Our Approach
Methodology · Four pillars

We don't manage to a checklist. We build on our four pillars.

ComplianceXO organizes every engagement around four disciplines: Governance, Infrastructure, Operations, and Culture. A gap in any one of them undermines the other three. Our assessments, subscriptions, and advisory work are all structured around this model.

§The four pillars
I. Governance (Pillar I of IV)

Oversight and strategy to meet your company's objectives.

Governance is the set of decisions your organization makes about who owns risk, which frameworks apply, and what constitutes acceptable behaviour. Without it, security spending is undirected and compliance is accidental. With it, every control has a clear owner, every audit has a clear answer, and leadership has a single page that tells the right story.

What we assess · 6 areas
  1. Risk appetite and risk register
  2. Policy framework and acceptable-use standards
  3. Compliance mapping across applicable frameworks
  4. Roles, responsibilities, and RACI for security decisions
  5. Board and executive reporting cadence
  6. Third-party and supply-chain risk program
II. Infrastructure (Pillar II of IV)

The right technology to securely support your business.

Infrastructure is the hardest pillar to change and the one most attackers target first. Networks, identities, endpoints, cloud configurations, and build pipelines are the attack surface that governance policies are supposed to protect. We assess the substrate, identify the seams, and tell you which controls to close before your vulnerabilities are exposed.

What we assess · 6 areas
  1. Network architecture and segmentation
  2. Cloud configuration and hardening (CIS Benchmarks)
  3. Identity and access management — MFA, least privilege, PAM
  4. Endpoint detection and patch management
  5. Build pipeline and release management security
  6. Asset inventory and configuration management
III. Operations (Pillar III of IV)

Verifiable, consistent, and efficient execution of processes.

Governance sets the rules. Infrastructure sets the stage. Operations is everything that happens on a Tuesday afternoon — the alert that fires, the vendor that asks for access, the employee who clicks the wrong link. An effective operations pillar means your team knows exactly what to do, who to call, and how to document it before the incident happens.

What we assess · 6 areas
  1. Security monitoring, SIEM, and log management
  2. Incident response plan and playbooks
  3. Change management and change control
  4. Vulnerability management and penetration testing
  5. Vendor access review and offboarding
  6. DMARC, DKIM, and SPF enforcement
IV. Culture (Pillar IV of IV)

Ensuring the right people are doing things the right way.

The most expensive firewall in the world is bypassed by one well-crafted phishing email sent to someone who was never trained to spot it. Culture is not a soft outcome — it is a measurable control. We assess how security is communicated, how it is reinforced, and how it is rewarded. Then we build a program that makes secure behaviour the path of least resistance.

What we assess · 6 areas
  1. Security awareness program design and delivery
  2. Tabletop exercises and simulation
  3. Phishing simulation and remediation workflows
  4. Professional development and training
  5. AI acceptable-use education and guardrails
  6. Onboarding and offboarding security checklists
§How an engagement runs
I. Scope

A 30-minute call. We agree scope, stakeholders, and what success looks like at the end.

II. Discover

We read your documentation, interview your team, and review your systems.

III. Diagnose

A draft report — gaps, risks, prioritised remediation — circulated for your review.

IV. Decide

Executive summary, final report, and an actionable, prioritised roadmap.

The model

All IT risk and compliance frameworks share core principles. Our four pillars align with whatever framework you use, and they cover the full scope of a robust security program.

Erik Boemanns, Founder and Chief Technologist, Mirability / ComplianceXO
Where to start

See where your four pillars stand — free, in six minutes.

Our free self-assessments are designed around the same model. Take the AI, cybersecurity, or email assessment and you will get an instant view of your posture against the pillar that matters most right now.