
“We were told it was impossible. We did it in less than a month.”

  • Jun 8

How Gabriel Greenfield Achieved CyberVadis Certification and Transformed Itself into a Trusted Digital Third Party.


A few weeks ago, a major client sent us a request that we were familiar with in form but had never fully addressed before: to provide a CyberVadis attestation to continue our business relationship. A questionnaire with 32 checks covering governance, data protection, technical security, incident management, and business continuity.


For a consulting firm of 15 people, operating 100% remotely, with no CIO, no legal department, and no dedicated compliance budget, the initial reaction could have been to give up.


We chose the other option.


Act I — The Brutal Assessment


The first step was to reject self-delusion. We conducted an honest assessment of our actual posture against the 32 CyberVadis criteria, immediately cross-referencing them with three other standards we already had in mind: GDPR, ISO 27001, and ISO 42001. That’s where the key insight emerged that changed everything: these four standards largely address the same issues. Governance, access management, data protection, incident traceability: these are requirements that can be shared. Every document produced for CyberVadis would simultaneously serve ISO 27001. Every piece of technical evidence collected in Azure would feed into ISO 42001. Our outsourced DPO would help us with the rest.

This sharing of resources wasn’t a shortcut. It was the method.


Act II — The 25-Day Plan


We structured an operational action plan spanning 25 business days. Thirty-two items. Sixty questions. Twenty-five milestones, one per day. Each check was associated with three elements: a policy document (the design proof), a technical configuration in our Microsoft 365 tenant (the technical proof), and a SharePoint archive (the auditor proof).

Critical priorities first. Days 1 to 5: an Information Security Policy signed by management, password management and MFA in Microsoft Entra ID, privileged access control, and securing remote access. Then the high priorities. Days 6 to 20: M365 backups, email security, Defender for Office 365, mobile device management, BYOD, web filtering, and GDPR compliance. Finally, monitoring and audit controls.


This wasn’t a project. It was an operation. A mission.


Act III — The Partnership with AI


I must be honest about one element that was decisive and that many still hesitate to mention publicly: Claude, Anthropic’s AI, was a full-fledged working partner in this program.

Not to replace human judgment. Not to sign documents. But to significantly reduce the time required to produce documentation that, without it, would have taken several weeks or months to draft. In just a few hours of collaborative work, we produced an Information Security Policy, an Information System Charter, a BYOD Policy, an Email Policy, a Web Filtering Policy, a GDPR Processing Register, an AI Systems Register, an Incident Management Procedure, and a Risk Register, all featuring Gabriel Greenfield-branded headers, a CISO + DPAIO + CEO signature block, and systematic multi-standard mapping (CyberVadis, GDPR, ISO 27001, ISO 42001). We can trace exactly how each requirement is covered by each action taken.

Every document generated was immediately reviewed, contextualized, and validated by our CISO Quentin and me. The AI produced the content. Humans exercised judgment. It was this collaboration that made the impossible deadline possible.


Act IV — Vanta / ISO 27001 / ISO 42001 Integration


What could have been a standalone sprint became the foundation of a comprehensive compliance program. Every document produced within the CyberVadis framework was simultaneously mapped to ISO 27001:2022 and ISO 42001:2023. The Vanta platform, which we integrated into our Microsoft 365 tenant, automatically collects control evidence and generates a real-time dashboard.


We are targeting ISO 42001 certification, the first international standard for AI management systems, for Q4 2026. For a firm whose clients include banks, financial institutions, and regulated entities, this sends a strong signal: we don’t just advise on digital transformation and AI. We embody it, we live it, we certify it.


Epilogue — The Metamorphosis

In less than a month, Gabriel Greenfield is no longer just a transformation consulting firm. We have become a trusted third party: an organization whose security posture, data governance, AI management, and operational resilience are documented, proven, and auditable.


This isn’t just a box to check. It’s a profound transformation of our professional identity.

For our banking clients, who operate under DORA, NIS2, ECB requirements, and ACPR recommendations, working with a provider that can present a complete compliance dossier is no longer a “plus.” It’s a prerequisite.


We’ve chosen to make this our competitive advantage.



© Gabriel Greenfield
