A Regulatory Alignment and Policy Review benchmarks your IT and information security policy suite against the specific regulatory instruments that govern your firm — clause by clause, article by article.
Where a generic policy review asks, "Is this good practice?", this review asks the question your regulator will ask: "Where, exactly, does this policy meet — or fail to meet — the requirement?"
Every finding cites the precise provision it relates to: DORA RTS (EU) 2024/1532 Article 2(2)(b) on management-body approval dates; Article 21 on privileged access; FCA SYSC 15A on operational resilience; UK GDPR Article 32 on security of processing. And every finding is anchored to the exact section, paragraph and page of your document, so nothing is left to interpretation.
It is assurance, not an audit. Collaborative, blame-free, and balanced. Strengths are formally credited: Where your policy exceeds the regulatory benchmark (a quarterly privileged-account review where the standard asks for six-monthly, say), the review says so, in writing, with the article reference. That balanced record is itself valuable evidence of a functioning control environment.
The result: An article-mapped findings tracker that doubles as a regulatory evidence pack, feeding your DORA documentation, your FCA operational resilience self-assessment, and your next supervisory conversation.
For a regulated firm, policies aren't just governance hygiene. They're regulatory artefacts. They're read by supervisors, cited in Section 166 reviews, quoted in enforcement notices, and requested in every due-diligence exercise. Let's take a look at the main reasons regulated firms commission a regulatory alignment review.
DORA's technical standard on ICT risk management (RTS (EU) 2024/1532) prescribes what ICT security policies must contain: The date of formal approval by the management body, assigned review cycles, recorded exceptions, consequences of non-compliance, segregation of duties, and detailed requirements for identity and access management, logging, patching, encryption, backup and asset inventories. If your firm is in DORA's scope, or supplies EU financial entities, your policies either meet these articles or they don't. The Regulatory Alignment and Policy review tells you which, article by article.
The operational resilience regime is in its ongoing phase. The transition ended in March 2025, and the FCA has since published its observations from reviewing firms' self-assessments, including criticism of documentation that exists in form but lacks substance. Policies that contradict each other, carry blank or unexplained approvals, or reduce clear requirements to optional “shoulds” are exactly the kind of substance gaps that turn a routine review into a difficult conversation. Cleaning up these inconsistencies now means your next assessment reads as a coherent, intentional framework.
The new operational incident and third-party reporting regime (FCA PS26/2, PRA PS7/26/SS1/26) applies from 18 March 2027. Your incident policies will need to reflect the new definitions, thresholds and 24-hour initial reporting expectation; your supplier policies will need to support the material third-party register and notifications. The review identifies where current wording will fall short of the incoming regime while there's still time to fix it calmly.
Blank "Approved By" fields, review dates that predate the document, & undefined approval authorities aren't cosmetic when senior managers hold personal regulatory accountability. Our review goes through every line of your policies, standards and procedures to surface governance gaps, inconsistencies and missing sign‑offs. We map each document to the right senior personnel, clarify who actually owns what, & highlight where your documents conflict with each other.
As findings are mapped at the article level, the same tracker serves multiple masters: DORA documentation requirements, the FCA self-assessment, SYSC systems-and-controls evidence, ISO 27001 certification, client and insurer due diligence. Your compliance team stops translating between frameworks — the mapping is done.
A first-line self-review is a control; an independent, criteria-based review with cited provisions is evidence. When the auditor or the risk committee asks how you know your policy layer is sound, "We had it independently benchmarked against the applicable articles, here is the tracker and here is the closure record" is a categorically stronger answer.
FCA-authorised firms of every size: Wealth and investment managers, advisers, insurers, payment and e-money institutions, lenders and banks. UK firms with DORA exposure through EU entities, group structures or EU financial-entity clients, and the senior individuals accountable for their control environments: CISOs, Heads of Risk & Compliance, COOs and SMF holders.
Not a regulated firm, or want the broader benchmark? Our Security Policy Assurance Review applies the same locator-level methodology across sectors, benchmarked to good practice, CAF and ISO 27001.
Companion assessments: Policies are the map; capability is the territory. The Operational Resilience Assessment gives your board a measured view of actual resilience against your growth objectives, and the Technical Resilience Assessment does the same for your technical teams, together closing the loop between what your documents promise and what your firm can do.
An independent, article-mapped review you can put in front of the FCA, an auditor or a reviewer with confidence.
The RTS mapping work your compliance team would otherwise have to complete manually gets already done for you.
Findings and closure records drop straight into the FCA operational resilience self-assessment as evidence of a living control environment.
DORA (Regulation (EU) 2022/2554) has applied since 17 January 2025 across its five pillars: ICT risk management, incident reporting, resilience testing, third-party risk and information sharing. For policy purposes, the critical instrument is the ICT risk management RTS (EU) 2024/1532, which converts the regulation into checkable policy requirements. Examples of the article-level checks the review performs:
Findings cite these provisions directly, so the tracker functions as a ready-made component of your DORA evidence base. UK-only firm? We apply DORA as a transparent benchmark baseline — the strictest widely recognised statement of ICT policy content — giving you headroom against every other framework you face.
The review benchmarks your suite against the FCA fabric your policies must support: SYSC systems-and-controls obligations; the operational resilience regime (PS21/3 / SYSC 15A, PRA SS1/21) — where your policies are evidence for the self-assessment the FCA is now actively reading in its ongoing phase; record-keeping and communications rules (including approved-channel and call-recording expectations for client communications); SM&CR accountability for the governance of the suite itself; and the incident and third-party reporting regime (PS26/2 / PS7/26) applying from 18 March 2027, against which your incident classification, escalation and supplier policies are checked for forward compatibility. Where relevant, findings also reference Principle 11 / SUP 15 notification expectations, so incident policies point staff to the right regulatory reflexes.
Financial entities are primarily DORA's territory (as lex specialis), but NIS2 matters to many financial groups anyway: group service companies, data-centre and ICT subsidiaries, or affiliates in NIS2 sectors can be in scope, and your critical suppliers almost certainly are. NIS2's Article 21 measures expressly require policies — on risk analysis and information system security, cryptography, access control and supply-chain security — with management bodies accountable for approving them. The review flags where your suite would satisfy those expectations, and where supplier-facing policies should require NIS2-grade assurances from the vendors you depend on. For UK operations, the incoming Cyber Security and Resilience Bill extends NIS-style duties to managed service providers, data centres and designated critical suppliers — directly relevant to the third parties in your supply chain.
The NCSC's Cyber Assessment Framework (CAF v4.0) — four objectives, fourteen principles, forty-one contributing outcomes — is the UK's common language for cyber resilience oversight, and its influence is spreading beyond essential services into the expectations of every UK regulator, the FCA included.
Two parts of the CAF bear directly on this review: Objective A (managing security risk — governance, ownership, approval and communication of policy) and Principle B1 — Service Protection Policies, Processes and Procedures, which asks whether policies are proportionate, communicated, and demonstrably followed rather than merely written. The review maps findings to the relevant CAF outcomes and flags wording that would make an outcome hard to evidence as "achieved" — useful both for firms with CAF-assessed entities in the group and as a forward indicator of UK supervisory direction.
ISO/IEC 27001:2022 (cl. 5.2 and Annex A), current NCSC guidance (applied as living guidance — e.g. modern positions on password complexity, expiry, passphrases and passwordless), Cyber Essentials / Plus, and UK GDPR / DPA 2018 (Arts. 5 and 32) wherever policies touch client or employee personal data.
(Note: This review provides independent assurance and regulatory relevance mapping. It is not legal advice, a compliance certification, or a substitute for a formal legal or regulatory opinion. Regulatory applicability depends on your firm's legal structure, permissions and activities.)
not "improve access control" but the specific sentence to change and what it should say.
Independent re-review of updated policies to confirm issues are fixed and evidence progress for governance, audit and regulators.

It's an independent review that benchmarks your IT and security policy suite clause-by-clause against the regulatory instruments applicable to your firm — principally DORA and its ICT risk-management RTS, and FCA rules including SYSC and the operational resilience regime. Every finding cites the specific article or rule, is traceable to the exact location in your document, carries a priority and a practical fix, and strengths are credited with the same rigour.
Same methodology, different lens. The Security Policy Assurance Review benchmarks primarily against good practice — NCSC guidance, ISO 27001, CAF, Cyber Essentials — for any organisation. The Regulatory Alignment & Policy Review leads with the law: article-level mapping to DORA's RTS and FCA rules, forward flags for incoming regimes, and outputs designed to slot into regulatory evidence packs. Regulated financial firms typically choose this one; both credit strengths and deliver the same living tracker.
More than most suites currently include. DORA's ICT risk-management RTS (EU) 2024/1532 requires ICT security policies to record the date of formal approval by the management body, assign review cycles, record exceptions, specify consequences of non-compliance, list the documentation to be maintained and address segregation of duties — plus detailed content requirements for identity and access management, logging, patching, encryption, backup and asset inventories. The review checks your documents against these provisions article by article.
Possibly not directly, DORA applies to financial entities operating in the EU and to their critical ICT providers, so a purely UK firm is typically out of direct scope unless it has EU entities, group exposure or EU financial-entity clients. But we apply DORA as a transparent benchmark baseline regardless, because it's the most demanding widely recognised statement of ICT policy content: a suite aligned to DORA meets FCA, CAF and ISO expectations with headroom, and you're already prepared if EU exposure arrives.
The self-assessment is a living document the FCA now actively reviews, and it must be substantiated — not just complete in form. Our findings and your closure records provide dated, independent evidence that the policy layer underpinning your important business services is governed, consistent and benchmark-aligned; strengths credited in the review can be cited directly, and remediated gaps demonstrate exactly the "living programme" the FCA has said it wants to see.
Yes, as forward-looking flags. The FCA's PS26/2 and the PRA's PS7/26 apply from 18 March 2027, introducing a common definition of an operational incident, reporting thresholds, an initial report generally expected within 24 hours, and notification plus an annual register for material third-party arrangements. The review checks whether your incident classification, escalation and supplier policy wording will support those obligations, and flags what to change while there's still runway.
No. It's independent assurance with regulatory relevance mapping: we show precisely where your policies align with, or fall short of, cited provisions, but we don't issue legal opinions or compliance certificates, and regulatory applicability ultimately depends on your firm's legal structure and permissions. Many clients use the review to focus and reduce subsequent legal spend — counsel reviews a mapped tracker far faster than a raw policy suite.
Wherever a policy meets or exceeds the benchmark, the review says so explicitly, with the article reference — for example, a quarterly privileged-account review credited against an RTS benchmark of at least six-monthly. This matters because a balanced, evidenced record of a functioning control environment is itself useful regulatory evidence — and because reviews that only catalogue faults get shelved, while fair ones get actioned.
Minimal by design: a scoping call to establish your regulatory perimeter and policy set, then a findings walkthrough with your compliance and IT leads at the end. The review itself is performed on your documents — no workshops, interviews or system access — so it's one of the highest-assurance, lowest-disruption engagements a regulated firm can commission.
The core ICT security set that regulators touch most: passwords and authentication, privileged access, malware and vulnerability management, asset management, data classification and handling, acceptable use and mobile/remote working, plus incident-related and supplier-facing policies given the 2027 regime. A typical engagement covers five to fifteen documents, agreed at scoping — and reviewing them as a suite is essential, because cross-policy contradictions are among the most significant regulatory findings.
Annually as a baseline — matching the review cycles DORA's RTS and ISO 27001 expect your policies themselves to have — and sooner after material change: new permissions or business lines, EU exposure bringing DORA into direct scope, the run-up to the March 2027 reporting regime, restructuring, or a significant incident. Re-review evidences closure of prior findings against the same articles, completing a demonstrable assurance loop.
They're complementary halves of one question. This review establishes whether your written control environment says the right things — governed, consistent, article-aligned. The Operational and Technical Resilience Assessments measure whether your firm can actually deliver what those documents describe when serious disruption hits. Regulators increasingly probe exactly that gap between documentation and capability; running the policy review and then validating capability with an ORA or TRA closes it from both ends.
"In order for BMJ to the right way forward we looked for a VCISO to advise us on the right way to do things and give us expertise. We went to Cyber Management Alliance and it's been about a year now and we ran workshops, looked at our response to incidents, created the incident response plan and we are in a position now where we understand our way forward. Our VCISO keeps us on our toes and overall it's been a very effective way of delivering expertise into the organisation that we wouldn't have normally had."
Aaron Townsend, Service Delivery Manager, British Medical Journal
One scoping call to map your regulatory perimeter. One document-based review. One tracker your compliance team will use for years.