About Steve Crutchley
Founder & CEO
Steve Crutchley is a cybersecurity, risk, and compliance professional with more than 40 years of hands-on experience helping organizations navigate complex regulatory and operational challenges. He has worked across government, financial services, technology, and regulated industries, building and implementing programs that have stood up to real scrutiny from auditors, regulators, and executive leadership.
Steve founded C2C Smart Compliance out of necessity. After years of leading ISO, cybersecurity, and business continuity projects, he saw a consistent problem. The tools on the market looked impressive in demos but failed during real implementations. They were difficult to configure, disconnected from how teams actually work, and often became obstacles rather than enablers of compliance.
Instead of forcing clients to adapt to ineffective tools, Steve built better ones. C2C’s risk and compliance tools reflect how risk, compliance, and governance actually function inside organizations, not how they are described in theory. Beyond technology, Steve is known for his ability to translate complex requirements into clear, actionable steps. He focuses less on checklists and more on helping teams understand what matters, why it matters, and how to implement it in a way that fits their organization.
In recent years, Steve has been helping organizations address the rapidly evolving risks of AI. As a co-founder of Vision AI+, he works with leadership and technical teams to assess AI risk, develop governance frameworks, and align programs with emerging standards and regulations. Similar to his approach with C2C, his focus is on building governance that is executable, auditable, and adaptable as technology changes.
The C2C approach
Compliance, risk management, and governance aren’t checkboxes. They’re strategic business functions. The B-GRC (Business-focused Governance, Risk, and Compliance) framework applies a business-first lens to what many organizations treat as a technical exercise.
Start with the business
Compliance should be part of your business strategy, not a side project. We align compliance to business objectives, not the other way around.
Map once, use everywhere
We make compliance enterprise-wide, not just a siloed IT issue. The B-GRC method brings in all stakeholders, from business units to leadership, to ensure organization-wide adoption.
Operationalize requirements
We build a living compliance framework, not a static policy manual. Compliance, risk, and governance need to be embedded across the organization.
Stay audit-ready
Compliance is never “done,” so our framework is built to evolve, adapt, and stay aligned to changing requirements.
Qualifications and certifications
Approved PECB trainer for ISO 27001, ISO 20000, and ISO 22301 (certificate # CT02346-07-2018)
PECB Certified Management System Auditor for ISO 27001, ISO 20000-1, and ISO 22301 (certificate # MSA0040-2)
PECB Management System Senior Auditor and Implementer for ISO 27701 PIM (certificates PIMSLA1031242-2020-02 & PIMSLI1031242-2020-02)
Recipient of the 2013 GRC Innovation Award
ISACA Accredited Trainer for COBIT
Instructor for the IRCA 802 Certified Lead Auditor for ISO 27001 and ISO 27001 Implementation Courses
Qualified Lead Auditor & Implementer for ISO 27001, ISO 20000, and ISO 22301
Certified and endorsed ISC² Security Subject Matter Expert-II (SSME-II)
Certified Information Security Manager (CISM)
Certified in the Governance of Enterprise IT (CGEIT)
Bachelor of Science in Management Information Systems (B.Sc. Management Information Systems) with a concentration in Information Systems