Governance, Risk & Compliance

A comprehensive approach to information security encompassing all aspects of governance, risk and compliance.

We excel at helping information security, risk and compliance professionals document and communicate compelling stories to risk and asset owners in a language they understand.

These stories enable decision makers to make better informed choices about what risks are, and are not, acceptable to them, their clients and in some cases society.

The tools for making such compelling stories are our ORAM (Operational Risk Assessment Methodology) and CRAM (Contextual Risk Assessment Methodology).

We provide insight and support to those responsible for managing risk, helping them identify and implement effective controls to manage behaviour in line with your organisation's appetite for risk. Controls range from the development, implementation and review of organisational policies, processes, procedures and standards, to technology, business documentation and records.

Our team have a track record of helping clients comply with a wide variety of regulatory, industry and contractual obligations. The ability to draw on our in-house legal experts, combined with security professionals, means we can give organisations the confidence that they have compliance under control.

Underpinning all of our governance, risk and compliance work is our industry-leading SABC methodology. SABC integrates our research into behaviour, change and communication not just into employee education and awareness programmes but, uniquely, into Governance, Risk and Compliance.

“I can strongly recommend Marmalade Box to anyone who is looking for ISO 27001 guidance.” 

Chief HR & Legal Officer
ZitCom Gmbh



Make stakeholders aware so that they can make better informed decisions. Make stakeholders aware of their obligations and how to react in given situations.


Demonstrably increase the likelihood of decisions which bring about positive security outcomes.
Manage the behaviour of those who come into contact with your information assets to reduce the likelihood or impact of the decisions and actions they take, knowingly or unknowingly.


Demonstrably build a culture which values and delivers confidentiality, integrity and availability as part of business as usual.
