Proxim Advisory Group brings enterprise-grade cybersecurity GRC and business strategy to startups and SMBs — the organizations that need it most, and deserve it most.
We don't retrofit enterprise frameworks onto small teams. We design assurance and advisory programmes that fit where you are — and where you're going.
Governance frameworks, risk assessments, AI/automation governance, and assurance roadmaps aligned to SOC 2, ISO 27001, NIST CSF, HIPAA, and PIPEDA.
Gap assessments, policy development, contract reviews, security questionnaire support, and evidence preparation to position your business for audit success.
Operational strategy, business model analysis, and governance structures for founders and leadership teams at every stage.
Tailored risk registers, control libraries, and continuous monitoring frameworks that scale with your organization.
Proxim Advisory Group was founded on a single conviction: that small and growing businesses deserve the same quality of governance and security advisory traditionally reserved for large enterprises.
The word proxim derives from the Latin for closeness — and that's precisely what distinguishes our practice. We don't parachute in with a generic framework and leave. We sit alongside your leadership team, understand your context, and build programmes that actually work for your size, your sector, and your risk appetite.
Founded in British Columbia, Canada, Proxim Advisory Group serves startups and small-to-medium businesses across North America, Europe and Africa. Our practice spans cybersecurity governance, risk and assurance (GRC) consulting, and strategic business advisory — delivered by an advisor with doctoral-level academic credentials and hands-on operational experience.
Whether you're preparing for your first security audit, building investor-ready governance, or navigating a regulated industry, Proxim brings the rigour, clarity, and conviction to guide you through.
We engage as a true partner — close to your team, your decisions, and your outcomes.
Every recommendation is grounded in evidence, frameworks, and academic rigour.
Assurance programmes that fit your business — not the other way around.
We earn it through transparency, consistency, and delivering on every commitment.
The principal advisor holds a Doctor of Business Administration (DBA) in Information Systems and Enterprise Resource Management, is a Certified Information Systems Security Professional (CISSP), and brings deep experience in global GRC, cloud security assurance, and strategic risk management across operational and leadership roles.
Doctoral scholarship, hands-on security practice, and business advisory judgment inform every engagement in Proxim's advisory model.
Book a free 30-minute discovery call to discuss where your business stands and what Proxim can do for you.
Every Proxim engagement is scoped to your business. We combine frameworks that matter with advice that translates — practical, actionable, and built to last.
Governance, Risk, and Assurance is no longer optional — it's a business enabler. Customers, investors, and regulators increasingly demand demonstrable security posture. Proxim helps you build it systematically, without the overhead of a full enterprise security team.
We work with you to assess your current state, identify gaps against applicable frameworks, design appropriate controls (including for AI and automation where relevant), and support you through to audit readiness or certification.
Facing an audit, a customer security questionnaire, or a regulatory review? Proxim's assurance readiness service prepares your organization to perform confidently — not just pass, but demonstrate a mature, sustainable assurance posture that wins customer trust and opens enterprise doors.
We specialize in helping SMBs achieve the certifications and assurance status that expand market access. This includes deep support for the commercial moments that matter most — contract reviews and security questionnaires that directly affect your ability to close deals.
Behind every assurance challenge is a business challenge. Proxim's advisory practice goes beyond security frameworks to address the strategic and operational questions that founders and leadership teams face at every stage of growth.
Drawing on doctoral-level business administration training and extensive executive experience, the principal advisor brings an evidence-based approach to strategy, governance, and operations for growing businesses.
Risk management is the backbone of a resilient organization. Without a structured programme, risk decisions are made ad hoc, inconsistently, and often too late. Proxim designs pragmatic risk management programmes that give your leadership team visibility and control.
We build risk frameworks that are proportionate to your size — rigorous enough to satisfy external scrutiny, practical enough for a lean team to maintain.
Every business is different. Choose the engagement model that fits your needs and budget — or combine them.
Defined deliverable, timeline, and fee. Ideal for gap assessments, policy suites, and audit prep projects.
Monthly advisory hours for businesses that need consistent access to a trusted GRC and assurance advisor.
Fractional Chief Information Security Officer — strategic security leadership without a full-time hire.
Book a free 30-minute discovery call. We'll listen, ask the right questions, and tell you plainly what will move the needle for your business.
A curated knowledge base covering our services, the assurance frameworks we work in, AI governance, and the broader GRC questions that come up in discovery calls. If you don't see your question here, book a call — we'll answer it directly.
Proxim delivers four interconnected practice areas: Cybersecurity GRC consulting (governance, risk, compliance), Assurance Readiness & Audit Preparation, Business Advisory & Strategy, and Risk Management Programme design. We also offer Virtual CISO (vCISO) engagements on a retainer basis for organizations that need fractional executive security leadership without a full-time hire.
Startups and small-to-medium businesses — typically 1 to 200 employees — that are either approaching a customer-driven security review, preparing for a certification (SOC 2, ISO 27001), navigating a regulated industry (healthcare, finance, public sector), or scaling operations and need governance to keep pace. We are particularly well-suited to founder-led companies that want a senior advisor, not a junior consultant reading from a checklist.
You work directly with the principal advisor — doctoral-level (DBA) business administration training, deep cybersecurity and assurance experience, and a practitioner's view of what is realistic for a lean team. Engagements are right-sized, evidence-based, and free of the overhead and turnover typical of large firms.
Most engagements begin with a free discovery call, followed by a scoped assessment (current state, gaps, target framework). From there we typically deliver a roadmap, then either execute the roadmap on a project basis or support the client on an ongoing advisory retainer. Retainers are commonly used for vCISO duties, audit preparation, and continuous risk monitoring.
Both. Proxim was founded in British Columbia, Canada, and serves clients remotely across North America, Europe, and Africa, with in-person engagements available where appropriate.
SOC 2 (Type I and Type II), ISO/IEC 27001, NIST Cybersecurity Framework (CSF 2.0), NIST 800-53 and 800-171, HIPAA, PIPEDA, PCI DSS at a guidance level, and emerging AI-specific standards including ISO/IEC 42001 (AI Management Systems) and the NIST AI Risk Management Framework (AI RMF). We also align programmes to the FAIR risk quantification model where it adds value.
It depends on your customers and markets. SOC 2 is the dominant expectation among North American SaaS buyers and tends to be faster to first attestation. ISO 27001 carries more weight internationally and with enterprise procurement teams in Europe. Many growing companies eventually pursue both; a good discovery call narrows the right starting point in under an hour.
For an organization starting from scratch, 4 to 9 months to readiness is typical, depending on team size, existing controls, and how quickly evidence can be produced. Type II audits require an additional observation window (commonly 3 to 12 months). We design roadmaps that compress this timeline where possible without cutting corners that auditors will catch.
We support HIPAA Privacy, Security, and Breach Notification Rule compliance, including risk analyses, policy frameworks, Business Associate Agreement (BAA) review, and safeguards aligned to the HHS guidance. For Canadian organizations handling personal health information, we map equivalent controls to PIPEDA and provincial health-privacy regimes.
We help organizations meet PIPEDA's ten Fair Information Principles, conduct Privacy Impact Assessments (PIAs), and prepare for the modernization underway through Bill C-27 (the Consumer Privacy Protection Act and the Artificial Intelligence and Data Act). For BC-based clients, we also account for PIPA.
Yes. AI governance is a core part of our practice. We help organizations inventory AI and automation use cases, classify them by risk, design oversight controls, and build the policies, approvals, and monitoring needed to deploy AI responsibly. This applies equally to internal productivity tools, customer-facing AI features, and embedded vendor capabilities.
ISO/IEC 42001 (AI Management Systems), the NIST AI Risk Management Framework (AI RMF 1.0) and its Generative AI Profile, the EU AI Act risk-tiering model, Canada's proposed Artificial Intelligence and Data Act (AIDA), and sector-specific guidance such as the U.S. Executive Order on AI and emerging financial-services AI rules. We translate these into practical controls for SMBs — not 300-page binders.
At minimum: an acceptable-use policy for generative AI, a vetted list of approved tools and data classifications allowed in each, a process for reviewing new AI features in existing SaaS products, basic logging and human-in-the-loop checkpoints for high-impact decisions, and training so staff understand what not to paste into a prompt. We can deliver this as a focused two- to four-week engagement.
AI does not require a separate parallel programme — it requires extensions to what you already have. We integrate AI risk into your existing risk register, map AI controls to your current framework (SOC 2, ISO 27001), update vendor management to cover AI sub-processors and model providers, and extend incident response to cover model failures, prompt injection, and data exposure.
Sensitive data leaking into public AI tools, shadow AI (employees using unsanctioned tools), over-reliance on AI output for regulated decisions, contractual exposure when AI features are embedded into customer-facing products, and audit findings tied to a lack of documented oversight. Most of these are inexpensive to mitigate if addressed early.
GRC — Governance, Risk, and Compliance — is the structured way an organization makes decisions, manages uncertainty, and meets its obligations. For a smaller company, a right-sized GRC programme prevents avoidable incidents, accelerates enterprise sales by answering security questionnaires confidently, and gives leadership a clear view of what could go wrong and what is being done about it.
We use a tiered approach: a qualitative risk register for breadth, semi-quantitative scoring for prioritization, and FAIR-style quantification for high-impact risks where dollar figures help leadership decide. The output is a risk register that is actually maintained — not a one-time spreadsheet that ages out within a quarter.
A vCISO is a fractional executive who provides security leadership, board reporting, programme oversight, and audit accountability without the cost of a full-time CISO hire. Most SMBs do not need a full-time CISO until they reach significant scale; a vCISO retainer fills the gap with senior judgment at a fraction of the cost.
We complete client security questionnaires accurately and efficiently, maintain a reusable answer library so your team isn't rewriting the same answers every quarter, and help position your responses to win deals rather than just survive review. This is one of the highest-ROI services we offer for sales-led SMBs.
Project work is scoped after a discovery call; advisory retainers are sized to the scope of executive time required each month. We are transparent about pricing and structure engagements to deliver visible value at each milestone — no open-ended commitments.
Book a free, one-hour discovery call. We'll listen to where you are, ask the questions that matter, and tell you plainly what we think the right next step is — whether or not that involves engaging Proxim.
Don't see your question? Ask us directly.
Every engagement starts with a conversation. Book a free 30-minute discovery call — no obligation, no sales pitch. Just an honest conversation about where you are and where you want to be.
British Columbia, Canada
Remote & in-person
Within 1 business day