Information Security & GRC Professional

Hussain Ratlamwala

Information Security Consultant  ·  GRC Specialist  ·  Lead Auditor

Helping organizations strengthen security, achieve compliance, manage risk, and build resilient governance frameworks.

8+ Years of Experience
6+ Compliance Frameworks
50+ Audit Engagements
ISO 27001 Lead Auditor

Security Leadership Grounded in Practice

I am an Information Security and Governance, Risk & Compliance (GRC) professional with 8+ years of experience helping organizations establish, implement, and continuously improve their security and compliance programs.

My background spans both sides of the assurance spectrum — as an Information Security Auditor and as an Information Security Consultant — giving me a uniquely balanced perspective on what organizations need to achieve and maintain robust security postures.

I have supported organizations across diverse industries in navigating complex regulatory landscapes, achieving internationally recognized certifications, and embedding security into their operational culture — not just their documentation.

  • Information Security Governance
  • Risk Management
  • Compliance Management
  • Internal Audits
  • Third-Party Risk
  • Business Continuity
  • Security Assessments
  • GRC Strategy
  • Policy Development
  • Audit Readiness

Security Governance

Designing and operationalizing governance frameworks that align security with business objectives and regulatory obligations.

Audit & Assurance

Conducting thorough internal audits, gap assessments, and readiness evaluations to identify and remediate control deficiencies.

Risk Management

Executing enterprise and information security risk assessments, maintaining risk registers, and driving risk treatment to acceptable levels.

Documentation Excellence

Developing comprehensive, audit-ready security policies, standards, procedures, and control documentation aligned to industry frameworks.

Domains of Deep Knowledge

A practitioner-level command of the frameworks, methodologies, and controls that matter most.

Governance & Compliance

  • ISO 27001 Implementation
  • SOC 2 Type I & Type II
  • HITRUST CSF
  • PCI DSS
  • ISO 22301
  • Security Policies & Procedures

Risk Management

  • Enterprise Risk Assessments
  • Information Security Risk Assessments
  • Vendor Risk Management
  • Risk Treatment Planning
  • Risk Registers & Tracking
  • Control Effectiveness Reviews

Audit & Assurance

  • Internal Audits
  • Gap Assessments
  • Readiness Assessments
  • Control Testing
  • Audit Management
  • Corrective Action Management

Business Continuity

  • Business Impact Analysis
  • Business Continuity Planning
  • Disaster Recovery Planning
  • Crisis Management
  • ISO 22301 Compliance
  • BCP Testing & Exercises

What I Can Do For You

End-to-end consulting engagements tailored to your compliance objectives and risk tolerance.

01

ISO 27001 Implementation & Readiness

Full-cycle support from gap assessment through ISMS design, documentation, control implementation, and certification readiness — guiding your organization to successful ISO 27001 certification.

02

SOC 2 Type I & Type II Readiness

Structured readiness programs to help service organizations meet AICPA Trust Services Criteria, prepare audit evidence, and achieve clean SOC 2 reports that satisfy enterprise customer requirements.

03

HITRUST Compliance Support

Readiness and remediation support aligned to the HITRUST CSF, helping healthcare and health-tech organizations demonstrate robust data protection controls to partners and regulators.

04

PCI DSS Compliance Consulting

Scoping, gap analysis, control design, and remediation planning to achieve and maintain PCI DSS compliance across cardholder data environments of all sizes and complexity.

05

Internal Audits

Independent, risk-based internal audit programs covering information security controls, IT general controls, and compliance with applicable frameworks, producing actionable findings and management reports.

06

Security Policies & Procedures

Development and review of comprehensive information security policy suites, standards, and operational procedures aligned to ISO 27001, NIST, and other leading frameworks.

07

Risk Assessment Services

Systematic enterprise and information security risk assessments — identifying, analyzing, and evaluating threats and vulnerabilities, with pragmatic risk treatment recommendations tailored to your business context.

08

Third-Party Risk Management

Design and operation of TPRM programs including vendor risk tiering, assessment questionnaires, due diligence reviews, and ongoing monitoring aligned to your procurement and contracting lifecycle.

09

Business Continuity & ISO 22301

End-to-end BCM program development — from BIA and BCP through DR planning, crisis communication, and tabletop exercises — aligned to ISO 22301 and industry best practices.

10

Security Documentation Development

Creation of audit-ready security documentation including Statements of Applicability, control matrices, risk registers, and management review packs for regulatory submissions and customer assurance.

11

Vulnerability Assessment & Penetration Testing (VAPT)

Scoping, planning, and coordinating VAPT engagements covering asset discovery, vulnerability scanning, risk-based prioritization, and penetration testing. Includes pre-engagement preparation, findings interpretation, and post-assessment remediation planning to systematically reduce your organization's attack surface.

12

Virtual CISO (vCISO)

Fractional security leadership covering strategic program oversight, board-level reporting, security roadmap development, policy governance, compliance management, and vendor oversight — delivering embedded CISO-level expertise aligned to your business objectives without the cost of a full-time hire.

Professional Journey

Current Role

Information Security Consultant

Independent Consulting Practice

  • Security Compliance Program Design
  • ISO 27001 & SOC 2 Implementation
  • Enterprise Risk Management
  • Governance Framework Development
  • Security Policy Documentation
  • Audit Readiness Advisory
  • Vendor Risk Program Management
  • Stakeholder Risk Reporting
  • Business Continuity Planning
  • Compliance Gap Remediation

Successfully managed multiple audit and compliance engagements while collaborating with stakeholders across business, technology, and security functions.

Previous Role

Information Security Auditor

Information Security Assurance Practice

  • Internal Audit Planning & Execution
  • Compliance Framework Assessments
  • IT General Control Reviews
  • Risk Identification & Analysis
  • Corrective Action Tracking
  • Management Report Preparation
  • Control Effectiveness Testing
  • Regulatory Compliance Reviews
  • Process Walkthroughs
  • Evidence Collection & Documentation

Compliance Frameworks

Hands-on experience across the standards and frameworks that define information security and compliance excellence.

ISO/IEC 27001

The international standard for Information Security Management Systems. Experienced in full ISMS implementation, Statement of Applicability, Annex A control selection, and certification audit readiness.

SOC 2 Type I

Point-in-time assurance over the design of security, availability, processing integrity, confidentiality, and privacy controls against the AICPA Trust Services Criteria.

SOC 2 Type II

Operational effectiveness testing over an audit period, requiring sustained control performance. Readiness programs structured to minimize audit findings and reduce remediation cycles.

HITRUST CSF

Common Security Framework used extensively in healthcare and health technology sectors. Provides a prescriptive, certifiable control baseline across regulatory and industry requirements.

PCI DSS

Payment Card Industry Data Security Standard protecting cardholder data environments. Experienced in scoping, network segmentation, control implementation, and SAQ/RoC preparation.

ISO 22301

International standard for Business Continuity Management Systems. Covers BIA, continuity strategy, BCM documentation, testing programs, and BCMS certification preparation.

What You Receive

Tangible, audit-ready artifacts that demonstrate your security posture and accelerate compliance outcomes.

Information Security Policies
Standards & Procedures
Risk Assessment Reports
Risk Registers
Internal Audit Reports
Vendor Risk Assessments
Statement of Applicability
Business Impact Analysis
Business Continuity Plans
Disaster Recovery Plans
Compliance Dashboards
Security Awareness Programs
Vulnerability Management
Penetration Testing
vCISO

Professional Credentials

ISO 27001 Lead Auditor

Certified to conduct and lead ISO/IEC 27001 audits, assess ISMS conformance, and evaluate information security control effectiveness.

Certified

Certified Information Security Consultant

Certified by a well-known information and cybersecurity institution.

Certified

CISM

Additional professional certification — to be added soon.

Coming Soon

The Difference I Bring

01

8+ Years of Hands-On Experience

More than eight years of practitioner-level experience across both audit and consulting disciplines — not theoretical knowledge, but proven delivery in real organizations.

02

Dual Audit & Consulting Perspective

Having operated as both an auditor and a consultant, I understand exactly what auditors look for — and how to prepare your organization to pass with confidence.

03

Multi-Framework Regulatory Knowledge

Deep familiarity with ISO 27001, SOC 2, HITRUST, PCI DSS, ISO 22301, and related regulations allows cross-framework optimization rather than siloed compliance efforts.

04

Practical, Implementable Solutions

Recommendations are grounded in operational reality. Controls and processes are designed to work within your business — not just satisfy auditors on paper.

05

Strong Documentation Capability

Producing clear, comprehensive, audit-ready documentation is a core strength — from policies and risk registers to SOA matrices and management review packs.

06

Business-Focused Security Approach

Security exists to enable business, not obstruct it. Compliance programs are designed to protect what matters while preserving operational agility and stakeholder trust.

Start a Conversation

Let's Work Together

Whether you're preparing for a certification audit, building out your GRC program, or need an independent perspective on your security posture — I'm here to help. Reach out to discuss your needs.