CAPABILITY · LAYER 2
Markets and Compliance
The discipline of staying credible, defensible, and continuously operable as standards, regulators, and buyers raise the bar.
Layer 2 sub-pages: Markets and Compliance (here) · Capital & Environmental Markets →
Cross-pillar bridge: AI Foundation (AI pillar) →
In 30 Seconds
Compliance is no longer just an annual audit cycle. It is a live operational discipline that sits alongside finance, talent, and operations.
Standards and regulations such as ISO 27001, SOC 2, GDPR, and now ISO/IEC 42001 and the EU AI Act define how an organisation demonstrates that it is trustworthy to customers, regulators, partners, and investors. They sit alongside sector regimes (financial services, health, pharma, regulated environmental work), and the AI-specific frameworks are increasingly read into all of them.
Pandion treats compliance as connected work, not a separate world. The disciplines below are part of the same capability picture as strategy, operating model, AI readiness, and talent.
The Disciplines We Recognise
These are the standards and frameworks senior practitioners actually work with. Most organisations encounter several at once, in combinations driven by sector, customers, and risk profile.
Established Standards
- ISO 27001: information security management systems (ISMS)
- SOC 2: AICPA Trust Services Criteria (security, availability, processing integrity, confidentiality, privacy)
- GDPR / UK GDPR: data protection and privacy
- Cyber Essentials / Cyber Essentials Plus: UK baseline technical controls (Plus adds independent testing)
- PCI DSS: payment card account data
- Sector regimes (FCA, MHRA, CQC, environmental permitting, and equivalents)
AI and Emerging Frameworks
- ISO/IEC 42001: AI management systems
- EU AI Act: risk-tiered AI regulation
- NIST AI RMF: AI risk management framework
- OWASP Top 10 for LLM Applications: LLM-specific security risks
- SOC 2 with AI controls: existing Trust Services Criteria applied to AI systems, since no separate AI criteria exist yet
For the AI-specific frameworks, see AI Foundation.
Naming a framework here does not mean Pandion delivers certification for it. It means we recognise the territory and can help an organisation understand where it sits, where it is exposed, and where it needs senior specialist support.
The Work-Types Organisations Encounter
Compliance shows up as concrete work, not as a single project. The labels practitioners use:
Audit readiness
Preparing for a certification or attestation audit: gap analysis against the standard, evidence gathering, control testing, and remediation of the gaps found.
Framework management
Maintaining a live compliance posture across one or more standards as the organisation, technology, and threat landscape change.
Customer assurance response
Responding to vendor due-diligence questionnaires (Shared Assessments SIG, CSA CAIQ, and bespoke formats), customer security reviews, and procurement risk assessments.
Policy development
Writing, reviewing, and updating policies, standards, and procedures that turn frameworks into operational rules.
Incident response
Managing security incidents, breach notification obligations (for example the 72-hour supervisory-authority notification window under GDPR Article 33), root-cause analysis, and post-incident remediation under regulatory pressure.
GRC role design
Designing the right shape of compliance leadership for the stage of the organisation: fractional, embedded, outsourced, or full-time.
Compliance programme leadership
Setting the strategic roadmap, board reporting cadence, risk appetite, and cross-functional coordination that hold the discipline together.
Regulatory horizon-scanning
Tracking incoming regulation, emerging standards, and sector guidance that will change what good looks like in the next 12 to 24 months.
Where Pandion Fits, and Where We Do Not
We work next to compliance leadership, not instead of it. The honest division of labour:
Where Pandion fits
- Operating-model and organisation design with compliance treated as a first-class function, not a bolt-on
- AI readiness and AI governance design that can be assessed against ISO/IEC 42001 and the EU AI Act
- Capability transfer: writing playbooks, training internal teams, and standing up the working method
- Documentation, knowledge architecture, and audit-trail design at the working-system level
- Connecting compliance disciplines to strategy, capital, talent, and delivery so compliance does not sit in a silo
Where Pandion does not fit
- Certification audits or formal attestations
- Sitting as the ongoing GRC leader inside the organisation
- Owning regulatory submissions or filings
- Acting as legal counsel
- Penetration testing or technical security assessment
These are senior specialist disciplines. We work alongside partners who do them well.
Recommended Specialist Disciplines
For ongoing compliance leadership, certification, and the senior judgement that lives next to regulators, we route to specialists. The disciplines below are the partners we look for. Named referral partners are added as relationships are established.
Compliance and GRC leadership
Senior, experienced compliance or GRC professionals operating fractionally or embedded. Owns the live compliance picture for the organisation.
Named referral partner: reserved
Certification body or audit partner
Accredited certification body for ISO 27001, ISO/IEC 42001, and equivalent standards, or a licensed CPA firm for SOC 2 reports. Issues the certificate or attestation report.
Named referral partner: reserved
Data protection lead
Data Protection Officer (DPO), data-protection counsel, or specialist supporting GDPR / UK GDPR posture, data protection impact assessments (DPIAs), and regulator engagement.
Named referral partner: reserved
Technical security assessor
Penetration testing, red teaming, secure code review, and offensive security work.
Named referral partner: reserved
AI governance partner
Specialist on AI risk frameworks, the EU AI Act, ISO 42001, model risk management, and AI assurance.
Named referral partner: reserved
Sector legal counsel
Regulated-sector counsel where filings, licensing, or specific legal opinion is required.
Named referral partner: reserved
For AI-specific frameworks (ISO 42001, EU AI Act, NIST AI RMF, OWASP LLM Top 10) and the question of how AI changes existing compliance posture, the deeper treatment lives at AI Foundation.
Compliance Work That Needs a Connector
If you are mapping a compliance picture, planning an audit, designing a GRC function, or working out how AI changes your existing posture, we are happy to help you see the landscape and route to the right specialists.