Audit & compliance — GDPR, ISO 27001, NIS2, HDS, ANSSI

From initial audit to certification, we hold the calendar — and we sit at the board with you.

01 · Pillar

Gap analysis

Initial diagnosis documented against the target framework (ISO 27001, NIS2, HDS, GDPR). Quantified action plan, prioritised by criticality and effort, delivered in 4 to 6 weeks.

02 · Pillar

Operational compliance

Policies, procedures and registers drafted. Technical controls deployed (encryption, segmentation, access management, monitoring). Internal team training.

03 · Pillar

Blank audit before certification

Blank audit run by our own auditors (themselves ISO 27001 Lead Auditor certified) before the official audit. No surprises on D-day.

04 · Pillar

Outsourced DPO and GDPR compliance

Designation of a Hexceos DPO, processing register maintenance, DPIA support, management of data subject requests and breach notifications.

05 · Pillar

Sector-specific compliance

Health (HDS), finance (DORA), industry (NIS2), Quebec (Law 25, PIPEDA). We hold the corresponding certifications so you don't have to become the expert.

Audit & compliance — hold the calendar, not just the promise

Regulatory compliance is a corporate project, not an IT project. It plays out at the board as much as at the IT department: investment choices, risk prioritisation, budget allocation. Hexceos supports you on both dimensions — operational and strategic — with a single point of contact from diagnosis to certification.

What we cover

  • ISO 27001 — gap analysis, deployment, blank audit, certification support.
  • ISO 27005 — EBIOS Risk Manager method, mapping, treatment plan.
  • NIS2 — eligibility, ANSSI declaration, compliance plan.
  • GDPR — outsourced DPO, processing register, DPIAs, breach handling.
  • HDS — auditor preparation, or direct hosting in our HDS sovereign datacenter.
  • Sector-specific — DORA (finance), TISAX (automotive), HDS (health), Law 25 and PIPEDA (Quebec and Canada).

Service commitments

  • Certified auditors (ISO 27001 Lead Auditor, CISA, CIPP/E).
  • Detailed plan delivered in 6 weeks, with binding milestones.
  • Flat-fee pricing on scoped missions (no time-and-materials).
  • Continuity possible with our managed SOC for operational security.

FAQ

Questions we get asked.

How long does it take to be ISO 27001 certified?
For an SMB of 50 to 200 staff starting from medium maturity, expect 9 to 12 months between kick-off and certificate. For a mid-sized firm, 12 to 18 months. We hold the calendar by publishing a detailed plan at scoping and settling open decisions weekly in the steering committee.
Does NIS2 apply to us?
NIS2 covers a much broader scope than NIS1 — essential entities (energy, health, transport, finance, water, space, public administration) and important entities (postal, waste, chemicals, food, digital, research). If you have more than 50 staff or €10M turnover and operate in one of these sectors, NIS2 probably applies. We confirm eligibility in 2 to 3 hours of scoping.
Is HDS certification mandatory if we host health data?
Any hosting party that stores identifying health data under the French Code de la santé publique must be HDS-certified. If you self-host, you must be HDS. If you outsource (to Hexceos for instance), your host must be HDS. Our datacenter is.
Can you act as our outsourced DPO?
Yes. Hexceos appoints a certified DPO (CIPP/E or equivalent), who becomes your CNIL point of contact, maintains your processing register, supports your DPIAs and manages breaches. Monthly flat fee, not time-and-materials.

Let's talk

30 minutes, no commitment.

A senior engineer, your situation as it is, concrete answers.