Methodology

The ComplianceReady System

How we deliver ISO 27001, SOC 2, Essential Eight and ISO 42001 in 8–14 weeks — inside your existing Microsoft 365 environment, without buying a GRC platform.

This page covers exactly what happens in each phase, what you'll see at each milestone, and what we expect from you. If you're considering an engagement and want to understand what you're paying for before booking a call, this is the page to read.

Four phases, end to end

Every engagement follows the same structure. Each phase closes with evidence — there's no waiting until the end to find out whether you'll pass.

ComplianceReady 4-phase system: Assess, Implement, Evidence, Certify

PHASE 01 — WEEKS 1–2

Assess

Two weeks to a complete picture. We map your environment, find the gaps, and produce a prioritised remediation roadmap — not a 100-page report you'll never read.

What we do

  • Scope definition. What's actually in scope for certification — and just as importantly, what isn't. Most engagements over-scope, driving cost and complexity. We define scope tightly.
  • Environment review. We connect to your Microsoft 365 tenant (read-only) and map what's already in place — Conditional Access, Defender policies, Intune configurations, SharePoint structure, retention.
  • Gap analysis against the framework. Every control in your target framework mapped to your current state: Met / Partial / Not met. No vague RAG ratings — concrete evidence of what's working and what isn't.
  • Risk assessment. Risks identified with likelihood, impact, and treatment direction — aligned to the framework's published criteria, not a generic template.
  • Prioritised remediation roadmap. Every gap ranked by impact, effort, and dependency. You get a sequenced plan, not a wishlist.

What you'll see

  • A scope document — typically 4–6 pages, signed off by you before we proceed
  • A gap analysis register — one row per control, with current state evidence and required action
  • A risk register — populated with real risks, not framework-template placeholders
  • A prioritised roadmap — week-by-week plan for Phase 2
  • A fixed-price proposal for Phases 2–4, based on what we found

What we expect from you

  • Two 60-minute interviews — typically one with leadership, one with whoever runs IT/security operations
  • Read-only access to your Microsoft 365 admin centre and core SharePoint sites
  • Existing security policies, risk registers, or audit reports — if any

Phase 1 can be delivered as a standalone engagement. If after the assessment you decide to pause, change direction, or take it in-house, you keep everything we produced. There's no obligation to continue to Phase 2.

PHASE 02 — WEEKS 3–10

Implement

Build the management system. Controls, policies, evidence capture, and governance — all running inside your existing Microsoft 365 environment, without overbuilding.

What we do

  • Policy framework. Policies written specifically for your environment — not generic templates. Reviewed by you, approved through your normal governance process.
  • Control implementation. Where controls aren't met, we build them. Conditional Access policies in Entra. Endpoint policies in Intune. DLP and information protection in Purview. Backup and recovery configurations. Every change ring-tested before broad deployment.
  • Evidence capture automation. Evidence captured at the point of change — Power BI dashboards pulling from M365 audit logs, SharePoint document libraries with retention and approval workflows, automated reporting for control effectiveness.
  • Risk treatment. Each risk identified in Phase 1 either treated, transferred, or formally accepted by the appropriate owner with documented rationale.
  • Internal governance. ISMS steering committee structure, management review cadence, change management integration — embedded into your existing governance, not bolted on.
  • Training and awareness. Role-specific training delivered through your existing platform (typically Viva Learning), tracked and evidenced for the audit.

What you'll see

  • Weekly progress reports — what was delivered, what's next, what's blocked
  • Milestone checkpoints every 2 weeks with deliverables you sign off before proceeding
  • Live evidence dashboards as we build them — not a black box
  • Configuration documentation for every change made in your environment
  • A draft Statement of Applicability (for ISO frameworks) or equivalent control mapping

What we expect from you

  • A nominated internal contact — typically 2–4 hours per week of their time
  • Approval authority for policy changes within agreed boundaries
  • Existing change management process — we work within it, not around it

Fixed price for this phase is set at the end of Phase 1 based on what we actually find. No scope creep, no surprise variations — milestone payments only released when you sign off on the deliverable.

PHASE 03 — CONTINUOUS THROUGHOUT

Evidence

Evidence is captured at the point of change, never reconstructed the night before an audit. By the time we reach certification, the evidence pack is already audit-grade.

Why this phase runs continuously

The single biggest failure mode in compliance engagements is leaving evidence collection to the end. Auditors don't just want to see that a control exists — they want to see it operating over time. If you only start capturing evidence in week 8, your audit will fail or be heavily qualified.

We design every control so the evidence is generated automatically as the control operates. Conditional Access decisions logged in real time. Approval workflows that produce audit trails by design. Configuration baselines that prove their own currency. By the time we hit Phase 4, you have months of operating evidence — not a frantic scramble.

How evidence is structured

  • One library per framework. ISO 27001, SOC 2, Essential Eight — each gets its own evidence library in SharePoint, with controls mapped to source artefacts.
  • Cross-framework mapping. A single piece of evidence (e.g. an access review log) maps to controls across multiple frameworks. No duplicated effort.
  • QA review at every milestone. Every evidence pack reviewed for completeness, defensibility, and currency before sign-off. We find the gaps before the auditor does.
  • Versioning and retention. Evidence retained with appropriate retention policies. Audit history preserved across multiple certification cycles.

What this means for surveillance audits

ISO certifications require surveillance audits annually for three years, then full recertification. Because the evidence pipeline is automated, surveillance audits become a routine confirmation rather than a fresh fire drill. Most clients report surveillance years 2 and 3 cost 80–90% less than the original implementation.

PHASE 04 — EXTERNAL AUDIT

Certify

External certification with no surprises. 100% first-time pass rate across all our engagements — because by the time the auditor arrives, we've already QA'd everything they'll ask for.

What we do

  • Certification body selection. We help you choose between accredited certification bodies (JAS-ANZ for ISO, AICPA-accredited for SOC 2) based on cost, scheduling, and industry fit. You contract directly with the auditor — we don't take referral fees.
  • Stage 1 audit support. Documentation review by the auditor. We pre-package everything they'll ask for, with cross-references and audit trails.
  • Stage 2 audit support. Operational audit, typically on-site or via video. We're on call throughout — answering auditor questions in real time, pulling additional evidence as requested, addressing observations as they're raised.
  • Findings response. If the auditor identifies any minor non-conformances (rare, but possible), we draft the corrective action plan and supporting evidence within 48 hours.
  • Certificate issuance and ongoing support. Once issued, we help you make the most of it — procurement language, sales enablement, surveillance audit planning.

Why we pass first time, every time

Not magic — methodology. We've structured the previous three phases so that everything an auditor will ask for already exists, is current, and is defensible before we book the audit. We do an internal dress rehearsal of the audit two weeks before the external auditor arrives. If we wouldn't pass our own internal review, we don't book the external one.

What makes this approach different

Three structural choices that change the economics and the experience.

No new platform required

Everything we deliver lives inside Microsoft 365. SharePoint for evidence libraries. Power BI for control dashboards. Defender, Intune, Purview, Entra for the controls themselves. No GRC platform licence — no $15–60k/year fee that compounds across surveillance years.

Fixed price, milestone-gated

Price agreed before Phase 2 starts, based on real findings from Phase 1. Payments released against delivered milestones — not hours billed. If a phase takes longer than estimated, that's our problem, not yours.

Senior practitioner end-to-end

The person who scopes your engagement is the same person who delivers it. Not a partner who pitches and then hands off to juniors. Direct accountability, faster decisions, no relearning.

Ready to scope your engagement?

A free 30-minute call gives you a precise scope, realistic timeline, and a fixed-price quote. If the answer is "you don't need us yet," we'll tell you.
