What we do

Seven Practice Areas.
One Integrated Partnership.

Every service we offer is designed to work alongside the others — governance, privacy, and security aligned under one roof, for every regulation your organisation faces.

01 · AIMS 02 · PIMS 03 · DPDP Act 04 · Training 05 · Advisory 06 · Security Audits 07 · AI Security
Practice 01

AI Management Systems (AIMS)

ISO/IEC 42001:2023 — with EU AI Act compliance integrated
ISO 42001 · EU AI Act · Gap to Certification · AI Governance

ISO/IEC 42001 is the world's first internationally recognised standard for AI governance — applicable to any organisation that develops, deploys, or uses AI systems. It provides a certifiable framework to govern AI responsibly, demonstrably, and sustainably. Our AIMS practice guides you from initial awareness through to certification, with EU AI Act compliance built in at every stage.

Assessment services

AI Governance Gap Assessment

A structured clause-by-clause review of your current practices against ISO 42001 requirements. Produces a prioritised remediation roadmap with clear milestones and effort estimates.

AI System Inventory & Classification

Discovery and cataloguing of all AI systems in use — including third-party tools and embedded models — with risk classification to inform scope and prioritisation decisions.

AI Risk Assessment

Structured identification and scoring of AI-specific risks including bias, explainability gaps, model drift, data quality, and transparency failures — assessed against your organisational risk appetite.

AI Impact Assessment (AIIA)

Formal assessment of the potential impacts of AI systems on individuals, communities, and your organisation — a core ISO 42001 control requirement and a prerequisite for many EU AI Act obligations.

Vendor AI Due Diligence Assessment

Structured evaluation of third-party AI suppliers and tools — covering governance posture, transparency practices, accountability frameworks, and contractual safeguards required under ISO 42001.

EU AI Act Readiness Assessment

Assessment of your AI systems against EU AI Act risk classifications (unacceptable, high, limited, minimal) and identification of applicable conformity obligations, documentation requirements, and timelines.

Implementation services

AIMS Design & Build

Full design and implementation of your AI Management System — scope definition, context analysis, stakeholder mapping, and all required management processes aligned to ISO 42001 clauses 4–10.

AI Policy & Objectives Framework

Drafting and embedding your AI Policy, organisational AI objectives, and board-level accountability structures — aligned to your business strategy and regulatory obligations.

AI Roles & Responsibilities Framework

Clear definition of AI governance roles across the organisation — from board-level accountability and AI ethics oversight through to operational model ownership and incident reporting.

AI Incident Management Process

Design and implementation of AI incident detection, escalation, response, and learning procedures — ensuring your organisation is in control when AI systems behave unexpectedly.

Human Oversight Framework

Embedding meaningful human oversight mechanisms into AI decision-making workflows — a critical requirement of both ISO 42001 and the EU AI Act, particularly for high-risk AI applications.

AI Procurement & Supplier Governance

A structured framework for governing the acquisition and ongoing management of AI tools, platforms, and third-party models — including due diligence criteria, contract requirements, and ongoing monitoring.

Documentation suite

Full AIMS Documentation Package

All policies, procedures, registers, and records required for ISO 42001 certification — professionally drafted and tailored to your organisation's specific AI use cases and risk profile.

AI Use Case Register & Lifecycle Records

Structured registers documenting your AI systems, their purpose, data inputs, outputs, and governance status at each stage of the AI lifecycle — a key ISO 42001 evidence requirement.

AI Acceptable Use Policy

Clear, practical guidance for staff on how AI tools may and may not be used — covering generative AI, third-party tools, and internally developed systems, reducing liability and promoting responsible use.

AI Ethics Guidelines

A documented ethics framework codifying your organisation's values and principles in the design, deployment, and ongoing operation of AI systems — mapped to ISO 42001 Annex A controls.

Audit & certification

ISO 42001 Internal Audit

A rigorous internal audit against all ISO 42001 clauses and Annex A controls, identifying non-conformities and generating a corrective action plan ahead of the certification body audit.

Certification Body Audit Support

Full support through Stage 1 (documentation review) and Stage 2 (implementation audit) — preparation, evidence organisation, audit facilitation, and certification body liaison throughout.

Post-Certification Surveillance Support

Ongoing support to maintain your certified AIMS — managing annual surveillance audits, addressing emerging non-conformities, and embedding continual improvement between three-year certification cycles.

Corrective Action & Improvement Programme

Targeted support to address non-conformities identified during audits, and to establish a structured continual improvement culture within your AI governance function.

Our six-step path to certification:

1. Discovery & scope
2. Gap assessment
3. Documentation
4. Implementation
5. Internal audit
6. ISO 42001 certified

Practice 02

Privacy Information Management (PIMS)

ISO/IEC 27701:2019 — with GDPR and DPDP Act compliance integrated
ISO 27701 · GDPR · DPDP Act · Data Controllers & Processors

ISO/IEC 27701 is the leading international standard for Privacy Information Management — an extension to ISO 27001 that provides a certifiable framework for governing personal data. Our PIMS practice builds your management system with GDPR compliance and DPDP Act alignment embedded from the start, not retrofitted after certification.

GDPR compliance — delivered through PIMS

ISO 27701 maps directly to GDPR Articles 5–49, covering lawful processing, data subject rights, controller and processor obligations, and international transfer safeguards. Every PIMS engagement produces GDPR-ready documentation as standard — your Records of Processing Activities, Data Processing Agreements, and Privacy Notices are all GDPR-compliant upon delivery.

Assessment services

Privacy Gap Assessment

A comprehensive clause-by-clause review of your current privacy practices against ISO 27701 requirements — covering both Data Controller and Data Processor obligations, with a clear prioritised compliance roadmap.

Data Flow Mapping & Personal Data Inventory

End-to-end mapping of personal data across your organisation — what you hold, where it lives, how it moves between systems and third parties, who can access it, and on what lawful basis it is processed.

Privacy Risk Assessment

Identification and evaluation of privacy risks to data subjects arising from your processing activities — assessed against ISO 27701 Annex requirements and mapped to applicable regulatory obligations.

Data Protection Impact Assessment (DPIA)

Structured assessment of high-risk processing activities — a legal requirement under GDPR Article 35 and strongly recommended under the DPDP Act. Covers risk identification, mitigation measures, and residual risk sign-off.

Consent Mechanism Review

Evaluation of your current consent collection, recording, and withdrawal mechanisms — assessing validity, granularity, documentation, and withdrawal ease against GDPR, DPDP Act, and ISO 27701 requirements.

Legitimate Interest Assessment (LIA)

Structured three-part test (purpose, necessity, balancing) to assess whether legitimate interest is an appropriate lawful basis for specific processing activities under GDPR, where consent is not the right mechanism.

Implementation services

PIMS Design & Build

Full design and implementation of your Privacy Information Management System — scoped correctly for your role as a Data Controller, Processor, or both, and aligned to ISO 27701, GDPR, and DPDP Act obligations simultaneously.

Privacy Policy & Notice Development

Clear, legally sound privacy notices and policies for your customers, employees, and third parties — written in plain language that builds trust, meeting GDPR and DPDP Act requirements for transparency and notice content.

Data Subject Rights Fulfilment Processes

End-to-end design of processes to handle Data Subject and Data Principal requests — access, correction, erasure, restriction, portability, and objection — within GDPR and DPDP Act prescribed timelines.

Personal Data Breach Management

Design of your personal data breach identification, containment, notification, and reporting procedures — covering GDPR 72-hour notification obligations and DPDP Act breach obligations to the Data Protection Board.

Privacy by Design Integration

Embedding privacy principles into your product and software development lifecycle — ensuring that personal data protection is addressed at the architecture and design stage, not as a compliance afterthought.

Data Processor Management Framework

A structured framework for selecting, contracting, monitoring, and reviewing third-party data processors — including due diligence templates, processor audit procedures, and sub-processor management.

Documentation suite

Full PIMS Documentation Package

All policies, procedures, templates, and records required for ISO 27701 certification — tailored, professionally drafted, and mapped to both GDPR and DPDP Act obligations for multi-framework compliance.

Records of Processing Activities (RoPA)

A complete, maintained register of all personal data processing activities — mandatory under GDPR Article 30 and required under the DPDP Act, structured for both Controller and Processor perspectives.

Data Processing Agreements (DPAs)

Professionally drafted DPA templates for use with vendors, partners, and sub-processors handling personal data on your behalf — covering all required GDPR Article 28 clauses and DPDP Act processor obligations.

Data Retention & Disposal Policy

A documented, enforceable data retention schedule defining how long personal data is held across each processing category, and how it is securely disposed of — with legally defensible retention rationale.

Audit & certification

ISO 27701 Internal Audit

Rigorous internal audit of your PIMS against all ISO 27701 clauses and Annex A and B controls, with corrective action planning and evidence preparation prior to the certification body audit.

Certification Body Audit Support

End-to-end support through Stage 1 documentation review and Stage 2 implementation audit — preparation, evidence organisation, on-the-day facilitation, and post-audit corrective action support.

Post-Certification Surveillance Support

Ongoing support to maintain your certified PIMS — annual surveillance audit preparation, management of emerging regulatory changes (DPDP rules, GDPR guidance updates), and continual improvement activities.

ISO 27001 + 27701 Extension

For organisations already certified to ISO 27001, a targeted engagement to extend your existing ISMS with a fully compliant PIMS layer — leveraging your current infrastructure for maximum efficiency.

Practice 03

DPDP Act 2023 Compliance

India's Digital Personal Data Protection Act — Advisory, Implementation & Readiness
India · MeitY Rules 2025 · Data Fiduciary · SDF · Advisory

India's Digital Personal Data Protection Act 2023 introduces significant new obligations for any organisation that processes the personal data of Indian residents — whether the organisation is based in India or overseas. With MeitY's implementing rules now active, enforcement is underway. Padmaura Digital Trust brings both the legal understanding and the operational expertise to build your compliance programme before the regulator comes calling.

Why DPDP Act compliance cannot wait

The Data Protection Board of India has the authority to impose financial penalties of up to ₹250 crore per breach. The Act applies to the processing of digital personal data — which means virtually every organisation operating in India is in scope. Building your compliance foundation now, before enforcement matures, is significantly less costly than responding to a regulatory notice.

DPDP Readiness Assessment

A structured review of your current data processing practices against the DPDP Act's obligations — producing a practical, phased compliance roadmap with effort estimates and priority sequencing.

Data Fiduciary Obligations Advisory

Detailed guidance on your obligations as a Data Fiduciary — covering the lawful bases for processing, purpose limitation, data minimisation, storage limitation, and the security safeguards required under the Act.

Consent Manager Integration Advisory

Advisory on integrating with DPDP-registered Consent Managers — ensuring valid, specific, informed, and freely given consent is obtained, recorded, and honoured across all your data touchpoints.

Data Principal Rights Implementation

Design and deployment of processes to honour all Data Principal rights under the Act — access to data summary, correction and erasure, grievance redressal, and nomination — within the prescribed regulatory timelines.

Grievance Redressal Mechanism Design

Design of a DPDP-compliant grievance redressal mechanism — including Data Protection Officer designation (where required), response SLAs, escalation paths, Board appeal procedures, and record-keeping.

Significant Data Fiduciary Advisory

Specialist advisory for organisations likely to be designated as Significant Data Fiduciaries by the Central Government — covering enhanced obligations including Data Protection Impact Assessments, Data Audits, and the appointment of a Data Protection Officer.

Cross-Border Data Transfer Guidance

Advisory on transferring the personal data of Indian residents to countries outside India — covering the Government's permitted countries list, contractual safeguards, and MeitY notification requirements.

DPDP-Compliant Privacy Notice Drafting

Drafting of privacy notices in clear, plain language meeting the Act's specific requirements — including notice of purpose, categories of data, Data Principal rights, and the contact details of the grievance officer.

DPDP Act + ISO 27701: the most efficient compliance path

Implementing ISO 27701 alongside your DPDP Act compliance programme produces GDPR-ready documentation as a by-product — meaning organisations with EU market access or international clients achieve three-framework compliance (DPDP, GDPR, ISO 27701) for the cost of one structured engagement.

Practice 04

Training & Capacity Building

Workshops · Coaching · Internal Auditor Programmes · Academy
In-Person · Online Live · Tailored · All Levels

Certification is only as strong as the people behind it. Our training programmes are designed to build genuine internal capability — not just awareness — so that governance lives in your organisation long after our engagement ends. Every session is tailored to your industry, your AI use cases, and your team's existing knowledge level. We do not deliver off-the-shelf courses; we deliver programmes that make a real difference.

Leadership & governance

ISO 42001 Leadership Awareness Workshop

A focused half-day session for CXOs, board members, and senior leadership — covering AI governance obligations, the business case for AIMS, leadership accountability under ISO 42001, and the EU AI Act's executive responsibilities.

ISO 27701 & DPDP Act Awareness Workshop

An engaging full-day session for privacy leads, legal counsel, compliance teams, and operational managers — covering PIMS principles, GDPR obligations, DPDP Act requirements, and your organisation's current privacy posture.

Technical & specialist

AI Risk & Ethics Workshop

A practical full-day workshop for AI teams, data scientists, and ML engineers — covering model governance, bias detection and mitigation, explainability requirements, responsible AI development practices, and ISO 42001 technical controls.

DPDP Act Masterclass

A deep-dive half-day session for compliance managers and legal teams — covering the Act's obligations in detail, current MeitY rules, Significant Data Fiduciary obligations, and practical implementation steps for India-based operations.

Data Privacy Awareness Training

Organisation-wide awareness training for all staff — covering personal data handling obligations, data subject rights, breach reporting responsibilities, and your internal privacy policies and acceptable use procedures. Available as in-person or online sessions.

Internal Auditor Training

Practical two-day training for staff taking on internal audit responsibilities under ISO 42001 or ISO 27701 — covering audit principles, planning, evidence gathering, interview techniques, non-conformity reporting, and corrective action follow-up.

Coaching & mentoring

DPO & Privacy Officer Coaching Programme

A structured four-session coaching programme for newly appointed or existing Data Protection Officers — building the knowledge, confidence, and practical skills to lead your organisation's privacy function effectively under GDPR and the DPDP Act.

AI Governance Lead Coaching

Mentored support for the individual designated as AI Governance Lead within your organisation — covering ISO 42001 management review responsibilities, AI risk committee facilitation, and ongoing governance leadership.

All training is tailored — not off-the-shelf

Before every engagement, we review your industry, your AI use cases, your existing governance maturity, and your team's background. Session content is adapted accordingly — a healthcare organisation's AI risk workshop looks very different from a fintech's, and it should. Standardised training produces standardised outcomes; we produce genuine capability.

Practice 05

Advisory Retainers & Ongoing Support

Virtual DPO · Virtual AI Governance Officer · Retained Advisory
Outsourced · Retained · On-call · Flexible

Governance does not end at certification. Regulations evolve, AI systems change, new risks emerge, and audit cycles return. Our retained advisory services give you ongoing expert support — without the cost, commitment, or operational overhead of a full-time senior hire. We act as a trusted extension of your team: available when you need us, with the depth of expertise your organisation requires.

Virtual DPO (vDPO)

Outsourced Data Protection Officer service — fulfilling your statutory DPO obligations under GDPR Article 37 and emerging DPDP Act requirements, providing the expertise of a senior privacy professional without a full-time appointment.

Virtual AI Governance Officer (vAIGO)

A retained AI governance advisory role — attending your AI risk committee, reviewing new AI deployments before go-live, keeping your AIMS current and audit-ready, and advising on emerging regulatory developments.

Quarterly Compliance Health Checks

Structured quarterly reviews of your AIMS and PIMS — assessing continual improvement progress, identifying emerging risks, reviewing AI system changes against your risk register, and keeping both management systems on track between surveillance audits.

AI & Privacy Incident Response Advisory

On-call expert support when an AI incident or personal data breach occurs — covering containment, impact assessment, regulatory notification (GDPR 72-hour, DPDP Act Board notification), remediation planning, and post-incident review.

Board-Level Governance Reporting

Preparation of clear, actionable board-level reports on your AI and privacy governance posture — translating technical compliance status into business language, giving your leadership the visibility they need to discharge their governance obligations.

Regulatory Response Support

Expert support in responding to enquiries, audits, or investigations from MeitY, the Data Protection Board of India, or other regulators — including response drafting, evidence compilation, and where appropriate, liaison support. Protecting your organisation's interests and reputation under regulatory scrutiny.

What a retainer looks like in practice

Retainer engagements are structured around your needs — typically 4–8 hours per month, with a dedicated consultant who knows your organisation, your systems, and your regulatory context. No briefing required every time you call; no per-hour surprises. Just expert support, available when it matters.

Practice 06

Security Audits & Assurance

VAPT · Infrastructure · Application · Cloud · Red Team · ISO 27001
WAPT · Network Pentest · Cloud Audit · Red Team · ISO 27001

Governance frameworks tell you what controls to have in place. Security audits tell you whether those controls actually work. Padmaura Digital Trust's security assurance practice provides independent, expert-led testing across your technical and organisational attack surface — giving you honest, evidence-based answers about your real-world security posture, not just your documented one.

Governance + security assurance: a complete picture

ISO 42001 and ISO 27701 define the controls your organisation must implement. Our security audit practice independently verifies that those controls are effective — closing the gap between documented governance and real-world assurance. A certification tells a regulator you have a management system; a penetration test tells you whether it actually protects anything.

Application security

Web Application Penetration Testing (WAPT)

Manual and automated testing of web applications against OWASP Top 10 and beyond — covering injection attacks, broken authentication, sensitive data exposure, security misconfigurations, and business logic vulnerabilities that automated scanners miss.

Mobile Application Security Testing

In-depth security assessment of iOS and Android applications — combining static analysis (SAST), dynamic analysis (DAST), and runtime testing against the OWASP Mobile Application Security Verification Standard (MASVS).

API Security Testing

Comprehensive security testing of REST, GraphQL, and SOAP APIs — covering authentication and authorisation flaws, broken object-level authorisation (BOLA/IDOR), data exposure, rate limiting bypass, and injection vulnerabilities against OWASP API Security Top 10.

Secure Source Code Review

Expert manual review of application source code to identify security defects at the code level — before they reach production. Covers security anti-patterns, hardcoded secrets, insecure cryptography, and framework-specific vulnerabilities.

Infrastructure & network

Network Penetration Testing

Simulated adversarial attack against your internal and external network infrastructure — identifying exploitable vulnerabilities, misconfigured services, and lateral movement paths an attacker could use to reach critical business assets.

Cloud Security Audit (AWS / Azure / GCP)

Configuration review and security assessment of your cloud environment — covering IAM misconfigurations, publicly exposed storage, network security group weaknesses, logging gaps, and encryption deficiencies against CIS benchmarks.

Firewall & Network Security Review

Audit of firewall rulesets, network segmentation, access control lists, and routing configurations — identifying overly permissive rules, implicit trust relationships, and network architecture weaknesses that create unnecessary attack surface.

Vulnerability Assessment & Management

Systematic identification, classification, and risk-scoring of vulnerabilities across your infrastructure — with a prioritised, actionable remediation plan and re-testing to confirm fixes are effective before closing findings.

Advanced assurance

Red Team Exercise

A full-scope, goal-based adversarial simulation targeting your people, processes, and technology — testing not just whether controls exist, but whether your security team detects, responds to, and contains a realistic attack campaign.

Social Engineering Assessment

Phishing simulations, vishing campaigns, and physical security testing — assessing the human layer of your security posture with precision and discretion, and using findings to drive targeted awareness and process improvements.

Third-Party Vendor Security Assessment

Independent security review of vendors and suppliers with access to your systems, data, or networks — validating their security claims, assessing their actual posture, and identifying supply chain risks before they become your incidents.

ISO 27001 Internal Audit

A rigorous internal audit against all ISO 27001:2022 clauses and Annex A controls — identifying non-conformities, generating a corrective action plan, and producing the audit evidence required for your certification body audit.

Practice 07

AI Security Testing

LLM Red Teaming · Adversarial ML · Agentic AI · AI Supply Chain Security
LLM Security · Prompt Injection · Adversarial ML · OWASP LLM Top 10 · MITRE ATLAS

AI systems introduce a new class of security risk that conventional penetration testing was never designed to address. Prompt injection, jailbreaking, training data poisoning, model extraction, and RAG pipeline attacks require a fundamentally different testing methodology — one built specifically for the threat landscape that emerges when intelligence becomes part of your attack surface. This is what our AI Security practice was built for.

AI Security + AI Governance: the full lifecycle

ISO 42001 governs how your AI systems are managed — AI security testing independently validates that they are safe to operate. Together, they give your organisation both the management system and the technical assurance that responsible AI deployment demands. An AI system can be fully ISO 42001 compliant and still be vulnerable to prompt injection. Governance and security are complementary, not interchangeable.

LLM & generative AI security

LLM Security Assessment & Red Teaming

Adversarial testing of large language model deployments — systematically probing for jailbreaks, harmful output generation, sensitive data leakage, system prompt extraction, and safety bypass across your LLM-powered applications and APIs.

Prompt Injection Testing

Targeted assessment for both direct prompt injection (user manipulates the LLM directly) and indirect prompt injection (attacker-controlled content in retrieved data manipulates the LLM) — the most critical and underassessed vulnerability in deployed AI systems.

RAG Pipeline Security Testing

Security assessment of Retrieval-Augmented Generation architectures — testing for document store poisoning, context manipulation, unauthorised document retrieval, sensitive data exfiltration through retrieved context, and embedding manipulation attacks.

Agentic AI Security Assessment

Security review of autonomous AI agent deployments — assessing for tool misuse, privilege escalation through tool calls, unintended action execution, cross-agent trust boundary violations, and the security implications of giving AI systems access to external APIs and services.

Machine learning security

Adversarial Machine Learning Testing

Testing of ML models against adversarial inputs specifically crafted to cause misclassification, evasion, or manipulation — critical for AI systems used in fraud detection, content moderation, medical diagnosis, access control, or any high-stakes automated decision.

Training Data Poisoning Assessment

Evaluation of your ML training pipelines and data sourcing processes for data poisoning vulnerabilities — assessing whether maliciously injected data during training or fine-tuning could corrupt model behaviour at inference time in ways that are difficult to detect.

Model Inversion & Extraction Testing

Assessment of your deployed models' resistance to inversion attacks (which attempt to reconstruct training data from model outputs) and extraction attacks (which attempt to steal model functionality through systematic API queries to replicate a proprietary model).

AI API Security Testing

Comprehensive security testing of AI model APIs — covering authentication weaknesses, rate limiting bypass, output validation failures, sensitive training data exposure through model responses, and abuse-case analysis for models exposed to external or untrusted callers.

AI infrastructure & supply chain

AI System Threat Modelling

Structured threat modelling of your AI systems using STRIDE and the MITRE ATLAS framework (the AI-specific extension of MITRE ATT&CK) — identifying attack paths, adversary techniques, and security gaps before deployment rather than after an incident.

AI Security Architecture Review

Expert review of your AI system architecture against AI-specific threat scenarios — covering model serving infrastructure, vector database security, access controls, monitoring and observability for adversarial behaviour, and isolation between AI components.

AI Supply Chain Security Review

Assessment of your AI supply chain — third-party foundation models, pre-trained weights, fine-tuning datasets, open-source ML libraries, and data providers — for security, integrity, provenance, and the risk of compromised dependencies.

OWASP LLM Top 10 Assessment

Structured assessment of your LLM applications against the OWASP LLM Top 10 — the industry's definitive reference for LLM-specific security vulnerabilities, covering prompt injection, insecure output handling, training data poisoning, model denial of service, and supply chain vulnerabilities.

Why conventional VAPT misses AI risks entirely

A web application penetration test will not find prompt injection in your LLM. A network scan will not detect training data poisoning. A source code review will not assess whether your RAG pipeline can be manipulated by a document uploaded by an attacker. AI security requires a testing methodology built from the ground up for AI-specific threat vectors — which is exactly what this practice delivers.

Ready to Begin?

Book a free 30-minute discovery call — we'll map the right services to your specific situation, regulations, and timelines.
