Governance, Risk & Compliance

GDPR, NIS2, and ISO 27001 compliance is not a bolt-on. It is built into how we deliver managed IT. Every COSAINT tier contributes to your compliance posture, with deeper capability as you move up.

What we do

Compliance is not about documents gathering dust in a folder. It is about demonstrable, evidence-backed controls that satisfy auditors, regulators, and your own board. We build those controls into your IT environment from day one.

Every COSAINT tier includes security controls that map to GDPR, NIS2, and ISO 27001 requirements — MFA, encryption, 24/7 monitoring, endpoint protection, and automated reporting. As you move up tiers, the compliance capability deepens: conditional access policies, device compliance, full Defender Suite, and ultimately the complete Purview and Cyberday stack at Strategic.

For organisations pursuing formal certification or preparing for regulatory audits, our GRC add-on provides the structured compliance programme: ISMS platform, policy frameworks, control mapping, workshops, and audit preparation.

Frameworks we cover

Three frameworks, one integrated approach. Our controls satisfy overlapping requirements simultaneously.

GDPR

General Data Protection Regulation

The EU regulation governing the processing of personal data. Applies to every organisation handling EU residents' data, regardless of size.

Key requirements

  • Article 32 — appropriate technical and organisational measures for data security
  • Article 33 — 72-hour breach notification to supervisory authority
  • Article 35 — data protection impact assessments for high-risk processing
  • Article 28 — documented processor agreements and sub-processor management

How we help

We implement the technical controls (encryption, access management, DLP, backup) and provide the documentation and evidence trail that demonstrates GDPR compliance. Purview at Strategic tier adds data classification and DLP policy enforcement.

NIS2

Network and Information Systems Directive 2

EU directive on cybersecurity for essential and important entities. Transposed into Irish law (and into the national law of other member states) with significant penalties for non-compliance.

Key requirements

  • Article 21 — risk management measures including incident handling and business continuity
  • Article 21(2)(d) — supply chain security and vendor risk management
  • Article 23 — 24-hour early warning and 72-hour incident notification
  • Article 20 — management body accountability and cybersecurity training

How we help

Our security baseline maps directly to NIS2 technical measures. Blackpoint provides the 24/7 monitoring that Article 21 expects. For clients in scope, we provide documented risk assessments, incident response plans, and the board-level reporting that Article 20 requires.

ISO 27001

ISO/IEC 27001:2022 Information Security Management

The international standard for information security management systems (ISMS). Increasingly expected by enterprise clients, partners, and insurers.

Key requirements

  • Annex A.5 — organisational controls (policies, roles, asset management)
  • Annex A.6 — people controls (screening, awareness training, disciplinary process)
  • Annex A.7 — physical controls (secure areas, equipment)
  • Annex A.8 — technological controls (endpoint, access, cryptography, logging)

How we help

We set up and maintain your ISMS in Cyberday, map controls to Annex A, build evidence libraries, and prepare you for certification audits. Our security stack covers the majority of A.8 technological controls out of the box.

Compliance across our tiers

Every tier contributes to your compliance posture. Higher tiers add deeper controls and formal compliance management.

1. COSAINT Cyber

EUR 35/user/mo

Security baseline — foundation for compliance

  • Blackpoint MDR (24/7 SOC) — evidence of continuous monitoring
  • Email threat protection — demonstrable email security controls
  • SPF/DKIM/DMARC configuration — domain authentication
  • Baseline security gap report — starting point for compliance assessment

Not a compliance tier, but the security baseline that every compliance framework expects you to have in place.

2. COSAINT Essentials

EUR 60/user/mo

Identity controls and access management

  • Entra Conditional Access — MFA enforcement, location and risk-based policies
  • MDO P1 — Safe Links, Safe Attachments, anti-phishing policies
  • SaaS Backup — data protection and recovery capability
  • Monthly security reports — evidence trail for auditors

Adds the identity and access management controls required by GDPR Article 32, NIS2 Article 21, and ISO 27001 Annex A.8.

3. COSAINT Managed

EUR 85/user/mo

Endpoint hardening and device compliance

  • MDE P1 — endpoint hardening, ASR rules, vulnerability management
  • Intune device compliance — enforced encryption, update policies
  • Defender for Cloud Apps — shadow IT discovery and control
  • 1Password Business — credential management and access controls

Adds the technical measures for endpoint security and device management that auditors check for ISO 27001 A.8 and NIS2 Article 21(2)(d).

4. COSAINT Complete

EUR 115/user/mo

Defender Suite and GRC add-on eligible

  • Full Defender Suite — MDE P2 (EDR), MDO P2, Entra P2/PIM
  • Attack Simulation Training — security awareness evidence
  • Eligible for GRC add-on (Foundations, Managed, or Comprehensive)
  • Full helpdesk with SLA-tracked incident response

The minimum tier eligible for the GRC add-on. Provides the full Microsoft security stack that compliance frameworks require.

5. COSAINT Strategic

EUR 150/user/mo

Comprehensive compliance built in

  • Cyberday ISMS — ISO 27001, NIS2, GDPR compliance platform
  • Microsoft Purview Suite — DLP, Insider Risk, eDiscovery, Audit Premium
  • Microsoft Sentinel — SIEM for logging evidence (A.8.15/A.8.16)
  • Defender EASM — external attack surface management
  • vCISO advisory and board-level compliance reporting

Full compliance capability built into the base tier. No separate GRC add-on needed — ISMS, Purview, Sentinel, and vCISO are all included.

GRC & Compliance FAQ

Do I need to be on a specific tier for compliance support?

Every COSAINT tier includes a security baseline that supports compliance. For formal compliance programmes (ISMS, certification preparation, regulatory audits), we recommend COSAINT Complete with the GRC add-on, or COSAINT Strategic, which includes comprehensive compliance capability in the base tier.

What is the difference between the GRC pillar and the GRC add-on?

The GRC add-on is a per-tenant monthly service that adds formal compliance management (Cyberday ISMS, workshops, audit preparation) on top of COSAINT Complete. This pillar page explains our overall GRC capability and how compliance readiness builds across all tiers. If you need the full compliance programme, see our GRC add-on pricing.

Can you guarantee we will pass an ISO 27001 audit?

We cannot guarantee certification — that decision rests with the accredited certification body. What we can do is set up your ISMS, map all controls, build the evidence library, prepare management review documentation, and run internal audits. Our clients have a strong track record of achieving certification on the first attempt.

Is NIS2 relevant to my organisation?

NIS2 applies to essential and important entities across sectors including energy, transport, health, digital infrastructure, ICT service management, manufacturing, and more. If you employ more than 50 people or have turnover above EUR 10 million in a covered sector, you are likely in scope. We can help you assess applicability.

How does GDPR compliance relate to your security baseline?

GDPR Article 32 requires "appropriate technical and organisational measures" for data security. Our security baseline — MFA, encryption, endpoint protection, backup, access controls, 24/7 monitoring — directly addresses these requirements. The Purview suite at Strategic tier adds data classification, DLP, and insider risk management for deeper GDPR controls.

Technology Partners

The tools and platforms we use to deliver governance, risk, and compliance capability.

Ready to get compliant?

Whether you are preparing for NIS2, pursuing ISO 27001, or strengthening your GDPR posture, we will help you build the controls and evidence that regulators expect.

Get in Touch

Or email us at [email protected]