CTRL Disrupt
Your Managed Security & Risk Office.
Based in the Netherlands.
Marshalllaan 2
2625 GZ Delft
The Netherlands
© 2026 CTRL Disrupt Consulting B.V. · KvK 87198983 · All rights reserved.
TARGETED ASSESSMENTS
Focused expertise for specific challenges.
Not every engagement needs to start with a full managed relationship. Every targeted assessment can stand on its own — or serve as the entry point to a broader partnership.
Cloud Security Assessment
A structured evaluation of your cloud environment's security posture — architecture, configuration, identity, data protection, and compliance alignment.
EU AI Act Readiness Scan
An assessment of your AI-related risks, governance readiness, and EU AI Act preparedness. For organisations exploring or deploying AI.
NIS2 Gap Analysis
A focused evaluation against NIS2 requirements — with a clear view of what needs to change and a practical path to compliance.
Security Architecture Review
An expert review of your security architecture — identifying structural weaknesses, redundancies, and opportunities to strengthen your posture.
ISMS Health Check
For organisations with an existing ISMS: an independent evaluation of its effectiveness, maturity, and alignment with current best practices.
Compliance Baseline Assessment
A broad assessment across multiple frameworks such as ISO 27001 & NIST to understand your overall compliance posture and prioritise where to focus.
HOW ENGAGEMENTS WORK
Foundation. Build. Manage.
Most relationships move through three phases — from understanding your landscape, to building the program, to managing it as an ongoing function. No hard handoffs: the same team carries you through all three.
01 Foundation
We assess your current security and risk landscape across all five capabilities, identify the gaps, and build a clear, prioritised roadmap. A structured engagement — typically four to twelve weeks — that establishes the baseline.
02 Build
We design and implement the program: governance frameworks, risk processes, compliance structures, policies, architecture blueprints, and strategic roadmaps. We put the recommendations into action — tailored to your reality, not a template.
03 Manage
We operate as your ongoing Managed Security & Risk Office — maintaining compliance, managing risk, overseeing architecture, advising leadership, and evolving the program as your organisation and the landscape change. This is where the relationship lives.
No two managed offices look the same.
Your security and risk office is shaped by who you are and what you face. We tailor the scope, depth, and focus based on four factors:
Your size and structure
A 60-person technology company needs different governance than a 1,500-person healthcare organisation. We scale the managed office to match your organisational reality.
Your sector and context
Government, healthcare, financial services, technology, critical infrastructure — each sector brings its own threat landscape, regulatory requirements, and operational context.
Your maturity
Some organisations start from zero. Others have existing programs that need strategic refinement. We meet you where you are and build from there — without condescension.
Your compliance landscape
ISO 27001, NIS2, BIO2.0, EU AI Act, DORA — the regulations & frameworks that apply to you shape what we prioritise and how we structure your compliance program.
CAPABILITIES
What your managed office covers.
Governance
We establish governance frameworks, define roles and responsibilities, create policy architectures, and ensure security governance connects directly to business strategy and board-level oversight. We also build the awareness and culture that make governance stick — not documents for a shelf.
Risk
We implement systematic risk identification, assessment, and treatment. We connect operational risks to strategic objectives, maintain living risk registers, facilitate risk discussions at the right levels, and help leadership make informed decisions about risk tolerance and investment.
Strategy
We help define your security and risk strategy — aligning investments, priorities, and roadmaps with business objectives, risk appetite, and the evolving threat and regulatory landscape. Strategy is what turns a collection of controls into a coherent, forward-looking program.
Architecture & Transformation
We design, review, and oversee architecture across the organisation — enterprise architecture, business architecture, and security architecture spanning cloud, identity, data, and network. We also guide organisations through major change — cloud migration, digital transformation, restructuring — ensuring security is designed into the change, not bolted on afterwards.
Compliance
We manage your compliance program across ISO 27001, NIS2, BIO2.0, EU AI Act, GDPR, and sector-specific regulations — integrating them so they reinforce each other instead of creating parallel workstreams. AI security and compliance is built in from day one.
Think of it as having your own security and risk department — without building one.
CTRL Disrupt operates as your external, dedicated security and risk office. We manage the full program: governance, strategy, risk management, architecture, and compliance.
You get a complete, senior-led team without the recruitment challenge, the overhead, or the years of internal development. We work alongside your people, within your context, adapting to your industry, size, maturity, and regulatory landscape.
We focus on the strategic and governance layer — the program that determines whether your organisation's security actually works. Operational security — SOC, monitoring, testing — is delivered by specialised partners we select, direct, and hold accountable. And because we're independent of tooling and vendors, our direction is always in your interest.
WHAT WE DO
Your Managed Security & Risk Office
We don't sell services. We operate a function. CTRL Disrupt takes ownership of your organisation's security and risk management — as an ongoing, integrated, managed partnership.

GETTING STARTED
Every managed relationship starts with a Foundation.
Before we can manage your security and risk function, we need to understand it. The Foundation phase is a structured engagement — typically four to twelve weeks — that establishes the baseline for everything that follows.
01 Assessment
We map your current security and risk landscape: what exists, what works, what's missing, and what's at risk. Technical reviews, governance assessments, compliance gap analyses, and stakeholder conversations.
02 Roadmap
Based on the assessment, we build a clear, prioritised roadmap — practical, honest, and aligned with your capacity and ambitions. No hundred-page reports. A working plan we'll execute together.
03 Transition
The Foundation phase transitions naturally into the ongoing managed relationship. No hard handoff — the same team that assessed your landscape builds your function and continues to manage it.
Let's build your security and risk office.
Every organisation's path is different. Let's start with a conversation about yours — what you're facing, what you need, and how we can help.