FAQ

Frequently asked questions

Common questions from prospective and current clients. If your question is not answered here, write to office@ellipseproject.com.

What is your typical engagement size?
Engagements range from a six-week risk assessment (single-digit person-weeks of effort) to a multi-year DORA or NIS2 readiness programme (significant person-years). Most of our work falls between three and twelve months in duration.
Do you work outside Central Europe?
We have completed engagements in Germany, Austria, Czech Republic, Slovakia, Lithuania, Latvia, and Estonia in addition to our home market in Poland. We are happy to discuss engagements in other European jurisdictions but would scope honestly on whether we are the right fit; some markets are better served by firms with closer regulatory familiarity.
What is your relationship with certification bodies?
We are fully independent of every certification body. We work alongside the major bodies operating in our region (DEKRA, BSI, TÜV) and can advise on selection based on your sector and cultural fit. We do not receive commission, and we do not certify ourselves.
Are you certified to any security standard?
Ellipse Project sp. z o.o. is ISO 27001:2022 certified across all operational scopes. The certificate is available on request.
How are you priced?
Engagements are typically priced on a fixed-fee basis with a defined scope and deliverable set. Time-and-materials arrangements are available where the scope is exploratory; we are explicit about which model fits the work in our initial proposal.
What languages do you work in?
English, Polish, and German are working languages for all our partners. Specific engagements in other languages are arranged on a case-by-case basis with named senior consultants in those languages.
Do you take on incident-response retainers?
No. We are an advisory firm, not an incident-response firm; the operational tempo of incident response is different from advisory work and we have chosen to focus on the latter. Where clients need an incident-response partner, we are glad to refer to firms we trust.
How does NIS2 affect our organisation specifically?
That depends on your sector, size, and the jurisdictions where you operate. We are happy to scope a short readiness assessment that produces a defensible answer to that question; the assessment deliverable is yours to take to a different vendor if you decide not to engage us further.
Can you support our internal audit function?
Yes. Some of our clients use us in a co-sourced internal audit capacity for the technology and security scope of their annual audit plan. The arrangement is structured to preserve internal audit independence; we are clear about our role as third-line support.
Do you sell software?
No. We are an advisory firm; we do not sell or resell software, simulation platforms, GRC tooling, or any other product. Our independence from tool vendors is a deliberate feature of how we operate.
What does the first conversation look like?
A 45-minute call with one of our partners covering the situation you are looking to address, the constraints we should know about, and our honest view of whether we are the right partner. We follow up within two working days with either a written scoping proposal or a referral to a firm that fits better.
Where can I read more about your published work?
Our insights page has the published material. We also occasionally contribute to ECSO and PIIT publications; relevant links are on the press page.