Independent information security advisory
We help mid-market organisations across Central and Western Europe meet their security obligations — ISO 27001, NIS2, DORA, GDPR — without losing focus on the people who actually live inside the controls.
What we do
Four advisory practices. Each engagement is scoped individually; please get in touch to discuss your specific context.
Structured ISO 27005-aligned assessments scoped to your actual business. We produce risk registers your board can read, not artefacts for the archive.
Gap analysis, remediation roadmap, and accompaniment through certification. Honest about effort, honest about timelines.
Practical translation of NIS2 and DORA obligations into a workplan your security team can actually execute, with measurable acceptance criteria.
Quarterly human-layer assessments that measure how your people respond — not just what they remember from last year's training.
“Ellipse Project delivered a NIS2 readiness review that finally produced a workplan our security team could actually execute, rather than a 200-page document destined for a shared drive.”
— Head of Information Security, European energy utility, ~3,500 employees
Retail banking, ~4,500 employees
Eighteen-month DORA readiness programme covering operational-resilience testing, incident reporting, third-party risk, and ICT supplier oversight.
Power utility (essential entity), ~3,500 employees
Multi-year framework covering NIS2 readiness, annual tabletop exercises, awareness programme oversight, and quarterly executive reporting.
Healthcare, multi-site hospital network, ~8,000 staff
Redesign of a hospital network's security awareness programme around clinical-context scenarios and workflow-compatible controls.
2026-03-28
A practical reading of the directive for organisations that already had a working ISMS, and where the genuinely new requirements bite.
2026-02-14
Of all the obligations DORA imposes, the ICT supplier register and contractual review consistently consumes the most effort. Why, and what to do about it.
2026-01-08
The transition deadline from ISO 27001:2013 to ISO 27001:2022 lands on 31 October 2025. Where remediation work tends to land in practice.
Most of our engagements start with a short conversation — 45 minutes with one of our partners covering your situation, our honest view of fit, and what a structured engagement would look like. We follow up with a written proposal or, where we are not the right partner, a referral to a firm that fits better.