A consulting-grade GRC portfolio built around a full-scope ISMS implementation for AlphaTech Inc., a fictional US-based healthtech SaaS company processing PHI for 340,000 patients across 12 states. ISO 27001:2022 · HIPAA/HITECH · GDPR · CCPA · NIST CSF 2.0 — 36 interconnected governance artifacts, built as a system. This is not a document library. Every artifact connects to at least one other. Every control maps to a clause. Every decision has documented reasoning.
<aside>
This portfolio documents a full-scope ISMS implementation for AlphaTech Inc., a simulated US-based healthtech SaaS company processing PHI for 340,000 patients across 12 US states with active UK and Canada data exposure.
The engagement covers ISO 27001:2022 governance design, HIPAA/HITECH Business Associate compliance, GDPR and CCPA privacy documentation, enterprise risk management, and a 9-component modular incident response program. Every artifact is built as part of a coherent, cross-referenced compliance system, rather than a collection of isolated documents.
36 interconnected deliverables. Every control maps to a clause. Every decision has documented reasoning. The full case study is in the Healthcare IT GRC Engagement Hub below.
</aside>
<aside>
Name
Stephanie Uzama | GRC Analyst
</aside>
<aside>
Case Study
AlphaTech Inc. — Full-scope ISO 27001:2022 ISMS design, HIPAA/GDPR/CCPA privacy compliance, risk management, and 9-component incident response program. Open Case Study →
</aside>
<aside>
Company Scope
US-based healthtech SaaS. PHI processed for 340,000 patients across 12 states. AWS cloud infrastructure. HIPAA Business Associate. UK and Canada customer exposure triggering GDPR and related privacy obligations; CCPA obligations also in scope.
</aside>
| Metric | Value |
|---|---|
| Total ISMS artifacts | 31 |
| Total risks assessed | 36 |
| HIGH risks (residual score 15+) | 15 |
| Risks requiring prioritised remediation | 14 |
| Policies in ISMS scope | 6 |
| Identified PHI third-party processors | 4 |
| Patient records in scope | 340,000 across 12 US states |
| Workforce | 180 employees · 40% remote · 3 offshore contractors |

| Section | What It Contains |
|---|---|
| Case Study → | Engagement summary, key decisions, outcomes, and full artifact index |
| Governance Core → | ISMS scope, context analysis, information security policy and objectives |
| Risk Core → | Risk register, assessment methodology, treatment decisions |
| Control Core → | Control library, access control suite, Statement of Applicability |
| Operations Core → | Vendor management, change management, incident response program, and privacy documents |
| Assurance Core → | Audit readiness, gap analysis, BIA, BCP, ICT readiness, and control testing evidence |
| Evidence Repository → | Full source documents — audit-ready artifact library |
<aside>
Available for GRC consulting engagements and remote analyst roles.
</aside>
⚠ Disclaimer: AlphaTech Inc. is a fictional US-based healthcare IT company created for portfolio and learning purposes. The documents and projects in this portfolio demonstrate my practical, hands-on application of Governance, Risk, and Compliance (GRC) principles, frameworks, and standards. Any resemblance to real organizations is purely coincidental.