Risk and ResponseAudit Services
Jonathan Major, Lead ISO Internal Auditor at Risk and Response

Jonathan Major

Lead ISO Internal Auditor

Founder of Risk and Response Audit Services. 25 years across engineering, information security, and compliance — building, defending, and assessing the systems regulated industries depend on.

LinkedIn audit@riskandresponse.com

Background

Jonathan started his career in regulated finance and infrastructure, then moved into senior security and engineering leadership for data-intensive companies. He held engineering roles at IBM, BlackRock, and Barclays Global Investors before serving as founding VP of Engineering and Chief Security Officer at Crux Informatics, a financial-data infrastructure company.

Risk and Response is built on that operating experience. Internal audits at this practice are performed by someone who has run the programs being audited — not by a checklist generalist. That changes what gets seen, what gets prioritized, and how findings are framed for the engineering teams that have to remediate them.

Selected experience

  • Crux Informatics — Founding VP of Engineering and Chief Security Officer. Stood up the security and compliance program from zero.
  • Proga Digital — Co-founder. Low/no-code application platform.
  • BlackRock — Senior engineering roles in trading and risk infrastructure.
  • Barclays Global Investors — Trading and portfolio infrastructure engineering.
  • IBM — Early-career engineering roles.

Track record

Risk and Response has delivered ISO 27001 internal audits across four consecutive years. Numbers below reflect the practice's engagements from 2022–2025.

7
ISO 27001 internal audits delivered
5
Organizations audited
3
Consecutive fiscal years engaged with one client
100%
Reports delivered to schedule

Sectors served

  • Healthcare technology
  • Cybersecurity / OSINT tooling
  • Data analytics consulting
  • SaaS infrastructure
  • Growth-stage SaaS

Client identities are confidential. Sectors listed above are anonymized categories drawn from completed engagements.

Specialties

• ISO 27001:2022 (ISMS)
• ISO 42001:2023 (AIMS)
• ISO 9001:2015 (QMS)
• ISO 19011 audit methodology
• SOC 2 program design
• HIPAA compliance
• Cloud security architecture
• Drata, Vanta, Sprinto auditor portals
• Infrastructure as code
• Risk-based auditing

Independence and Impartiality

ISO 19011 §4 requires internal auditors to act with independence and impartiality. Risk and Response Audit Services applies these principles on every engagement:

  • No prior engagement conflicts. We do not audit management systems we previously designed, implemented, or operated.
  • Not a certification body. We perform internal audits only. Certification body relationships and external audit work are kept separate.
  • Evidence-first reporting. Findings are tied to specific evidence items and the clauses or controls they relate to. No findings without traceable evidence.
  • Confidentiality. NDAs are standard. Audit working papers, evidence, and findings are not shared outside the engagement.

Talk about your audit

Pick the standard you need audited and book a 30-minute scoping call.

ISO 27001 ISO 42001 ISO 9001