Outputs you take away

Tangible artefacts. Not slide decks.

Every engagement produces a concrete set of documents, registers and records — version-controlled, clause-tagged, and formatted for your team to maintain after we leave.

01 — Core deliverables

Organised by GRC function.

Four groups cover the operating backbone of any implementation — governance, risk, compliance and documentation. These appear in every engagement regardless of framework.

Group A · Governance

  • ISMS scope & context document
  • Information security policy (master)
  • Roles & responsibilities matrix
  • Acceptable use policy
  • Supplier & third-party policy
  • Communication & awareness plan
  • Management review pack (recurring)
  • Objectives & KPI set
  • Continuous improvement register

Group B · Risk

  • Risk assessment methodology
  • Information asset inventory
  • Risk register (asset-based, inherent + residual)
  • Risk treatment plan
  • Vendor / third-party risk assessments
  • Business Impact Analysis (BIA)
  • Business continuity & recovery plan
  • Vulnerability management programme
  • Control effectiveness dashboard

Group C · Compliance

  • Statement of Applicability / TSC matrix
  • Cross-framework crosswalk (ISO / NIST / SOC 2 / CIS)
  • Legal, regulatory & contractual obligations register
  • Internal audit programme & schedule
  • Internal audit reports
  • Non-conformity & corrective action tracker
  • Evidence library & sampling plan
  • Auditor request-list response pack
  • Certification / attestation readiness memo

Group D · Documentation

  • Access control policy & procedure
  • Change management policy
  • Incident response plan & runbooks
  • Cryptography & key management policy
  • Secure development lifecycle procedure
  • Backup & recovery procedure
  • Data classification & handling
  • Physical & environmental security
  • Logging, monitoring & audit trail policy

02 — Per-framework bundles

Framework-specific artefacts.

On top of the core set, each framework has its own required documents. Below is what ships with each engagement type.

ISO/IEC 27001:2022

ISMS programme bundle

  • Scope & context document
  • SoA for all 93 Annex A controls
  • 24+ clause-mapped policies
  • Internal audit pack + mgmt review
  • Stage 1 / Stage 2 evidence binder

NIST CSF 2.0

CSF profile bundle

  • Current Profile baseline
  • Target Profile & tier roadmap
  • Cross-function control matrix
  • IR & recovery playbooks
  • Supply-chain risk programme

SOC 2 readiness

Attestation readiness bundle

  • System description
  • TSC matrix (CC1–CC9 + add-ons)
  • Policy set (access, change, incident, vendor, BCDR)
  • Evidence library & sampling plan
  • CPA auditor response pack

GDPR · DPDP 2023

Privacy operating bundle

  • Records of Processing Activities
  • Privacy notice suite + cookie framework
  • DSAR playbook & templates
  • Processor agreement pack (Art. 28)
  • Transfer Impact Assessment + DPIAs

HIPAA

ePHI safeguards bundle

  • ePHI inventory & data-flow
  • Risk analysis & management plan
  • Administrative / physical / technical policies
  • Business Associate Agreement set
  • Breach notification runbook

Cross-framework

Unified control programme

  • One control catalogue
  • Mapping to every framework in scope
  • Single evidence library
  • Consolidated internal audit
  • Lower ongoing operating cost

See a sample on a call

Request a redacted sample deliverable.

On a scoping call we can walk through a redacted sample SoA, risk register, or policy to calibrate standards and depth.