Most security-engineering-led organizations underbuild their GRC function until an enterprise sale, a regulator inquiry, or an audit request forces the work. The result is a months-long catch-up project that pulls senior engineering attention away from product work and produces compliance documentation that ages poorly because it was written for a specific audit rather than for ongoing operations.
Melina supports GRC work for connected-product, SaaS, and AI-product organizations — primarily ISO 27001 and SOC 2 readiness, MLPS coordination for China-market operations, and vendor-risk management infrastructure.
What this service covers
ISO 27001 and SOC 2 readiness
For SaaS and product companies entering enterprise sales motions, ISO 27001 certification and SOC 2 attestation are typically sales prerequisites. We support pre-audit readiness, control-design and operational-evidence remediation, and engagement-cadence coordination with the accredited audit firm.
Engagement scope:
- ISO/IEC 27001:2022 gap assessment (Annex A controls + management-system requirements)
- AICPA Trust Services Criteria gap assessment for SOC 2 (Type I or Type II target)
- Policy and procedure drafting integrated with the existing organizational documentation
- Technical-control remediation alongside the engineering team
- Audit-firm coordination (we are not the auditor)
See Solutions — ISO 27001 & SOC 2 readiness for the structured solution view.
MLPS coordination for China-market operations
China’s MLPS is typically a market-entry prerequisite for SaaS and connected products operating in mainland China. We coordinate the readiness work end-to-end: classification scoping, technical gap assessment against GB/T 22239, remediation alongside the engineering team, and accredited assessor coordination.
See Solutions — MLPS Readiness for the structured solution view.
Vendor-risk management
Modern SaaS architecture incorporates dozens of third-party services — each a potential supply-chain risk. We support vendor-risk management infrastructure:
- Third-party-service inventory and credential scope mapping (which API keys, OAuth scopes, and data sets each vendor integration can reach)
- Vendor security-posture review (vendor-provided SOC 2 / ISO 27001 attestations, security questionnaire responses)
- Vendor-onboarding security review process design
- Incident-response plan coverage for vendor-side compromises
Privacy compliance coordination
For organizations processing personal information across multiple jurisdictions:
- PIPL compliance coordination for mainland-China users
- GDPR compliance posture for EU users
- Privacy-impact assessment readiness
- Cross-border data transfer mechanism selection and implementation (PIPL security assessment, standard contract, or certification route; GDPR standard contractual clauses, adequacy decisions, or binding corporate rules)
- Data Subject Access Request (DSAR) workflow design
We coordinate with the client’s legal counsel on regulation-specific interpretation; the policy guidance we provide is operational and process-oriented rather than legal opinion.
Control-set design and policy framework
For organizations building security and compliance documentation from a low maturity baseline, we support control-set design — translating the requirements of the applicable standards into operational controls that the engineering and operations teams can actually run.
The goal is documentation that engineering teams can follow, not documentation that exists to satisfy auditors. Compliance documentation that doesn’t match operational reality fails audits in worse ways than missing documentation.
Audit and assessor coordination
Throughout the engagement, we coordinate with the client’s chosen accredited audit firms, assessors, and certification bodies. We provide technical input, control descriptions in audit-compatible language, evidence packages organized to the auditor’s likely sampling frame, and traceability between findings and control objectives.
We are not the audit firm. The certification or attestation is issued by the accredited body.
Methodology
GRC engagements follow a structured cycle: posture assessment → gap remediation plan → remediation execution alongside engineering → pre-audit readiness validation → audit support. Engagement length is shaped by starting maturity, audit-firm selection timing, and the specific certification or attestation target.
What this service does not include
- Issuance of certifications or attestations — issued by accredited bodies
- Legal opinion on regulation interpretation — provided by the client’s legal counsel
- Audit-firm selection — client-driven (with our input where requested)
Compliance frameworks we work within
- ISO/IEC 27001:2022 and ISO/IEC 27002:2022
- ISO/IEC 27017 (cloud-services security controls)
- ISO/IEC 27018 (protection of personal information in public-cloud processing)
- AICPA Trust Services Criteria (SOC 2)
- MLPS 2.0 (GB/T 22239)
- PIPL, DSL, and the CII Security Protection Regulations (China)
- GDPR (EU)
- CSA STAR (Cloud Security Alliance)
- NIST CSF 2.0
- NIST SP 800-53 control families
Engagement model
| Scope | Engagement model |
|---|---|
| Single-framework readiness assessment | Scoped Assessment |
| End-to-end multi-framework readiness | Custom Engagement |
| Ongoing compliance operations support | Retainer |
“Compliance documentation that doesn’t match operational reality fails audits in worse ways than missing documentation. The structural fix is to design controls the engineering and operations teams can actually run, not controls that exist only to satisfy auditors. That shift in framing changes the engagement model from a documentation project to a process-engineering project.” — Tatiana K., CEO, Melina Security
What buyers ask us first
Three questions surface in nearly every initial GRC discovery call:
“How does GRC readiness coordinate with our security-engineering roadmap?” Most efficiently when treated as the same roadmap, not parallel ones. Compliance frameworks (ISO 27001, SOC 2, MLPS) impose controls that are operationally similar to controls a mature security program would already build. The readiness path is to design controls once that satisfy both internal engineering goals and external audit expectations — which produces a single technical-control posture rather than a security posture and a separate compliance posture.
“Can we run multi-framework readiness in parallel?” Yes, and usually should for organizations with multi-market exposure. ISO 27001 + SOC 2 + MLPS share substantial overlap in technical controls; the documentation framing differs but the underlying engineering work is largely shared. Parallel readiness against shared technical work is materially more efficient than sequential single-framework engagements.
“How does the engagement coordinate with our chosen audit firm?” We coordinate directly with the audit firm throughout — providing technical input, control descriptions in audit-compatible language, evidence packages organized to the auditor’s likely sampling frame. The accreditation frameworks require separation between the readiness provider and the audit firm: ISO/IEC 17021-1 bars a certification body from certifying a management system it helped build, and AICPA independence rules bar a service auditor from attesting to readiness work it performed itself. Our engagement model respects that separation. Most clients select the audit firm before or during the readiness engagement; we provide input on audit-firm selection where requested but do not select on the client’s behalf.
Frequently asked questions
Are you our auditor?
No. The certification or attestation is issued by an accredited audit firm. We support the readiness work and coordinate with the audit firm; we do not issue the attestation. This separation is standard practice and avoids the conflict of interest that the accreditation frameworks specifically prohibit: the body that built the controls cannot also be the body that attests to them.
Can you provide legal opinion on PIPL or DSL interpretation?
We provide operational and process guidance on PIPL and DSL implementation. Legal opinion — particularly on jurisdictional or enforcement interpretation — is provided by the client’s legal counsel. Where our guidance touches a question that requires legal interpretation, we surface it explicitly so the client can engage counsel.
Will GRC work duplicate work our existing compliance team is doing?
The engagement is designed to integrate with the existing compliance function rather than parallel it. Where the client has an existing internal team, our role is to surface gaps the internal team is too close to see, provide structured technical input on the engineering interface, and coordinate with audit firms — not to replace internal compliance work.
How do MLPS readiness and ISO 27001 readiness interact?
MLPS and ISO 27001 share structural patterns (both pair technical controls with management and process requirements, and both are assessed against documented evidence) but differ in scope: MLPS is a graded protection scheme that applies to information systems operated in mainland China, while ISO 27001 certifies an information security management system whose scope the organization defines. For an organization operating in both China and outside, parallel readiness is more efficient than sequential — the engineering work overlaps and the documentation effort can share infrastructure.
Can we engage you for just one framework, not both?
Yes. Single-framework readiness is a common engagement scope.
How long does multi-framework readiness typically take end-to-end?
For an organization with mature engineering processes targeting ISO 27001 + SOC 2 Type II in parallel: 6-12 months from kickoff to audit-ready state, including 3-6 months of evidence-collection observation window for SOC 2 Type II. Adding MLPS readiness to that scope typically extends the timeline by 3-5 months due to the Chinese-entity formation and accredited-assessor coordination on top of the technical work.
What happens if our chosen audit firm asks for evidence we don’t yet have?
This is normal at the first audit cycle and is one reason we structure pre-audit readiness with deliberate evidence-collection windows. Where the audit firm surfaces evidence gaps mid-cycle, we work with the client to determine whether the gap is recoverable within the current cycle (often yes — the gap is usually documentation rather than missing controls) or whether the scope needs adjustment with the audit firm. Pre-audit readiness work materially reduces the frequency and impact of these mid-cycle surprises.
Related
- Solutions — ISO 27001 & SOC 2 readiness
- Solutions — MLPS Readiness
- Solutions — Supply-Chain Security
- Companion research: MLPS Compliance Pathways for Overseas SaaS
- Methodology