02 — Expertise

Five disciplines, one owner.

As a privacy lawyer and founder of NormShift, I don't hand off the hard parts. From privacy law to packet captures, the whole stack is mine to own.

01

Data Protection & Privacy

GDPR & DPDP Act programmes from policy to practice — privacy governance, data encryption, access control, secure data disposal and vendor data-processing controls that hold up under scrutiny.

  • GDPR
  • DPDP Act
  • Encryption
  • Access control
  • Vendor controls

02

Governance, Risk & Compliance

ISO 27001, SOC 2 and NIST implemented and maintained through real audits. Risk assessment, policy development and internal audit that turn frameworks into operating reality.

  • ISO 27001
  • SOC 2
  • NIST
  • Risk assessment
  • Internal audit

03

Security Operations

Stood up and ran Security Operations Centres — SIEM, threat intelligence, VAPT and end-to-end incident response, plus business continuity and disaster recovery with measurable RPO/RTO targets.

  • SOC
  • SIEM
  • Threat intel
  • VAPT
  • IR & BCDR

04

Cloud Security

AWS hardened with zero-trust principles, IAM least-privilege and continuous compliance monitoring. Architecture reviews across IAM, VPC, S3, Lambda and RDS with documented remediation.

  • AWS
  • Zero-trust
  • IAM
  • CSPM
  • Architecture review

05

Leadership & Stakeholder Trust

Third-party / vendor risk management, security-awareness training delivered to 900+ staff including senior management, and clear board- and stakeholder-level reporting that turns risk into informed decisions. I chair the committees and own the outcome.

  • Vendor risk
  • Awareness & training
  • Board reporting
  • Committee leadership
  • Strategy

How an engagement runs

From assessment to assurance.

Phase 01

Assess

Understand the regulatory surface & current posture

  • Map applicable regulation (DPDP, RBI, GDPR, sectoral) against current controls.
  • Gap analysis across ISO 27001 / SOC 2 / NIST and the cloud estate.

Phase 02

Architect

Design controls that fit the business

  • Prioritise by risk, not by checklist; design policy, technical and process controls.
  • Zero-trust cloud architecture and vendor-management frameworks.

Phase 03

Operate

Stand up the function & run it

  • SOC, SIEM, incident response, VAPT cadence and BCDR.
  • Security-awareness training and continuous compliance monitoring.

Phase 04

Assure

Prove it — to auditors and the board

  • Audit readiness, evidence and certification support.
  • Board-level reporting with metrics that show the trend.

Need any of this built — or fixed?

Whether it's a from-scratch programme or a struggling one, I can help you get to assurance.

Let's talk