The NEXUS.ai operating method

The ITCA™ Framework

Four disciplined stages that convert regulatory complexity into operating reality. Applied on every engagement, scaled to organisations of every size, agnostic to the framework in scope.

Why ITCA™ exists

Most compliance work fails in the gap between a policy and a working system.

Consulting delivers a policy pack. Nobody operates it. Six months later the auditor finds the same gaps, the team rebuilds the same controls, and the bill arrives a second time. The regulation did not change. The approach is what failed.

ITCA™ is the sequence that fixes that. It forces the engagement through four stages and treats none of them as optional. You cannot Translate before you Identify. You cannot Control before you Translate. You cannot Activate what was never controlled. The discipline is the method.

Stage 01 · Identify
Typically 2–3 weeks

Map what actually applies to you.

Every engagement opens with a structured regulatory and operational diagnostic. We map the product, the data flows, the markets served, the architecture, the vendor footprint, and the contractual obligations against every framework that could plausibly apply. Then we eliminate the ones that do not.

What happens

  • Product, data, market, and architecture mapping
  • Regulatory exposure diagnostic across AI Act, ISO standards, GDPR, NIS2, sectoral regimes
  • Gap analysis against current control environment
  • Commercial risk scoring — what will block your next deal, your next audit, your next round

What you see

  • Structured discovery workshops with your leadership and technical teams
  • Written findings shared continuously — no black-box analysis
  • Decisions made in the open, with full reasoning

What you get

  • Regulatory Applicability Map — a clear, written scope
  • Control environment baseline assessment
  • Prioritised risk register, sequenced by commercial and regulatory urgency

Stage 02 · Translate
Typically 3–5 weeks

Convert regulation into concrete action for your setup.

Regulations are written for lawyers. Controls are operated by engineers, product managers, and support teams. The translation layer is where most programmes fall apart — and where ours spends the most time. Every regulatory obligation becomes a specific instruction mapped to your tech stack, your team structure, and your operating model.

What happens

  • Obligation-to-control mapping at line-item level
  • Unified Control Framework design — one control set satisfying every applicable standard
  • Technical architecture review against mapped controls
  • Role and responsibility design (RACI, decision rights)

What you see

  • Working sessions with engineering, product, legal, and operations
  • Control catalogue built in the open, reviewed line by line
  • No templates imported — every control is justified

What you get

  • Unified Control Framework — framework-agnostic control catalogue
  • Technical implementation brief for each control
  • Operating model update: roles, decision rights, governance forums

Stage 03 · Control
Typically 4–8 weeks

Build and deploy the operating infrastructure.

Controls become real here. Policies are authored and approved. Technical controls are configured. Evidence pipelines are wired. Third-party risk workflows are operational. The ISMS, AIMS, or QMS moves from diagram to running system. This is delivery — and we run it ourselves, not through junior analysts.

What happens

  • Policy and procedure authoring — tailored, not templated
  • Technical control implementation across the stack
  • Evidence collection automation and audit trail design
  • Third-party risk and vendor onboarding workflows

What you see

  • Weekly delivery cadence with binary status (done / not done)
  • Hands-on configuration alongside your team, not over it
  • Auditor-eye review of every artefact before sign-off

What you get

  • Full policy stack and approved ISMS / AIMS / QMS
  • Configured technical controls with runbooks
  • Evidence library wired to the control catalogue
  • Vendor risk programme operational

Stage 04 · Activate
Typically 3–4 weeks

Run the system, hand it over, stand down.

Activation is the stage most consulting engagements skip. We run it in full. Controls are exercised against real events, the team is trained to operate the system under audit conditions, and a clean hand-over package is delivered. When we leave, nothing collapses. Your team owns what we built.

What happens

  • Tabletop exercises: incident response, breach notification, audit simulation
  • Team training on operating the control environment
  • Mock audit or mock buyer questionnaire under real conditions
  • Formal hand-over with named owners for each control

What you see

  • Your team driving the system while we coach
  • Edge cases surfaced and remediated before they become real
  • Clean disengagement on an agreed date

What you get

  • Audit-ready posture: ISMS operational, evidence current, owners named
  • Hand-over package — policies, procedures, runbooks, KPIs, next-audit plan
  • Monthly advisory retainer (optional) for the first audit cycle

FAQ

Practical questions about ITCA™.

What does the ITCA™ framework stand for?

ITCA™ stands for Identify, Translate, Control, Activate — the four disciplined stages we run on every engagement. It is the sequence that turns regulation into concrete operating infrastructure, rather than leaving you with a framework document that no one implements.

How long does a full ITCA™ cycle take?

A typical end-to-end cycle runs 12 to 20 weeks depending on the number of frameworks in scope, the maturity of the existing control environment, and the team's bandwidth to co-deliver. Fixed-scope Compliance Sprints are usually 6 to 12 weeks.

Is the ITCA™ framework specific to AI compliance?

No. ITCA™ is applied across every NEXUS.ai practice — AI Governance, GRC and Cybersecurity, Fractional Leadership, and Operating Model and Market Entry. The stages are framework-agnostic because the operational discipline is the same: identify what applies, translate it to your setup, build the controls, and activate them in the business.

Does ITCA™ replace ISO 27001, SOC 2, or EU AI Act requirements?

No. ITCA™ is not a regulatory framework. It is the delivery methodology we use to implement regulatory frameworks. The external standards remain exactly what they are; ITCA™ is how we execute against them.

Who owns the deliverables at the end of an ITCA™ engagement?

You do. The final Activate stage includes a full handover: policies, controls, evidence library, operating cadence, and internal ownership. Nothing lives in a consultant's folder. Your team operates it from day one of handover.

Want to see ITCA™ applied to your situation?

30-minute scoping call. Written proposal within 5 business days.

Request scoping