Security consulting · vCISO · AI-Driven SCMS

Stronger security, driven by AI.
Compliance built in, not bolted on.

Senior security consulting, virtual CISO leadership, and a co-built AI-Driven Security Controls Management System tailored to your business. The SCMS uses AI to run your controls with auditor-grade rigour, surfacing the issues that matter and improving your real security posture month after month. Compliance with NIS2 Article 21(2) and NIST CSF v2.0 is designed in from the ground up.

No licences. No lock-in. Your system, your team, our partnership.

  • AI: Stronger security
  • Auto: Documents itself
  • SHA-256: Evidence integrity
  • €0: Software licences

The market need

Real security is hard. Compliance alone won't get you there.

Compliance theatre

Tick-box compliance produces paperwork, not stronger security. Audits pass, attackers still get in, and the team's energy is spent on evidence rather than improvement.

Manual reviews don't scale

Spreadsheets, screenshots, email threads. Evidence scattered across tools. Real issues missed because the team is buried in process.

Advice without execution

Consultants deliver a roadmap, then leave. The work of operating the controls falls back on a team that's already stretched.

SaaS without ownership

GRC platforms charge per seat, hold your data, and force their model on your business. You pay forever for something that never quite fits.

What we do

Three offers. Take one, two, or all three.

Senior security consulting and virtual CISO services are core practice, delivered for over twenty years. The AI-Driven SCMS is the differentiator we add when you want real security improvement built into the way you work.

01

Security Consulting

Strategic and tactical

Senior security advice across the full lifecycle, from a CISSP, CCSP, CISM, CRISC, CDPSE-certified consultant.

  • Security posture assessments
  • Control design and gap analysis
  • Architecture and tooling reviews
  • Incident response support
  • Audit readiness and prep

03

vCISO Services

Ongoing senior leadership

Fractional Chief Information Security Officer, embedded in your business as a senior advisor and decision-maker.

  • Security strategy and roadmap ownership
  • Board and executive reporting
  • Risk register and acceptance decisions
  • Vendor and third-party oversight
  • Programme management

What is an SCMS?

A Security Controls Management System. Real security, with compliance built in.

An SCMS is the system of record for how your security controls are designed, executed, evidenced, and reported on. The AI-Driven version goes further: AI runs the controls, challenges weak evidence, surfaces the issues that actually matter, and drives genuine security improvement period after period. Compliance with NIS2 and NIST CSF v2.0 falls out as a built-in property, not a separate workstream.

What it does

  • Improves real security by surfacing the issues AI can detect and a busy team can't easily see.
  • Operates your controls on a fixed cadence (monthly, quarterly, semi-annual) using AI-powered skills that act as an independent auditor.
  • Documents every control, decision, and review automatically as the work happens, so audit-ready documentation never lags behind reality.
  • Challenges weak evidence and refuses rubber-stamping, the way a senior reviewer would.
  • Routes findings, actions, and metrics out of tolerance to SOC, MSP, management, and audit committee, without manual spreadsheet shuffling.
  • Demonstrates compliance with NIS2 Article 21(2) and NIST CSF v2.0 as a property of the system, not a separate exercise.

What it produces

  • A documented control derived from your policy and the underlying control framework (NIS2, NIST CSF v2.0, ISO 27001), tailored to your environment.
  • A documented process to operate that control, with built-in metrics and Key Risk Indicators that drive the monthly review.
  • A review.md per control per period, with structured YAML front matter and a human-readable narrative.
  • A folder of named evidence files (CSV, XLSX, PDF, screenshots) per review.
  • A manifest.sha256 proving the integrity of every file.
  • A YAML review-index, action log, and review log: the entire history in version-controllable form.
  • Period dashboards (markdown and HTML) a board can read in five minutes.
  • Auto-populated agendas for SOC, MSP, management, and risk & audit committee meetings.

Sample artefacts (illustrative: fictional company and data)

Two of the artefacts the SCMS produces every month. The structure is real, drawn from a live deployment. The company, assets, and findings are entirely fictional.

reports/dashboard-2026-04.md (Period dashboard)

Acme Pharma Ltd · Security Controls Dashboard

Period: April 2026  ·  Generated: 2026-05-08  ·  Prepared for: Management Security Review

  • 86.7% overall compliance (▲ +4.2pp vs March)
  • 26 / 30 sub-controls passed (11 controls reviewed)
  • 42 open actions (3 Critical · 12 High)
  • 4 failed sub-controls (down from 6 in March)

Compliance by control

| Control | Area | Apr | Mar | Trend | Pass / Total |
|---|---|---|---|---|---|
| MC-AM-M | Asset Mgmt | 100.0% | 100.0% | = | 3 / 3 |
| MC-MON-SOC-M | Monitoring | 100.0% | 80.0% | ▲ | 5 / 5 |
| MC-IAM-Q | Identity | 100.0% | n/a | · | 4 / 4 |
| MC-VM-M | Vuln Mgmt | 75.0% | 62.5% | ▲ | 6 / 8 |
| MC-DP-M | Data Protection | 66.7% | 66.7% | = | 2 / 3 |
| MC-NS-M | Network Security | 66.7% | 33.3% | ▲ | 2 / 3 |
| MC-SAT-M | Awareness Training | 50.0% | 75.0% | ▼ | 2 / 4 |

Top risks this period

| # | Risk | Source | Owner | Status |
|---|---|---|---|---|
| 1 | SVR-PROD-DB-04 unpatched 168 days. PostgreSQL CVE-2025-1094, CISA KEV. Fourth consecutive month carried. | MC-VM-M | Argyle MSP | Critical |
| 2 | Phishing simulation click rate 18.4%. Exceeds 8% threshold. Concentrated on Commercial team. | MC-SAT-M | vCISO | Critical |
| 3 | 3 endpoints not enrolled in Intune. Finance loaners. MSP reported done; export contradicts. | MC-MON-MSP-M | Argyle MSP | Critical |
| 4 | FortiGate firmware 18 months behind on perimeter pair (FW-DUB-01 / 02). | MC-NS-M | Argyle MSP | High |
| 5 | Backup job VEEAM-FIN-WEEKLY failed 3 of 4 weeks on FIN-FILE-02. | MC-DP-M | IT Ops | High |

Metrics out of tolerance

| Metric | Target | Actual | Source |
|---|---|---|---|
| Critical vulnerability SLA (% within 90 days) | ≥ 90% | 58% | MC-VM-M |
| KEV vulnerabilities > 45 days | ≤ 5 | 14 | MC-VM-M |
| Phishing simulation click rate | ≤ 8% | 18.4% | MC-SAT-M |
| MDM enrolment rate | 100% | 96.4% | MC-MON-MSP-M |

Dashboard rendered from review-index.yaml + open actions log. Source: Acme Pharma SCMS · Generated 2026-05-08.

controls/reviews/submitted/MC-VM-M-2026-04-07/review.md (Monthly review)

```markdown
---
# ============================================================
# CONTROL METADATA
# ============================================================
control_id: MC-VM-M
control_name: Vulnerability Management Monthly Review
control_area: VM
frequency: M
period: 2026M04
review_date: 2026-04-07
reviewer: Senior Consultant (vCISO, Applied Risk Management)

# ============================================================
# SUB-CONTROL RESULTS
# ============================================================
sub_controls:
  - id: VM-M-01
    name: Scan coverage and data integrity
    result: PASS
    criteria:
      - id: VM-M-01.1
        description: All in-scope assets scanned within review period
        result: PASS
        evidence: Qualys reports 142 of 142 assets scanned. No failures.

  - id: VM-M-03
    name: Remediation SLA tracking
    result: FAIL
    criteria:
      - id: VM-M-03.1
        description: 90% of critical vulnerabilities remediated within 90 days
        result: FAIL
        target_pct: 90
        actual_pct: 58
        evidence: 31 of 74 active critical vulnerabilities (42%) exceed 90 days. Concentration on SVR-PROD-DB-04, LAP-FIN-08, and the FortiGate perimeter pair.

# ============================================================
# COMPLIANCE SUMMARY
# ============================================================
compliance:
  total_sub_controls: 8
  passed: 6
  failed: 2
  rate_pct: 75.0
  trend_vs_previous: improving

---

# Monthly Vulnerability Management Review

Control: MC-VM-M  ·  Period: 2026M04 (April 2026)  ·  Reviewer: Senior Consultant, vCISO

## Executive summary

Acme Pharma's enterprise TruRisk score improved to Low (412) following remediation of the March MS Exchange cluster. Total active critical vulnerability inventory (QDS > 89) is 74 across the 142-asset estate.

Compliance: 6 of 8 sub-controls passed (75.0%), up from 62.5% in March. The two failing sub-controls (VM-M-03 SLA tracking, VM-M-05 persistent vulnerability escalation) map to the same underlying issue: a small number of database servers and finance laptops carry the bulk of the aged critical inventory.

## Sub-control results

| Sub-control | Result | Criteria passed |
|---|---|---|
| VM-M-01 Scan coverage and data integrity | PASS | 2 of 2 |
| VM-M-02 Critical and high vulnerability triage | PASS | 2 of 2 |
| VM-M-03 Remediation SLA tracking | FAIL | 1 of 2 |
| VM-M-04 CISA KEV and ransomware prioritisation | PASS | 3 of 3 |
| VM-M-05 Persistent vulnerability escalation | FAIL | 0 of 2 |
| VM-M-06 Action tracking and closure | PASS | 2 of 2 |
| VM-M-07 Newly detected vulnerability triage | PASS | 1 of 1 |
| VM-M-08 Asset-level hotspot review | PASS | 1 of 1 |

## Persistent vulnerability escalation (VM-M-05)

| Item | Age | Comment |
|---|---|---|
| SVR-PROD-DB-04: PostgreSQL CVE-2025-1094 | 168 days | CISA KEV. Argyle MSP closure plan overdue. RAC escalation triggered. |
| FW-DUB-01 / FW-DUB-02: FortiOS 7.0.x EOL | 422 days | Perimeter pair on EOL firmware. Replacement project requires capex approval. |
| LAP-FIN-08 (M. Devlin): Office cluster | multi-month | 9 active critical, 247 total. Fourth consecutive review on this device. |

## Auditor notes

1. The SLA failure in VM-M-03 is the strategic concern. The hotspot pattern indicates targeted intervention on three assets would substantially improve the metric.
2. SVR-PROD-DB-04 at 168 days is now the longest-running open critical in the estate. Two-week deadline set on Argyle MSP before RAC routing.
3. FortiGate perimeter pair on EOL firmware is a strategic exposure; the action this month is to formalise the replacement timeline at the May management meeting, not patch the unpatchable.
4. The Acme Commercial-team phishing-simulation cluster (cross-referenced from MC-SAT-M) suggests targeted re-training rather than another all-staff campaign.
```

Evidence in this submission: TruRisk_Report.pdf · VM_vulns_acme_20260407.csv · Acme-Asset-Register-2026-04.csv · manifest.sha256

Manifest SHA-256: 3977d8d6 7e201751 e3a691e5 26fd20fb 77095834 c6d50cd3 48420016 ⋯
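The manifest.sha256 named in the "What it produces" list and in the evidence line above is what makes a review folder tamper-evident. The following added example (not the SCMS's own code, and not drawn from the page) shows one way to seal and verify such a folder: it assumes one directory per review, a sha256sum-compatible manifest (`<hex digest>  <relative path>` per line) listing every file except itself, and constructed placeholder contents for the evidence files named on the page. It then shows the three failure modes a verifier needs to report: a file edited after sealing, a file removed, and a file added without re-sealing.

```python
"""Seal and verify an SCMS review folder with a sha256sum-style manifest.

Added illustration, not the SCMS's own code. Assumes one folder per review and
a manifest listing every file in it except the manifest itself.
"""
import hashlib
import tempfile
from pathlib import Path

MANIFEST_NAME = "manifest.sha256"


def sha256_file(path: Path, chunk_size: int = 65536) -> str:
    """Stream a file through SHA-256 and return the lowercase hex digest."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def list_artefacts(review_dir: Path) -> list[str]:
    """All regular files under the review folder as sorted relative POSIX paths,
    excluding the manifest (it cannot contain its own hash)."""
    return sorted(
        p.relative_to(review_dir).as_posix()
        for p in review_dir.rglob("*")
        if p.is_file() and p.name != MANIFEST_NAME
    )


def write_manifest(review_dir: Path) -> Path:
    """Write the manifest in sha256sum format, so `sha256sum -c` can check it too."""
    manifest = review_dir / MANIFEST_NAME
    lines = [f"{sha256_file(review_dir / rel)}  {rel}" for rel in list_artefacts(review_dir)]
    manifest.write_text("\n".join(lines) + "\n", encoding="utf-8")
    return manifest


def verify_manifest(review_dir: Path) -> dict:
    """Re-hash every listed file and compare; also flag files the manifest omits,
    because an unlisted artefact is as much an integrity gap as a modified one."""
    expected: dict[str, str] = {}
    for line in (review_dir / MANIFEST_NAME).read_text(encoding="utf-8").splitlines():
        if line.strip():
            digest, rel = line.split("  ", 1)
            expected[rel] = digest.lower()
    mismatched, missing = [], []
    for rel, digest in expected.items():
        path = review_dir / rel
        if not path.is_file():
            missing.append(rel)
        elif sha256_file(path) != digest:
            mismatched.append(rel)
    unlisted = [rel for rel in list_artefacts(review_dir) if rel not in expected]
    return {
        "ok": not (mismatched or missing or unlisted),
        "mismatched": sorted(mismatched),
        "missing": sorted(missing),
        "unlisted": sorted(unlisted),
    }


def build_sample_review() -> Path:
    """Constructed stand-in for controls/reviews/submitted/MC-VM-M-2026-04-07/.
    File names follow the page's sample; the contents are made up."""
    review_dir = Path(tempfile.mkdtemp(prefix="MC-VM-M-2026-04-07-"))
    (review_dir / "review.md").write_text("---\ncontrol_id: MC-VM-M\nperiod: 2026M04\n---\n")
    (review_dir / "TruRisk_Report.pdf").write_bytes(b"%PDF-1.4 constructed placeholder\n")
    (review_dir / "VM_vulns_acme_20260407.csv").write_text(
        "asset,cve,age_days\nSVR-PROD-DB-04,CVE-2025-1094,168\n"
    )
    (review_dir / "Acme-Asset-Register-2026-04.csv").write_text("asset,owner\nSVR-PROD-DB-04,Argyle MSP\n")
    return review_dir


def demo() -> tuple[dict, dict]:
    """Seal a clean review, then show what edits made after sealing look like."""
    review_dir = build_sample_review()
    write_manifest(review_dir)
    clean = verify_manifest(review_dir)
    # Simulated post-submission changes: an evidence file quietly rewritten,
    # one artefact deleted, one dropped in without re-sealing the manifest.
    (review_dir / "VM_vulns_acme_20260407.csv").write_text(
        "asset,cve,age_days\nSVR-PROD-DB-04,CVE-2025-1094,30\n"
    )
    (review_dir / "TruRisk_Report.pdf").unlink()
    (review_dir / "late-addition.xlsx").write_bytes(b"constructed")
    return clean, verify_manifest(review_dir)


if __name__ == "__main__":
    before, after = demo()
    print("sealed review verifies:", before["ok"])
    print("after post-submission changes:", after)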

How it works

A five-step journey. Strategy and operation, fused.

  1. Discover

     Your security posture and obligations mapped against your existing controls. Gap assessment delivered as a working document, not a slide deck, that becomes the starting point of your SCMS.

  2. Design

     We co-build master controls and verification criteria for your environment. Your existing control language is preserved; what's missing is added; what's vague is sharpened. NIS2 and NIST CSF v2.0 mappings are designed in from day one.

  3. Automate

     AI skills execute the reviews using dialogue-driven verification, professional scepticism, and evidence challenge. Your team operates the system. We coach them in.

  4. Prove

     Every review yields SHA-256 hashed evidence manifests, a YAML audit trail, named artefacts, and board-ready reports. Auditors get one answer to every question: open the manifest.

  5. Improve

     Actions auto-route to stakeholder agendas. Exceptions are governed and time-bound. Quarterly advisory calls keep strategy aligned with operation as the system evolves and your security posture strengthens.

What you get

Concrete artefacts. From day one of operation.

Drawn from a reference deployment running today inside a major Irish standards body.

  • 18 master control areas covering Monitoring, Vulnerability Mgmt, IAM, Asset Mgmt, Data Protection, Network Security, Awareness, Oversight, and more.
  • 200+ sub-control verification criteria, each with explicit evidence requirements and pass/fail logic.
  • SHA-256 hashed evidence manifests per review (manifest.sha256): cryptographic integrity, verifiable on demand.
  • YAML review index, action log, review log: the entire compliance history in machine-readable, version-controllable form.
  • 4 auto-routed stakeholder agendas covering SOC, MSP, Management, Risk & Audit Committee. Findings land where they need to.
  • 6 reusable AI skills covering the full lifecycle: create-master-control, perform-review, modify-control, submit-review, scms-utilities, deploy-skills.

AI in action

The AI doesn't rubber-stamp. It audits.

Quoted verbatim from the SCMS skill files. Verifiable.

  • Act as an independent auditor, not a passive scribe.
  • Challenge weak evidence: "That screenshot doesn't show a timestamp. Can you provide dated evidence?"
  • No rubber-stamping. Each criterion needs a specific evidence reference, not just "all looks fine".
  • Exceptions require documented justification, valid_until date, and an auditor note. Maximum 12 months.

Frameworks & certifications

Mapped from the ground up. Not retrofitted.

  • NIS2 Article 21(2): full coverage
  • NIST CSF v2.0: function mapping
  • ISO 27001 Annex A: alignment
  • Cyber Essentials Baseline: controls

Consultant certifications: CISSP · CCSP · CISM · CRISC · CDPSE

Why this is different

Not a SaaS. Not a slide deck. A system you own.

Security first, compliance follows

The system is designed to actually improve security posture. Compliance with NIS2 and NIST CSF v2.0 is a property of the system, not the goal of it.

Documents itself as you work

The SCMS captures every control, decision, evidence reference, and outcome automatically as part of operating. Documentation is a side-effect, not a project.

Cryptographic evidence

Integrity is mathematically verifiable, not vendor-attested. SHA-256 manifests cover every artefact in every review.

Owned and yours to change

The skills, controls, evidence, and reports live in your environment. Modify, extend, retire what doesn't fit. The system bends to your business, not the other way.

No per-seat fees

No per-review licensing. No "premium" tier for the audit features. Cost is your engagement, not a meter that runs forever.

AI upskilling, built in

Your GRC and security team learn applied AI by operating a real system that earns its keep. The training is the work.

About

John Farrelly

Managing Director and Principal Consultant
CISSP · CCSP · CISM · CRISC · CDPSE

I've spent decades inside IT management, security and risk programmes, from retail and financial services to standards bodies. Senior security consulting and vCISO leadership are still core to what I do every day.

I built the AI-Driven SCMS to solve a problem I hit repeatedly as a consultant: reports go in drawers, SaaS dashboards stop being checked, and real security improvement gets lost in the process of demonstrating compliance. The SCMS flips that. Real security is the work. Compliance falls out of it.

If you need senior security expertise, ongoing CISO leadership, or a system that actually moves your security posture forward, we should talk.

Book a discovery call

Reference deployment

Operating today inside a major Irish standards body.

  • 18 master controls under management
  • 200+ sub-control criteria reviewed
  • Monthly & quarterly automated review cadence
  • 100% NIS2 Article 21(2) mapping

"The SCMS turned a quarterly compliance scramble into a monthly cadence of evidenced reviews. Auditors stopped asking where's the evidence and started asking what changed since last month."

Reference deployment, anonymised pending naming approval.

More named case studies will appear here as clients agree to be referenced.

Common questions

FAQ

What's actually on offer?

Three things, taken individually or together: senior security consulting (assessments, advisory, architecture, IR support), virtual CISO services (ongoing strategic security leadership), and the AI-Driven SCMS (a co-built system that operates your controls and improves real security posture).

Can I engage for consulting or vCISO without the SCMS?

Yes. Consulting and vCISO are core services on their own. The SCMS is the differentiator we add when you want real security improvement built into your operating rhythm, not a separate workstream.

How is "AI-Driven" different from a normal SCMS?

A normal SCMS is a record-keeping system. The AI-Driven version uses AI skills as an independent auditor: it interrogates evidence, refuses rubber-stamping, surfaces patterns a busy team would miss, and drives genuine security improvement period over period. Compliance is a side-effect of doing the work properly.

Is the SCMS a product I license?

No. It's a way of working you own. No licences, no per-seat fees, no vendor lock-in. The skills, controls, and evidence all live in your environment.

Does the AI replace my security team?

No, it amplifies them. Your team operates the SCMS. AI does the rigour-heavy work (evidence verification, review documentation, cryptographic hashing, agenda routing). Your people do the judgement work, faster.

How does the automatic documentation work?

Every review, decision, evidence reference, action, exception, and outcome is captured by the system as the work happens. The output is structured Markdown and YAML you can read, search, and version-control. Your auditor (internal or external) gets a complete, current record without anyone writing a separate report. Documentation is a side-effect, not a project.

How does this improve my security and meet NIS2?

Every control is mapped to NIS2 Article 21(2) and NIST CSF v2.0 by design. Each review run produces concrete remediation actions and metrics-out-of-tolerance, so security posture demonstrably improves period over period. Compliance reporting is generated from the same data.

What happens if the AI changes?

You own the skills, controls, and evidence. Methodology persists. The AI engine is replaceable, the system is not. Your audit trail stays intact regardless.

Do I need AI engineers to run this?

No. Your existing GRC and security team works alongside the AI. We coach them in. Your team upskills in applied AI as part of the work, at no extra cost.

How long until first audit-ready review?

Weeks, not months. Discovery to first live review is typically four to six weeks, depending on how much existing control documentation you bring to the engagement.

Get in touch

Book a discovery call.

A 30-minute conversation. We'll talk through your security priorities, where consulting or vCISO services would help, and whether the AI-Driven SCMS makes sense for your environment. No deck, no pitch.

  • Services: Security Consulting · vCISO · AI-Driven SCMS
  • Location: Dublin, Ireland
  • Working with: Irish and EU organisations across regulated and unregulated sectors
  • Confidentiality: NDAs welcome before any technical detail is shared

We'll only use your details to reply. See our privacy notice.