About elce.ai
Structured, evidence-led cybersecurity assurance for regulated and critical sectors.
Who We Are
elce.ai is a cybersecurity consultancy founded on the principle that genuine assurance requires more than compliance documentation. Organisations in regulated and critical sectors need structured, evidence-led governance that gives boards, regulators, and operational teams genuine confidence in their security posture.
We built C-PAP (Cyber-Physical Assurance Platform) to address a structural problem we saw repeatedly across sectors: organisations managing multiple overlapping compliance frameworks through duplicated control sets, fragmented evidence, and disconnected reporting — with the result that compliance activity was consuming disproportionate resource without delivering proportionate assurance confidence.
What We Believe
Compliance and assurance are not the same thing. A certificate demonstrates that controls met requirements at a point in time. Assurance demonstrates that controls remain effective, evidence is current, risk is understood, and governance is active.
We believe that the structural problem in modern compliance — multiple frameworks asking for the same thing in different ways — is solvable through a canonical approach. One control model, one evidence base, one assessment, multiple compliance views. That is the principle behind C-PAP.
Our Focus
We specialise in cybersecurity assurance for organisations operating in regulated and critical environments — where availability, safety, operational continuity, and formal assurance are as important as confidentiality. Our work spans IT compliance, OT/ICS security, and converged IT/OT assurance, with particular depth in:
Governance & Risk
Structured governance frameworks, risk quantification, and board-level assurance reporting for organisations accountable for cyber risk.
Regulatory Compliance
Multi-framework compliance consolidation across ISO 27001, NCSC CAF, NIS, IEC 62443, and sector-specific regulatory instruments.
Cyber-Physical Assurance
Unified IT/OT assurance for converged environments, bridging enterprise IT governance with operational technology security.
Our Mission
To give organisations in regulated and critical sectors genuine confidence in their cybersecurity posture — through structured governance, defensible evidence, and assurance that is continuous, proportionate, and operationally credible.
We exist because compliance alone does not deliver assurance. Organisations need more than certificates and mapping spreadsheets. They need a governance model that consolidates overlapping obligations, manages evidence as a standing function, and produces reporting that boards and regulators can trust. That is what C-PAP is designed to provide.
Our Values
Evidence Over Assertion
We believe that assurance must be demonstrable. Claims of compliance without supporting evidence are not governance — they are aspiration. Every control, every assessment, every report must be traceable to verifiable evidence.
Honest Assessment
We report what we find, not what the organisation wants to hear. Genuine assurance requires honest evaluation of control effectiveness, transparent identification of gaps, and realistic assessment of maturity. Anything less undermines the purpose of the exercise.
Proportionality
Governance must be proportionate to risk and operational context. We do not impose disproportionate requirements on organisations whose risk profile does not warrant them, and we do not under-specify governance for those whose risk profile demands rigour.
Operational Reality
Assurance programmes must work within real operational constraints — maintenance windows, safety dependencies, legacy systems, resource limitations. Governance that looks credible on paper but fails in practice does not deliver assurance.
Mutual Qualification
We qualify engagements before committing to them. If the fit is not right — if our platform does not address the organisation's actual problem, or the engagement cannot deliver proportionate value — we say so. Trust is built by turning away work that should not proceed.
Long-Term Partnership
We design engagements for sustained value and organisational self-sufficiency, not consultancy dependency. Knowledge transfer, capability building, and operational independence are outcomes, not optional extras.
What Sets Us Apart
Canonical, Not Framework-First
Most compliance platforms start with a framework and build outward. C-PAP starts with a framework-independent canonical control model and maps frameworks to it. This structural difference eliminates the duplication that plagues multi-framework programmes and ensures that assurance is coherent regardless of which regulatory lens is applied.
Genuinely Converged IT/OT
C-PAP is not an IT governance platform with OT bolted on. The architecture was designed from the outset to span both domains — with dedicated overlay domains for OT/ICS security, critical infrastructure resilience, and safety-critical environments. OT-specific evidence types, assessment methodologies, and operational constraints are built into the model, not accommodated as exceptions.
Practitioner-Built, Board-Ready
C-PAP was designed by practitioners who have conducted assessments, written reports, and presented to boards and regulators. The platform reflects what assurance professionals actually need — structured control models, defensible evidence chains, and reporting that senior stakeholders can act on — not a theoretical governance model built in isolation from delivery reality.
Consultative, Not Transactional
We lead with questions, not product features. Every engagement begins with understanding the organisation's regulatory landscape, operational constraints, and assurance objectives. We position support based on relevance to the actual problem, not a standardised sales process. If C-PAP is not the right solution, we say so.