The Anti-Consultant Consultant
Compliance that makes sense - not just a certificate on the wall.
Hi, I'm Lyudmil Arkov, and I'm probably not the compliance consultant you're expecting.
I don't wear expensive suits. I don't speak in incomprehensible jargon. And I definitely won't disappear the moment your certificate arrives.
What I will do? Make information security compliance actually make sense for your business.
From Phone Support to Your Security Partner
Twenty-two years ago, I started in phone support at a telecom company. Not exactly the typical origin story for a compliance consultant, right? But that journey through tech support, system administration, and eventually information security leadership taught me something crucial: real security isn't about frameworks - it's about understanding how technology and business actually work together.
My first ISO 27001 implementation happened almost by accident. As a system admin, I was tasked with getting our company certified. No consultants, no roadmap - just me and a standard that seemed designed to confuse. But something clicked. I realized ISO 27001 wasn't about creating perfect documentation - it was about building better businesses through systematic security thinking.
Over the past decade, I've implemented ISO 27001, SOC 2, TISAX, C5, Cyber Essentials, and more for companies ranging from 5-person startups to thousand-employee enterprises. Each one taught me something new about how the same standard can transform differently depending on who's implementing it.
That's what I love about this work - there's no one-size-fits-all solution. Your 15-person SaaS startup needs a completely different approach than a 100-person AI company, even if they're both pursuing ISO 27001.
Why 27kay Exists
After years of being both consulted and consulting, I kept seeing the same problems:
- Companies spending fortunes on consultants who spoke in circles
- Startups drowning in documentation they'd never use
- Certificates gathering dust while actual security remained unchanged
- The dreaded "We're done until next year, right?" mentality
I founded 27kay (yes, it's a play on ISO 27001 - I couldn't resist) to be different. This is a boutique consultancy by design, not limitation. I'm not interested in being the biggest. I'm interested in being the most valuable to the select few clients I work with.
The Boutique Approach
You work with me, not a junior associate. When you hire 27kay, you get two decades of IT experience and a decade of security expertise - not someone reading from a script.
Quality over quantity, always. I'd rather have 10 clients who trust me completely than 1,000 who don't know my name. This isn't about maximizing billable hours - it's about building lasting partnerships.
We start with honest conversation. Our first discussion isn't about selling you services - it's about whether you actually need certification, and whether we're the right fit for each other. Sometimes the answer is no, and that's okay.
Continuous improvement, not checkbox compliance. If you just want a certificate to file away, I'm not your consultant. But if you see compliance as a tool for building a better, more secure business? Let's talk.
How I Work
Remote-first, async-native. I work with companies that live in 2026. That means Slack, Notion, Linear - whatever tools you're already using. No mandatory on-site visits, no timezone tyranny.
Available but not desperate. I'll be responsive and engaged, but I won't pretend to be at your beck and call 24/7. Sustainable relationships require boundaries.
Implementation without the timeline pressure. Could we rush through ISO 27001 in three weeks? Technically, yes. Should we? Rarely. We'll move at the pace that makes sense for your business, not chase arbitrary deadlines.
The Reality Check
Some truths that might surprise you:
- Not every company needs ISO 27001 or SOC 2 right now
- Sometimes improving your security is more important than getting certified
- The best security control is often common sense, systematically applied
- Compliance can actually be... dare I say it... interesting when done right
Who Thrives with 27kay
My best client relationships share a few characteristics:
- Forward-thinking startups and small businesses - who see compliance as growth enablement, not a necessary evil
- Companies that value expertise - but don't want the corporate consulting experience
- Teams ready to improve continuously - not just pass an audit
- Organizations that appreciate straight talk - over consultant-speak
If you're reading this thinking "finally, someone who gets it" - we should talk.
If you're thinking "I just need the cheapest, fastest certificate" - we probably shouldn't.
Let's talk
Not sure if you need ISO 27001 or SOC 2? Wondering if your 10-person startup is ready? Let's start with coffee - virtual or otherwise.
Book a free consultation →