Fractional GRC consultancy · UK & EU
A free NIST CSF 2.0 maturity self-assessment, policy packs aligned to ISO 27001, and lightweight GRC tooling — built by a senior consultant for organisations of 10–150 people. Launching 2026.
What’s coming / Three products
01 The assessment
A free, honest cybersecurity maturity assessment mapped to NIST CSF 2.0. About twenty minutes. Plain-English output, no upsell, no sales call.
Coming first · 2026
02 Policy packs
Policy and control documentation aligned to ISO 27001 and NIST CSF 2.0, written for the people implementing controls. Optional Policy-as-a-Service retainer.
Coming soon
03 GRC tooling
A risk register, control effectiveness testing, and supplier assurance — built for SMBs who find enterprise GRC platforms overkill.
Coming soon
Who it’s for / Trigger events
Most people who land here arrived because something specific happened. A customer sent a 200-question security questionnaire. The board agreed to pursue ISO 27001 by year-end. An insurer asked for evidence of controls before quoting. A tender now requires Cyber Essentials. NIS2 or DORA suddenly applies, and the timeline is shorter than anyone expected.
Bastion360 is being built for the businesses these things actually land on — typically 10 to 150 people, without a full-time CISO, where compliance is one part of someone’s job and the deadline is real.
The approach / Philosophy
Bastion360 is run by a Senior InfoSec GRC Consultant with deep ISO 27001, NIS2, and NIST CSF 2.0 experience — on both the implementation and audit sides. Everything published here is written for the people who have to do the work, not for the auditor’s slide deck.
The output is audit-defensible. The language is plain. The scope is honest about what your business actually needs versus what a vendor wants to sell you.
AI is used for the parts it’s genuinely good at — first drafts, control mapping, evidence triage, document comparison. It is not the product. The product is the judgement that decides what to keep, what to throw away, and what to push back on.
Compliance theatre is expensive and fragile. Real GRC is cheaper to run, and holds up the day it’s tested.
Early access
Subscribers get the NIST CSF 2.0 maturity assessment on the day it launches, plus occasional practitioner notes on GRC — short, infrequent, written by a human.
No marketing sequences. No AI-generated newsletters. No sales calls.