Controls that survive the audit and the next attacker.
Readiness and ongoing programmes for ISO 27001, SOC 2, NIS 2, DORA, and GDPR — plus fractional CISO leadership — evidence over box-ticking.
- Senior-led delivery.
- Vendor-independent.
- Evidence-driven reporting.
Delivered in Morocco
One control set for loi 05-20 and your customers’ standards.
Our Casablanca-based team builds governance and controls that answer Morocco’s cybersecurity law (loi 05-20) and the DGSSI’s expectations, and maps the same control set to the ISO 27001 and SOC 2 frameworks your international customers ask about — so one programme satisfies the local regulator and a global buyer alike.
GRC in Morocco usually has two audiences at once: the DGSSI and Bank Al-Maghrib expectations at home, and the ISO 27001 or SOC 2 evidence your international customers ask for abroad. Run separately they duplicate work; run as one control set they answer both. Loi 05-20 set the cybersecurity baseline for sensitive systems, and loi 09-08 the data-protection one — neither is satisfied by a certificate alone.
That single control set is what we build, mapped across loi 05-20, the DGSSI’s expectations, and the frameworks your buyers require, so one programme answers the local regulator and a global customer at once. Where useful, a fractional CISO carries it. We provide readiness and evidence; the legal interpretation stays with your counsel.
Where we help
ISO 27001 & SOC 2 for exporters
- The certifications your international customers ask for, built on controls that hold up to both a foreign auditor and the DGSSI — not a binder assembled before the audit.
Mapped to loi 05-20 & the DGSSI
- Your security controls aligned to Morocco’s cybersecurity law and the DGSSI’s expectations for sensitive systems, evidenced once and reused for your international frameworks.
Data protection (loi 09-08 / CNDP)
- The governance side of loi 09-08 — processing inventory, accountability, and the CNDP formalities — folded into the same programme rather than run apart.
Fractional CISO leadership
- Senior security leadership locally to own the programme, supplier risk, and the regulator and customer relationships without a full-time hire.
When Moroccan teams call us
The moments Moroccan organisations bring us in for GRC:
- An international customer won’t sign without ISO 27001 or a SOC 2 report.
- The DGSSI’s expectations or a Bank Al-Maghrib directive apply to your systems.
- You’re answering local regulators and foreign customers at once and the duplicated effort has become the problem.
- You need senior security leadership but not yet a full-time CISO.
What you receive
The HackingByte Engagement Brief
Every service ends in the same three connected artifacts — so exploit, control gap, and business impact tell one story.
- Technical Report: reproducible findings with evidence and per-finding remediation, written for your engineers.
- Executive Risk Brief: the same findings as business risk for leadership and the board — no jargon, no CVSS tables.
- Action Plan: prioritised, owner-assigned, and scoped to what your team can actually deliver.
Timeline
What a typical engagement looks like.
GRC work takes one of two shapes. A readiness project runs to a defined gate — a diagnostic of where you stand, a mapped control and evidence model, and a prioritised plan to evidence-readiness — typically over a few weeks to a few months, depending on how many frameworks are in scope and how much of an operating model already exists. An ongoing programme then runs as a continuing cadence: maintaining the evidence, keeping the risk register live, and reporting to the board, with a fractional CISO retainer as a defined monthly arrangement.
We set the shape and schedule around your real deadline — a customer’s questionnaire, an audit date, or a regulator’s clock — and agree it during scoping before you commit.
How it’s different
- Offensive-informed — the same senior team that tests your defences advises on your controls, so the GRC work is grounded in how attacks actually succeed, not just how a clause reads.
- Independent of the audit — we get you ready and work alongside your auditor or certification body; staying out of the audit chair is the point, so our advice on what to fix carries no agenda.
- Built to be operated — controls are designed to be run by your team and kept current, with evidence that doubles as the response material when a customer or regulator asks how risk is managed.
Why GRC fails
Frameworks only matter when they map to ownership, evidence, and decisions.
A framework is a list of things that should be true. It does not make them true. The gap between “we have a control” and “that control works, someone owns it, and we can prove it on any given day” is where most programmes quietly live — and it’s exactly the gap an auditor’s sampling, an enterprise customer’s questionnaire, or a real incident exposes.
Three things close that gap, and none of them are documents. Clear ownership, so every control has a name attached and a person who would notice if it stopped working. A working evidence model, so proof is a by-product of how the team operates rather than a scramble before an audit. And honest prioritisation, so the limited time your team has goes to the risks that matter rather than the easiest boxes to tick. We build those three first; the policy set follows from them, not the reverse.
What we help build
The operating model under the certificate.
Certification is an output. The thing that produces it — and survives between audits — is an operating model. We help you build the parts that make one real:
- Governance operating model — who decides, who owns risk, and how security questions reach the people who can answer them, on a cadence that runs without being chased.
- Control ownership — every control mapped to a named owner and the process it lives in, so nothing is “everyone’s job” and therefore no one’s.
- Evidence model — evidence generated as a by-product of normal work (tickets, reviews, pipelines, logs) instead of reconstructed under deadline pressure.
- Risk register and treatment logic — a register that reflects real exposure, with treatment decisions that are recorded, owned, and revisited rather than written once and forgotten.
- Executive and board reporting — security posture translated into the few numbers and decisions leadership actually needs, in language a board can act on.
- Framework mapping — one control set mapped across ISO 27001, SOC 2, NIS 2, GDPR, and DORA, so each new obligation becomes an evidence exercise rather than a rebuild.
From register to board
Cyber risk consulting: from register to board view.
A risk register no one reads is just another document. Cyber risk consulting is the work of turning real exposure into decisions: identifying the threats that actually apply to your business, scoring them by likelihood and impact rather than gut feel, and tying each one to an owner and a treatment your leadership has actually agreed. The register stops being an audit artifact and becomes the thing that decides where the next quarter of security budget goes.
We carry that line all the way to the board. Because HackingByte reads every control through an offensive lens, the risks we escalate are the ones an attacker would actually use, not the ones that are simply easy to count. The result is a board-grade view of cyber risk — a short list of what could hurt the business, what it would cost to address, and what happens if you don’t — in language executives can act on without a translation layer.
How we work
Diagnose, map to real systems, prioritise by business risk.
Every engagement runs the same way, scoped to where you are now:
Diagnose the current state. We assess what you actually have — controls, evidence, ownership, and the obligations in front of you — and return an honest picture of the distance to where you need to be.
Map obligations to real systems and processes. We connect each requirement to the concrete system, team, and workflow that satisfies it, so the programme describes your company rather than a template one.
Prioritise gaps by business risk. We rank the gaps by what they actually expose, so a constrained budget closes the risks that matter most before the cosmetic ones.
Build the evidence routines. We set up how proof gets produced and kept current, then show your team how to run it so nothing has to be rebuilt before each audit.
Prepare leadership for the conversations. We get your leaders ready for the audit, customer, and regulator conversations — what will be asked, what the evidence says, and where the honest caveats are.
Where the line sits
What we are, and what we aren’t.
We get you ready and we keep you ready. We are not a certification body and we do not issue certificates — for ISO 27001 that comes from an accredited certification body, and a SOC 2 report is issued by a licensed CPA firm. Staying independent of the audit is the point; it’s what lets us be straight with you about where you actually stand.
We also do not give legal advice. Where a framework raises a legal question — how an obligation should be interpreted, what a contract needs to say — that’s your counsel’s work, and we support it rather than pretend to replace it. What we do is operationalise security and compliance: turning obligations into controls, controls into evidence, and evidence into decisions your leadership can stand behind.
Scoping & pricing
Fixed-price, banded by scope — no day rates.
We price GRC work fixed and banded by scope — the number of frameworks, the size of the estate, and whether it’s a readiness project or an ongoing programme — and share the band during scoping before you commit. A fractional CISO retainer is a defined monthly arrangement, not an open-ended day rate.
We sell no tooling and take no vendor commissions, so the programme is built around your obligations rather than a product we’re trying to move. If you’re working to a budget, tell us during scoping and we’ll be straight about what it covers.
Frequently asked questions
Can one programme cover loi 05-20, the DGSSI, and ISO 27001/SOC 2?
- Largely, yes — their security cores overlap. We build one control set and map it across the local regime and your international frameworks, so you evidence once and answer both the DGSSI and a foreign auditor.
Do you certify us?
- No — certification is issued by an accredited body. We get you genuinely ready, run the internal audit, and stand beside you through the external one. We hold no certification-body status and claim none.
Do you also handle loi 09-08 data protection?
- Yes — the governance and CNDP formalities of loi 09-08 fold into the same programme. The legal interpretation stays with your counsel.
Is this legal advice?
- No. We operationalise the security and governance these regimes require and produce the evidence; how each applies to your organisation is your counsel’s determination.
Tell us the framework and the deadline — we’ll scope readiness that holds up to the audit and the attacker.
Every engagement ends in the same three connected artifacts, and our continuous monitoring platforms keep watch between engagements.