About Fig Group

Risk that's visible. Compliance that's defensible.

Fig is a governance-led security and resilience platform for corporate risk teams. Continuous monitoring, supplier oversight, evidence trails, and board-ready reporting on one operating model - so the controls you commit to in policy are the controls that actually run.

Key platform statistics

  • 217+ integrations
  • 35hr go-live
  • 47+ frameworks
  • 72% audit-ready
Oversight with follow-through

Visibility and action in one operating model.

Your MSP can manage Fig day to day while you keep an independent view of risk, resilience, and assurance work.

01 Standards

Policy-driven oversight

Your MSP works to the standards you set, not just the bare minimum in a framework. DDQs, board-approved standards, and client commitments stay visible in day-to-day delivery.

02 Resolution

Action, not just observation

When a vendor's patching or MFA posture drifts, Fig does more than highlight it on a dashboard. It records the issue, assigns an owner, sets a deadline appropriate to its severity, and tracks it through to closure.

03 Operating model

Your MSP can run it

Fig works through the MSP that already manages your infrastructure. They can run the platform day to day while you keep an independent view of the resilience work they are delivering.

Independent oversight

Real visibility into your managed security posture.

[Image: Fig risk scoring matrix with treatment workflow and severity tracking]

01 Operational

Continuous monitoring

Keep your internal team and your MSP working from the same view, with risks, issues, and follow-up tracked centrally.

02 Decision-making

Evidence-based conversations

Move from "tell us about your controls" to "here is what we see in your environment." Make informed decisions with real data.

03 Assurance

Document your due diligence

Maintain audit trails and compliance reports. When regulators ask "how do you monitor your MSP?" you have a documented answer.

Frameworks

Your policies, not just framework minimums.

Fig enforces your actual compliance commitments - your DDQs, your board-approved standards, your client-facing obligations - not just the minimum framework bar.

  • NIS2: EU Network and Information Security Directive (critical infrastructure resilience)
  • DORA: Digital Operational Resilience Act
  • ISO 27001: information security management
  • SOC 2: service organisation controls
  • CS&R: Cyber Security and Resilience
  • GDPR: data protection and privacy

Supply chain visibility

Know the actual security posture of every critical vendor.

Your supply chain is only as secure as your weakest vendor. Fig gives you a single dashboard of the compliance status of all your critical third parties. For corporates in the UK MOD supply chain, Fig also delivers Defence Cyber Certification (DCC, Levels 0 and 1) alongside Cyber Essentials.

[Image: Fig critical dependencies graph showing single points of failure and service relationships]

01 Real-time visibility

Continuous monitoring of MSP security posture, not an annual snapshot.

02 Automated reporting

Evidence and attestations flow from every vendor into one live view.

03 Risk-based scoring

Third-party controls scored by coverage, responsiveness, and breach history.

04 Audit trail evidence

Complete documented history of every third-party risk review and remediation.

05 Continuous monitoring

Always-on signals replace stale annual questionnaires and point-in-time attestations.

48-hour go-live

Live in 48 hours. Not 6 months.

Your MSP deploys Fig across your environment in two business days.

01 Define

Your MSP selects the frameworks and configures your internal policies and governance requirements.

02 Connect

Fig connects to your vendor and internal tooling via 300+ integrations. No migration, no disruption.

03 Visibility

Within 48 hours you see your full compliance and risk posture. Your MSP manages it. You oversee it.

Insurance impact

Connect assurance work to insurance conversations.

Use the same evidence gathered for oversight and resilience work to support renewals and insurer discussions.

  • Continuous, real-time monitoring
  • Evidence-based compliance data
  • Documented due diligence history
  • Underwriters see real controls, real risk

  • 15-25%: average premium reduction with documented compliance
  • 50%: lower deductibles for proven third-party risk management
  • 24/7: real-time compliance monitoring

Beyond compliance monitoring

Capabilities enterprise GRC platforms charge separately for.

01 Reporting

Board-ready reporting

AI-powered executive narratives generated from live compliance and risk data. Board packs assembled from real evidence, not quarterly spreadsheet exercises.

02 Privacy

Privacy management

ROPA, DPIA and DSAR management, consent lifecycle, and breach notification with tracking of the GDPR 72-hour notification deadline. Connected to your compliance engine, not a separate tool.

03 Change

Change governance

7-state change workflow with AI risk scoring, policy compliance gates, and DPIA integration. Every change checked against your governance requirements before deployment.

Your data, your terms

No lock-in. No proprietary traps. Full portability.

01 Portability

Full data portability

Your compliance data, evidence, and audit trails belong to you. Export everything in standard formats at any time. No exit fees.

02 Coexistence

Works with existing GRC

Fig feeds data into your existing GRC platform. It does not replace it or compete with it. Your investment in Archer, ServiceNow, or OneTrust is protected.

03 Pricing

No cost surprises

The price agreed is the price you pay. No mid-contract increases. No hidden charges for additional frameworks or users. No consultant fees.

FAQ

Questions?

Everything you need to know before you speak to the team.

Why should we care about our MSP's compliance if they're insured?

Insurance does not cover your own negligence or failure to perform due diligence. If a breach happens and you cannot show that you monitored your MSP's compliance, you may share the liability. Fig lets you document that oversight.

How does Fig help us if our MSP isn't using Fig?

Fig can still assess your MSP's compliance through our questionnaire module and document your review process. We also encourage MSPs to use Fig so you get direct, real-time visibility instead of annual questionnaires.

Can we use Fig alongside our existing GRC platform?

Yes. Fig integrates with most enterprise GRC tools. We can feed compliance data into your existing systems and act as a specialised overlay for MSP/third-party monitoring.

How do we actually enforce compliance on our MSP if they're not meeting standards?

Fig gives you the evidence to have data-driven conversations. You can identify gaps, set remediation timelines, and track progress. We provide the documentation for your contracts and legal requirements.

What frameworks do you support?

We support NIS2, DORA, ISO 27001, SOC 2, CS&R, CMMC, GDPR, and custom frameworks. We can configure Fig to match your specific compliance requirements.

How does better compliance data lead to better insurance terms?

Underwriters want to see that you have strong third-party risk management and documented controls. When you can show continuous compliance monitoring and audit trails, insurers see lower risk, which translates to better premiums and lower deductibles.

How is Fig different from enterprise GRC platforms like Archer or OneTrust?

Enterprise GRC platforms typically cost £30,000 to £500,000, can take 3-6 months to deploy, and require dedicated teams to operate. Fig deploys in 48 hours through your MSP, enforces your actual policies operationally, and connects your compliance evidence directly to insurance underwriting.

Do we work with Fig directly or through our MSP?

Fig works through your MSP. They manage the platform, handle onboarding, and run day-to-day operations. You get independent visibility into the compliance posture they are delivering.

How quickly can we be live?

Most organisations are live within 48 hours. Your MSP configures the frameworks and policies, connects your tooling via 300+ integrations, and you have real-time compliance visibility within two business days.

What happens to our data if we stop using Fig?

Your data belongs to you. Export everything in standard formats at any time. No exit fees. No proprietary data traps.

Does Fig enforce our internal policies or just framework minimums?

Both. Fig enforces your selected compliance frameworks and your internal policies - the commitments from your DDQs, your board-approved standards, and your client-facing obligations.

Contact

Take control of your third-party risk.

Get real visibility into your MSP's compliance posture and document your due diligence.