ThePenz is a London-based cybersecurity advisory built by senior practitioners with careers inside FCA-regulated banks, building societies and fintechs. We deliver provable security, defensible compliance and board-ready governance – without the consultancy theatre.
We're not a generalist tech firm with a security practice bolted on. We are career insiders of FCA-regulated banks, building societies and fintechs – who chose to consult on our own terms. The four principles below are how we run every engagement.
Senior delivery, always
Our principals deliver the work themselves. The person who scopes the engagement is the same person you'll meet on day one – and the day after that. You don't pay senior rates for graduate output.
We take no referral fees, accept no partner kickbacks, and hold no exclusive vendor reseller agreements. The recommendation we make is the recommendation we believe in.
Direct experience under FCA, PRA, BoE, ICO and PSR scrutiny. We know what regulators actually look for, what triggers second questions, and how to write evidence that survives both an audit and a Skilled Persons review.
We translate cyber risk into pounds, regulation into priorities, and findings into board narratives. Whether the audience is a CRO, an audit committee or the FCA, we write to that audience – not to a template.
Each service line solves a specific problem regulated firms face. Engage one to address an immediate gap, or layer them into a multi-quarter security programme. Every engagement ships measurable, evidenced artefacts.
End-to-end ISMS implementation with our 54-document library. Stage 1 / Stage 2 ready in 14–20 weeks with a UKAS-accredited certification body of your choice.
No. 02 – Gap analysis, scoping, evidence rooms and remediation engineering for merchants and service providers across SAQ A–D and Levels 1–4.
No. 03 – IASME-aligned application packs, hardening recommendations, and CE+ on-site assessment readiness – first-time pass rate of 100%.
No. 04 – Authenticated scans, CVE matching, version-fingerprinting and confidence-scored false-positive triage – powered by our in-house VulnScan Pro engine.
No. 05 – Realistic, sector-tailored campaigns. Behavioural metrics. Adaptive learner journeys. Measurable change quarter-on-quarter – not just an annual click-rate number.
No. 06 – ISO 27005, NIST RMF and FAIR-aligned. Threat modelling with STRIDE and PASTA. Quantified findings expressed in £ loss exposure your CRO can defend.
No. 07 – Bank of England baseline reruns. Gap-to-target analysis with proportionality justification. Quick-win roadmaps that don't depend on multi-year infrastructure projects.
No. 08 – Vendor-neutral GRC tooling rationalisation. Control libraries spanning ISO/NIST/PCI/SOC2. Risk registers, evidence automation and management dashboards.
No. 09 – Concise, version-controlled policies mapped to ISO Annex A, NIST CSF, FCA SYSC, PRA SS1/21, DORA and UK GDPR. Policies people actually read.
No. 10 – Board packs, findings reports, regulatory submissions, incident post-mortems. Written to the audience – not to a template. We rescue reports too.
No. 11 – Role-based programmes for executives, developers, finance and frontline staff. Live workshops, micro-learning, in-flow nudges. Behaviour change, not box-ticking.
Detailed service pages with scopes, deliverables, methodologies and sample timelines for each of our eleven disciplines.
"ThePenz delivered our ISO 27001 readiness pack in weeks. Policies that fit the business. Working artefacts, not slide decks. They're the rare consultancy your audit committee wants in the room – and we'll be calling them again."
A consistent, transparent methodology refined over a decade of regulated-industry delivery. Every engagement follows the same four phases – what changes is the depth, not the structure.
Scoping workshops, asset inventories, stakeholder interviews. We understand your reality before we touch your roadmap.
Gap analysis against the relevant standard. Threat modelling. Quantified findings register with severity, owner and remediation effort.
Policy drafting, control engineering, scanner deployment, training rollouts. Executed on a published cadence with weekly checkpoints.
Continuous assurance: managed scans, simulated phishing, regular reviews, board-grade reporting dashboards.
Most of our work happens where the stakes – and the regulators – are highest. We bring sector-specific frameworks, vocabulary and audit experience to every engagement.
FCA & PRA compliance, operational resilience, third-party risk, and CQUEST baseline assessments for retail, challenger and mutual lenders.
PCI DSS v4.0, PSD2/SCA controls, AML technology controls, and SOC 2 readiness for payment institutions, EMIs and embedded finance.
NHS DTAC, DSPT, UK GDPR and DPIAs for digital health platforms, telemedicine and clinical SaaS.
SOC 2 Type I/II, ISO 27001, customer security questionnaires and SecDevOps integration for B2B SaaS scale-ups.
Cyber Essentials Plus, NCSC Cyber Assessment Framework, GovAssure prep for central and local government suppliers.
SRA / ICAEW expectations, client data protection, insider threat programmes for legal, accounting and advisory firms.
Templates, frameworks, and field-tested guides we use on real engagements. No gated content, no sales follow-up – just useful material, because the security community is better when we share.
A week-by-week breakdown of how a real ISMS gets stood up in a mid-sized regulated firm – from kick-off, through policy ratification, to Stage 2 audit attendance. With sample artefact templates.
Findings from real Entra ID security reviews: the eight controls that catch 80% of issues, and the misconfigurations everyone seems to share.
Plain-English breakdown of the substantive changes, the customised implementation option, and the deadlines you've already missed.
No discovery call gauntlet. No qualification rep. A practitioner will respond within one working day to schedule a 30-minute scoping call – at no cost, with no obligation.