires or certification deadlines.
ISO 27001 service detail
- Weeks 1–2
Scope & gap
ISMS scope, asset and risk register, control gap against Annex A 2022.
- Weeks 3–6
Treatment & policy
Risk treatment, SoA rationale, policy suite mapped to live systems.
- Weeks 6–10
Evidence & operate
Control evidence, internal audit, management review, certification readiness.
Deliverables
- ISMS scope memo
- Risk register & treatment plan
- Statement of Applicability
- Policy suite
- Evidence workbook
- Internal audit pack
Pick your challenge
Why teams bring Bergson in.
Choose the situation closest to yours — see exactly how we'd respond and what we'd deliver.
Situation
ISO 27001, PCI DSS or DORA is now a date on the calendar.
How Bergson responds
We start from the deadline and work backwards. The first week is a focused gap assessment; the rest is producing the artefacts the auditor will actually look at.
You walk away with
- Gap assessment vs. live systems
- Evidence workbook keyed to controls
- Remediation plan with owners
- Pre-audit walkthrough rehearsal
Services
Where regulation, security and engineering meet.
Tightly scoped engagements, delivered by the same people who scope them.
Scope & deliverables
Every service. Every artefact. No surprises.
Filter by area, click any service to see exactly what you receive.
What you get
Concrete deliverables, not slideware.
Bergson engagements produce artefacts your team can use after the meeting: evidence packs, control maps, board summaries, remediation plans and operating routines.
Gap assessment
Where the current operating model falls short.
Risk and control map
How risks, controls, owners and systems connect.
Evidence workbook
What auditors, customers or boards can actually review.
Board-ready summary
Plain-English reporting without losing technical substance.
Remediation roadmap
What to fix first, and why.
Operating cadence
How the team keeps the controls alive after the project.
Audit-ready check
Three questions. One honest answer.
A 60-second self-assessment that mirrors how we open every Bergson engagement. Nothing is stored — it runs entirely in your browser.
Question 1 of 3
Can you produce control evidence (logs, configs, tickets) for any control within one day?
What sets us apart
Senior, engineering-led, no theatre.
Controls that match the architecture
Risk treatments and policies written against the systems you actually run, not a downloaded template.
Evidence an auditor can follow
Traceable artefacts for ISO 27001, PCI DSS and DORA — and for the customer security questionnaire after.
Practices engineering will keep
Secure SDLC, cloud and DevSecOps changes that survive once we leave the room.
Sector focus
Designed for regulated financial technology environments.
Bergson works best where cloud infrastructure, payment systems, ICT risk, audit evidence and software delivery overlap. The focus is practical control: who owns the risk, how the system is operated, where the evidence lives, and what needs to change.
We do not replace accountable management, auditors, QSAs or legal advisers. We help technology teams create the operating evidence and governance those stakeholders need.
Read more about our fintech & EMI work
- EMI and payment-platform technology support
- PCI DSS and payment security evidence
- DORA-aligned ICT risk and third-party oversight
- ISO 27001 readiness and operating controls
- Cloud architecture and resilience review
- Board and management-level technology reporting
Trust Infrastructure
The network behind the evidence.
A live picture of the systems Bergson governs — across regions, regulators and risk surfaces.
Assets Under Oversight
€4.2B
Across 38 client portfolios
Jurisdictions Covered
23
EU · UK · APAC · NA
Audit Frequency
Continuous
Quarterly attestation cadence
Global reach
Aligned with the financial hubs that set the standard.
Bergson works across Dublin, London and the wider EU — supporting clients whose customers, regulators and infrastructure span the major financial centres.
How we work
From audit pressure to a defensible position.
- 01
Assess
Read the architecture, controls and obligations. Find the real gaps, not the obvious ones.
- 02
Prioritise
Sequence the work against deadlines, risk and what the team can actually absorb.
- 03
Implement
Build the controls, configuration changes and routines — alongside your engineers.
- 04
Evidence
Produce artefacts that hold up in front of an auditor, a customer or the board.
- 05
Operate
Hand over a rhythm the team can keep running after we step back.
Next step
Have an audit, customer questionnaire or release date pressing on you?
Tell us the deadline and the gap. We will tell you honestly whether Bergson is the right fit, and how we would scope the work.