Each stage builds on the last. Start with a free checklist. Progress to full governance oversight. Every step moves you toward a documented, defensible position with your board, your insurer and the FCA.
A simple, practical starting point. No commitment required.
Written by Patrick Murphy - Chartered Financial Planner, 50+ years in UK financial services - this practical checklist helps IFA managing directors ask the right questions about their firm's cyber governance position before engaging any adviser.
Ten questions. Plain English. No technical knowledge needed. Where several answers are "No" or "Not sure", it identifies where GOIA's independent assessment would add most value.
A fast, independent view of your firm's external exposure and governance position.
The Snapshot provides an independent rapid assessment covering the three highest-priority risk indicators for IFA firms. No system access required. The output is not a raw technical scan - it is translated into business and governance language: what the exposure means for your firm's operational continuity, regulatory position and director accountability.
Delivered within 48 hours of the information being received. The £250 fee is credited against the Executive Review if you proceed.
Independent scan of your public-facing attack surface - domains, IP addresses, exposed services and any leaked credentials identified in public breach datasets.
SPF, DKIM and DMARC configuration checked. Plain-language explanation of any gap and the specific risk it creates for your firm.
Initial view of the most significant governance gaps, linked to FCA operational resilience expectations.
A structured, board-readable summary in governance and business impact language - not raw technical output.
8-domain governance assessment. Board-ready report. Fixed fee. 10 working days.
The Executive Review is GOIA's core engagement and the foundation for every ongoing client relationship. It covers all 8 governance domains through structured interviews, document review and independent assessment. No privileged system access required. All findings are presented verbally to the managing director before the written report is issued.
Plain-language RAG rating per domain. Three most critical actions. Written for the board, not the IT team.
Findings across all 8 domains with risk ratings, regulatory linkage and prioritised remediation.
Ready for board papers or FCA compliance file. Standard GOIA format.
Three to five highest-priority controls with suggested ownership and effort.
All findings presented to the MD before the written report is issued.
Framework-referenced remediation list for your IT provider. One page.
Insurer Evidence Pack available on request - a formatted summary of assessment findings for submission to your cyber insurer or broker at renewal.
Targeted remediation aligned directly to Review findings.
Following the Executive Review, GOIA scopes targeted remediation projects to address the highest-priority findings. Each project has a defined scope, defined ownership, board-level progress reporting and a clear completion point. Typical examples include: external exposure remediation; email authentication advisory; incident response plan creation and board sign-off; FCA Important Business Services mapping; third-party MSP due diligence.
Structured oversight. Board reporting. Continuous monitoring. IR readiness.
The Ongoing Governance engagement provides structured independent oversight across your full cyber risk position - combining governance advisory, board-level reporting, independent control validation and continuous technical monitoring into a single joined-up service.
The monitoring layer is embedded within the governance service. It gives GOIA real-time visibility of your firm's security posture between governance sessions - so board reports are based on live evidence. The commercial relationship underpinning the monitoring capability is disclosed in full in the engagement letter, as required by GOIA's conflict of interest policy.
60-minute structured session covering control status, regulatory developments and action tracker review.
Board-ready summary covering posture update, control validation, regulatory horizon and open actions.
Ongoing visibility of external posture, user risk and endpoint status between governance sessions.
Bi-annual facilitated exercise. Output: updated IR plan, board-aware response structure, FCA/insurer evidence.
Email and phone access for governance questions. Response within one working day during business hours.
Full Executive Review repeat with year-on-year comparison. Staff awareness briefing included.
£1,750 + VAT. Fixed fee. Board-ready in 10 working days.