Documentation

Security Compliance Hub — Knowledge Base

Guides, references, and glossary for every assessment, feature, and compliance framework on the platform.

Getting Started

🏠 What is Security Compliance Hub?

Security Compliance Hub (SCH) is a client-side web platform that helps organisations assess their readiness across the major UK and EU cybersecurity compliance frameworks. It runs entirely in the browser — assessments are saved locally and submitted to the platform only when you run a Phronesis AI analysis.

Frameworks covered

  • Compliance Readiness (Free): 30-question cross-framework health check. Best starting point.
  • Cyber Essentials v3.3 (CE): NCSC-backed UK certification. 6 controls, 45+ questions.
  • NCSC CAF (CAF): Critical National Infrastructure. 14 principles, 83 questions.
  • DORA: EU financial sector resilience. 5 pillars, 49 questions.
  • ISO 27001:2022 (ISO): ISMS certification. 8 clauses, 58 questions.
  • AI Governance (AI): EU AI Act, ISO 42001, NIST AI RMF. 42 questions.
  • Cyber Resilience Maturity (CRMA): IASME-aligned maturity scoring across 14 themes. 70 questions.

Two specialist assessments — PE Cyber Due Diligence and SOC Maturity & AI Readiness — are available via the Consultancy Partnership Hub and require access credentials.

How results work

Every question maps to a scoring axis. Scores of 70 % or above are considered compliant / in good standing. 40–69 % indicates partial compliance. Below 40 % signals critical gaps requiring priority remediation. These thresholds apply across all frameworks with consistent meaning.

🚀 Quick Start

  1. Visit securitycompliancehub.io and click Sign In. Create an account with email or Google — your 7-day free trial begins automatically.
  2. From the landing page, click Compliance Readiness (the "START HERE" card). This 30-question assessment maps your current posture across all frameworks and recommends where to focus next.
  3. Answer each question honestly. Use the Phronesis AI button at any point during an assessment for context-aware guidance on a specific question.
  4. Click Analyse with Phronesis to generate your full AI report — scores, critical gaps, strengths, and a prioritised roadmap.
  5. Open My Hub to see all your results in one place, track progress over time, and access the Compliance Passport for a printable summary.

Tip
Auto-save runs every second — you can close the browser mid-assessment and pick up exactly where you left off on the same device.

🗺️ Choosing a Framework

Start with Compliance Readiness if you're unsure — it identifies your priority framework in 10–15 minutes. Otherwise use this guide:

By organisation type

  • UK public sector / government supplier / CNI operator → NCSC CAF
  • EU bank, insurer, investment firm, or payment institution → DORA (mandatory from January 2025)
  • Any UK or international organisation seeking ISMS certification → ISO 27001
  • SME, charity, or supplier wanting a demonstrable UK baseline cert → Cyber Essentials
  • AI developer, deployer, or public-sector AI user → AI Governance
  • Want a broad maturity baseline before picking a single certification → Cyber Resilience Maturity Assessment (recommends your next framework based on the strongest readiness signal)
  • Private equity investor or M&A team assessing a target → PE Due Diligence (contact for access)
  • SOC team or MSSP assessing operational maturity → SOC Maturity (contact for access)

Framework relationships

Frameworks are not mutually exclusive. A strong Cyber Essentials result significantly overlaps with the ISO 27001 technical controls (Annex A), which in turn covers much of the DORA ICT risk requirements. Achieving CAF Achieved/Partially Achieved across all principles provides strong evidence for NIS2 Article compliance. The Compliance Readiness Assessment cross-maps all four simultaneously.

🔑 Trial & Access

7-day free trial

All new accounts automatically receive a 7-day trial of the Assessment Bundle, giving access to all five core assessments (Compliance Readiness is always free). Trial restrictions:

  • PDF and JSON export are disabled on trial — you can run assessments and view results, but cannot download them.
  • Sharing (generating shareable result links) is also disabled on trial.
  • Phronesis AI analysis is capped at one run per assessment type during the trial (Phronesis chat and per-question guidance are unlimited).

Subscription options

  • Assessment Bundle — Full access to all 5 core assessments, unlimited analysis runs, PDF/JSON export, and sharing. See Pricing.
  • CE One-Shot — Single Cyber Essentials analysis with 30-day read-only access. Useful for one-off assessments.
  • PE Due Diligence / SOC Maturity — Delivered via the Consultancy Partnership Hub. Contact for access and pricing.
  • Demo access — Sales-demo accounts (demo_access claim) get unlimited access to every assessment in the platform including PE Due Diligence and SOC Maturity, with no trial restrictions, no export gate, and no one-shot lifecycle.

Access claims
Access is controlled by Firebase custom claims on your account. After an admin grants access, you may need to sign out and back in (or wait up to 1 hour) for the new permissions to take effect.

Assessment Guides

🔍 Compliance Readiness Assessment (Free)

A 30-question cross-framework health check that simultaneously maps your posture against Cyber Essentials, ISO 27001, NCSC CAF, and DORA. Designed as a starting point — takes 10–15 minutes and requires no login for analysis (anonymous session).

Questions: 30 · Domains: 7 · Access: Always free · Export: Trial+

Domains covered

Governance & Risk, Identity & Access, Network Security, Endpoint Protection, Data Governance, Incident Response, and Supplier & Third-Party Risk. Each question maps to one or more of the four target frameworks.

Output

Phronesis produces a cross-framework readiness matrix showing which framework you're closest to achieving, a prioritised gap list, and a recommended roadmap sequencing your compliance journey.

Anonymous session limit
Anonymous sessions are capped at 3 analysis runs per day to prevent abuse. After 3 runs you'll be prompted to sign in.

🛡️ Cyber Essentials (CE)

Aligned to the NCSC Cyber Essentials v3.3 scheme — the UK government-backed baseline certification covering five technical controls plus an optional supply chain module.

Controls: 6 · Questions: 45+ · Supply chain: Optional · Access: Trial / Bundle / One-Shot

The six controls

  1. Boundary Firewalls & Internet Gateways — Controlling inbound and outbound network traffic.
  2. Secure Configuration — Removing unnecessary accounts, services, and default credentials.
  3. Security Update Management — Patching operating systems, firmware, and third-party software within 14 days of critical releases.
  4. User Access Control — Principle of least privilege, MFA for all internet-facing services and admin accounts.
  5. Malware Protection — Anti-malware, application allow-listing, or sandboxing.
  6. Scope — Defining and documenting the in-scope boundary for certification.

Conditional questions

Some questions only appear based on your earlier answers (e.g. if you confirm cloud services are in scope, cloud-specific questions become visible). Answers to hidden questions are automatically cleared to avoid stale scoring.

Supply chain module

An optional 7th section lets you assess each vendor individually across 8 weighted questions. Vendor risk is scored 0–100 and adjusted by access level (system, network, data, physical, cloud, limited). Vendors scoring below 40 are flagged as high risk.

🏛️ NCSC Cyber Assessment Framework (CAF)

The NCSC CAF is the assurance framework for Operators of Essential Services (OES) and relevant digital service providers under NIS Regulations. The assessment covers all 14 principles across four objectives.

Principles: 14 · Questions: 83 · Objectives: 4 · Access: Trial / Bundle

Scoring

Each question uses a four-point scale: Achieved (100), Partially Achieved (50), Not Achieved (0), N/A (excluded from averages). A principle is considered achieved at ≥70 %, partially achieved at 40–69 %, not achieved below 40 %.

NIS2 cross-mapping

CAF scores are used in the Unified Compliance Dashboard to derive NIS2 Article coverage scores. If you complete both CAF and DORA, the dashboard generates a full NIS2 gap analysis by averaging mapped principle scores for each of the 15 NIS2 Articles (EU 2022/2555).

NHS DSPT mode

If you set your sector to Health & Social Care, an NHS DSPT Mode bar appears. Enabling it adds Objective E — Using & Sharing Information Appropriately: the 8 NHS Information Governance outcomes (privacy & transparency, data subject rights, consent, the national data opt-out, information sharing for direct and secondary care, records management, and clinical coding) that the NHS CAF-aligned Data Security and Protection Toolkit layers on top of the standard 39 CAF outcomes — a full 47-outcome assessment.

Tell the tool your organisation type (NHS Trust, ICB, GP practice, supplier, or other) and it tailors the experience: ICBs don't perform clinical coding, so that question is hidden and scored N/A automatically, and the independent-assessment expectation is set correctly per type (Trusts and ICBs typically require an independent audit before publication; designated suppliers face a mandatory DSPT audit; GP practices and others follow a self-assessment route).

Your results gain a DSPT Readiness card showing your CAF score, your Objective E score, and a combined DSPT readiness percentage with a plain-English status — On track for Standards Met (≥70 %), Approaching Standards (50–69 %), or Not yet meeting Standards (<50 %). Any outcome rated "Not Achieved" is flagged as a DSPT-blocking risk, and a second radar chart maps all eight Objective E outcomes beside your 14 CAF principles. Phronesis analysis, per-question guidance, and the chat panel all become DSPT-aware, referencing NHS outcome codes (E1.a–E4.b), UK GDPR articles, and the Caldicott Principles. DSPT mode is opt-in and doesn't affect standard CAF assessments.

DORA

The Digital Operational Resilience Act (EU 2022/2554) applies to EU-regulated financial entities from January 2025. The assessment maps to Articles 5–45 across five pillars.

Pillars: 5 · Questions: 49 · Entity type: Selector · Access: Trial / Bundle

The five pillars

  1. ICT Risk Management (Arts. 5–16) — Governance framework, risk identification, protection, detection, response, recovery.
  2. ICT Incident Management (Arts. 17–23) — Classification, reporting, post-incident review.
  3. Digital Operational Resilience Testing (Arts. 24–27) — Including Threat-Led Penetration Testing (TLPT) for significant entities.
  4. ICT Third-Party Risk (Arts. 28–44) — Provider registers, contractual requirements, concentration risk.
  5. Information Sharing (Art. 45) — Participation in cyber threat intelligence communities.

Entity type selector

Selecting your entity type (credit institution, investment firm, insurance, payment institution, crypto-asset service provider, CSD, fund manager, or ICT third-party provider) tailors the Phronesis guidance to the applicable regulatory Technical Standards and proportionality provisions.

📋 ISO 27001:2022 (ISO)

An ISMS assessment aligned to the 2022 revision of ISO/IEC 27001, covering both the mandatory management system clauses (4–10) and the Annex A control catalogue.

Sections: 8 · Questions: 58 · Standard: ISO/IEC 27001:2022 · Access: Trial / Bundle

Sections

Clause 4 (Context), Clause 5 (Leadership), Clause 6 (Planning), Clause 7 (Support), Clause 8 (Operation), Clause 9 (Performance Evaluation), Clause 10 (Improvement), and Annex A technical controls. The Annex A section maps to the 93 controls reorganised across 4 themes in the 2022 revision (Organisational, People, Physical, Technological).

Tip
ISO 27001 certification requires an external audit by an accredited certification body. This assessment identifies gaps and readiness level — it does not constitute certification.

🤖 AI Governance (AI)

An AI governance readiness assessment aligned to the EU AI Act (Regulation 2024/1689), ISO/IEC 42001:2023, and NIST AI RMF across six domains.

Domains: 6 · Questions (full): 42 · Questions (deployer): 33 · Access: Trial / Bundle

Organisation type

A modal on first use asks whether your organisation is an AI Deployer/Consumer, AI Builder/Provider, or Both. Deployer-only organisations see 33 questions — 9 builder-specific questions about training data, model development, and AI security are auto-scored N/A. An inline toggle lets you change this at any time during the assessment.

The six domains

  1. AI Strategy & Governance
  2. Risk Management
  3. Data Governance
  4. Transparency & Fairness
  5. AI Security & Robustness
  6. Lifecycle & Accountability

🎯 Cyber Resilience Maturity Assessment (CRMA)

A broad-based cyber maturity assessment aligned to the IASME Governance maturity model. Designed as a paid alternative to the free Compliance Readiness check — deeper coverage (70 questions across 14 themes), maturity-tier scoring, and an automatic recommendation of which certification framework you are closest to achieving.

Themes: 14 · Questions (med/large): 70 · Questions (micro/small): 46 · Access: Trial / Bundle

Organisation size

A modal on first use asks whether your organisation is micro/small (under 50 staff), medium (50–249), or large/enterprise (250+). Micro/small organisations see 46 questions — 24 enterprise-only questions (board reporting, dedicated SOC, formal pen-testing programmes, etc.) are hidden and auto-scored N/A. An inline toggle lets you change this at any time.

The 14 themes

  1. Governance
  2. Risk Management
  3. Asset Management
  4. Identity & Access Management
  5. Data Protection
  6. Network Security
  7. Endpoint Security
  8. Vulnerability Management
  9. Incident Response
  10. Business Continuity & Disaster Recovery
  11. Supply Chain
  12. Awareness & Training
  13. Secure Development
  14. Compliance

Maturity scoring

Each answer scores against the IASME maturity scale: Verified = 100, Partially Verified = 50, Not Verified = 0, N/A = excluded from averages. Theme scores roll up to an overall maturity tier:

  • Advanced — 75 % or above
  • Established — 50–74 %
  • Developing — 25–49 %
  • Foundation — under 25 %
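The CAF principle statuses (Scoring, above) and the CRMA maturity tiers both rest on the same rule: average the 100/50/0 answers in a group, leave N/A out of the average, then band the result. The helper below is an added illustration of that rule, not the platform's own code. Scale values and thresholds are taken from this guide; the function names, the sample answers and the equal-weight roll-up of group scores into an overall score are assumptions made for the example.

```python
from __future__ import annotations

# Answer scales as described in the guide. None stands for N/A, which is
# excluded from averages rather than counted as zero.
CAF_SCALE = {"Achieved": 100, "Partially Achieved": 50, "Not Achieved": 0, "N/A": None}
IASME_SCALE = {"Verified": 100, "Partially Verified": 50, "Not Verified": 0, "N/A": None}


def score_group(answers: list[str], scale: dict[str, int | None]) -> float | None:
    """Average one principle/theme, excluding N/A answers.

    Returns None when every answer is N/A (e.g. a hidden or not-applicable
    question set): there is nothing to average, and returning 0 instead would
    wrongly mark the group 'Not Achieved' and drag the roll-up down.
    """
    # An unknown label raises KeyError on purpose: silently scoring it would corrupt the result.
    numeric = [scale[a] for a in answers if scale[a] is not None]
    return sum(numeric) / len(numeric) if numeric else None


def caf_status(score: float | None) -> str:
    """CAF principle status: >=70 Achieved, 40-69 Partially Achieved, <40 Not Achieved."""
    if score is None:
        return "N/A"
    if score >= 70:
        return "Achieved"
    if score >= 40:
        return "Partially Achieved"
    return "Not Achieved"


def crma_tier(score: float | None) -> str:
    """CRMA maturity tier: >=75 Advanced, 50-74 Established, 25-49 Developing, <25 Foundation."""
    if score is None:
        return "N/A"
    if score >= 75:
        return "Advanced"
    if score >= 50:
        return "Established"
    if score >= 25:
        return "Developing"
    return "Foundation"


def roll_up(groups: dict[str, list[str]], scale: dict[str, int | None]):
    """Score every group, then take the equal-weight mean of the scored groups.

    The guide only says theme scores 'roll up'; equal weighting of groups is an
    assumption for this example. Groups that are entirely N/A are left out.
    """
    per_group = {name: score_group(answers, scale) for name, answers in groups.items()}
    scored = [s for s in per_group.values() if s is not None]
    overall = sum(scored) / len(scored) if scored else None
    return per_group, overall


# Constructed sample answers (not real assessment data).
CAF_SAMPLE = {
    "A1 Governance": ["Achieved", "Achieved", "Partially Achieved"],
    "B2 Identity and access control": ["Partially Achieved", "Not Achieved", "N/A"],
    "D1 Response and recovery planning": ["N/A", "N/A"],  # all-N/A edge case
}
CRMA_SAMPLE = {
    "Governance": ["Verified", "Verified", "Partially Verified", "Verified"],
    "Endpoint Security": ["Partially Verified", "Not Verified"],
}


def caf_report(groups: dict[str, list[str]] = CAF_SAMPLE):
    """Per-principle (score, status) plus the overall CAF average."""
    per_group, overall = roll_up(groups, CAF_SCALE)
    return {name: (score, caf_status(score)) for name, score in per_group.items()}, overall


def crma_report(groups: dict[str, list[str]] = CRMA_SAMPLE):
    """Per-theme (score, tier), the overall score, and the overall maturity tier."""
    per_group, overall = roll_up(groups, IASME_SCALE)
    themes = {name: (score, crma_tier(score)) for name, score in per_group.items()}
    return themes, overall, crma_tier(overall)


if __name__ == "__main__":
    principles, caf_overall = caf_report()
    for name, (score, status) in principles.items():
        print(f"CAF {name}: {score} -> {status}")
    print(f"CAF overall: {caf_overall:.2f}")
    themes, crma_overall, tier = crma_report()
    for name, (score, theme_tier) in themes.items():
        print(f"CRMA {name}: {score} -> {theme_tier}")
    print(f"CRMA overall: {crma_overall:.2f} -> {tier}")
```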

Framework readiness derivation

The Phronesis analysis applies a weighted mapping across your theme scores to estimate readiness against five target frameworks: Cyber Essentials, NCSC CAF, DORA, ISO 27001, and AI Governance. The framework with the strongest readiness signal is flagged as Recommended, with a direct link to start that assessment. AI Governance readiness is capped at 65 % because CRMA does not include AI-specific domains.

Output

Results include: an overall maturity tier badge, a 14-axis radar chart with grid rings at 25/50/75/100 % and a dashed red threshold polygon at 50 %, per-theme score bars colour-coded by tier, critical gaps (max 3), warnings (max 3), strengths (max 3), a 90-day roadmap with 4 milestones across 12 weeks, framework readiness cards with progress bars, a Phronesis summary, practitioner analysis notes derived from your evidence, and PDF/JSON/share export.

Supporting evidence

Every question has an optional evidence text field. Evidence text is included in the Phronesis payload and synthesised into a practitionerAnalysis[] section in the JSON response — useful for audit-ready documentation and for justifying maturity scores during certification preparation.

MSP / multi-tenant support

The CRMA can be run on behalf of a client from the MSP / vCISO Portal — assessment state is scoped per client (the localStorage key becomes crma_assessment_v1__msp_<clientId>) and scores are persisted to the MSP client record rather than the operator's personal account.

When to choose CRMA over Compliance Readiness
Use the free Compliance Readiness Assessment for a quick (10–15 min) sense check. Use CRMA when you want a deeper baseline, evidence capture, a 90-day improvement plan, and an explicit framework recommendation backed by IASME-aligned scoring.

💼 PE Cyber Due Diligence (Restricted)

Access required
This assessment requires either the pedd_access custom claim (granted after offline payment via the Consultancy Partnership Hub), platform admin, or demo_access for sales-demo accounts. Demo accounts bypass the one-shot lifecycle and have unlimited re-runs.

A cyber risk assessment framework for private equity investors evaluating target companies, aligned to the IASME Governance maturity model. 14 themes, 70 questions, with enterprise-only questions filtered for micro/small targets.

Themes: 14 · Questions (enterprise): 70 · Questions (micro/small): 46 · Output: IASME tier + RAG rating

Scoring

IASME tier scoring: Verified = 100, Partially Verified = 50, Not Verified = 0, N/A = excluded. Results include an IASME Tier badge (1–4), a RAG Deal Risk Rating (Red/Amber/Green), a 100-day remediation plan, and an estimated remediation cost band.

One-shot lifecycle

After analysis completes, the assessment locks. Results remain available in read-only mode for 30 days (PDF/JSON export available). After 30 days an expired overlay appears with a re-purchase option.

📡 SOC Maturity & AI Readiness (Restricted)

Access required
This assessment requires either the soc_access custom claim (granted after offline payment via the Consultancy Partnership Hub), platform admin, or demo_access for sales-demo accounts. Demo accounts bypass the one-shot lifecycle and have unlimited re-runs.

A SOC capability and AI readiness assessment across 7 domains and 70 questions. Enterprise-only questions are hidden for Small/Mid-size SOC and MSSP configurations.

Domains

  1. Detection & Response
  2. Threat Intelligence
  3. Vulnerability Management
  4. Identity & Access
  5. Data Protection
  6. Incident Management
  7. AI & Automation Readiness

SOC type

Select Enterprise, Small/Mid-size, or MSSP on the welcome modal. Enterprise-only questions (board reporting, SIEM, SOC-specific tooling, etc.) are hidden for non-enterprise types. The inline toggle lets you switch type at any time — hidden question answers are auto-cleared.

Practitioner evidence

Every question has an optional evidence text field. Evidence text is included in the Phronesis payload and contributes to a practitionerAnalysis[] section in the JSON response — useful for creating audit-ready documentation.

Features

📊 My Hub

The central hub for your compliance posture. Sign in and navigate to My Hub to see all completed assessments, in-progress drafts, peer benchmarks, and your Compliance Passport.

Framework coverage radar

A 6-axis SVG radar showing your latest scores across all frameworks you have access to. Hidden when fewer than 3 frameworks are visible or none are completed. Axes are coloured per framework; a dashed red outline marks the 70 % compliance threshold.

Peer benchmark ribbon

Compares your scores against anonymised sector peers. Set your industry sector in the Dashboard Settings panel to unlock benchmarking. Chips are colour-coded: Top quartile (teal), Above median (green), 25–50th percentile (amber), Below 25th (red). Benchmarks build as more organisations in your sector contribute data (minimum 10 organisations per segment).

Compliance Passport

A printable one-page compliance summary. Click the Compliance Passport button in the Framework Coverage section. The passport includes your organisation name, sector, issue date, a framework scores table with RAG ratings and sector positions, and a plain-English summary. Print or Save as PDF from your browser.

Remediation summary

Shows per-framework completion progress for your Phronesis-generated action items. Links to the relevant assessment to continue working through items. When all items across all frameworks are complete, a green completion panel replaces the chips.

Security Tool Integrations

The Security Tool Integrations section on My Hub (and on each client detail view in the MSP Portal) shows connected security tools whose live data surfaces as hints inside assessment questions. Currently available: Microsoft Entra ID (MFA coverage, Conditional Access, device compliance, Secure Score), Okta Identity Engine (MFA enrolment + policy, password policy, group membership, lifecycle), CrowdStrike Falcon (sensor coverage, prevention policies, Spotlight vulnerabilities, detections, incidents), and Google Workspace (2-Step Verification coverage, account lifecycle, Chromebook + mobile MDM). Further integrations on the roadmap: Qualys, Tenable, Splunk, SentinelOne.

Private Frameworks

If your organisation has been granted access to one or more bespoke assessment frameworks (e.g. a sector-specific or confidential compliance programme), a Private Frameworks section appears at the bottom of the Status tab. Each card links directly to the relevant assessment page. Access is controlled via the custom_frameworks claim — contact your administrator to request access to a specific framework.

🧠 Phronesis AI

Phronesis is the AI analysis layer built into every assessment. It runs via a secure server-side Cloud Function that adds authentication, rate limiting, and prompt engineering — your data is never sent directly to any external AI service from the browser.

Three modes

  • Analysis — Full assessment report: scores, critical gaps, strengths, next steps, timeline, and action items. Triggered by the main "Analyse with Phronesis" button. Capped at 1 run per assessment type on free trial.
  • Guidance — Per-question help explaining what the question is really asking, what good evidence looks like, and common pitfalls. Available during the assessment; not subject to the trial cap.
  • Chat — Conversational follow-up after analysis. Ask Phronesis to explain specific gaps, suggest remediation approaches, or compare frameworks. Not capped on trial; individual messages are limited to 2,000 characters.

Rate limits

Authenticated users: 20 API requests per minute. Anonymous users (Compliance Readiness only): 3 analysis runs per day. These limits are enforced server-side and cannot be bypassed.

Privacy note
Only scores and labels are sent to the server for structured analysis — full question text and your free-text responses do not leave the browser for the structured analysis mode. Chat and guidance modes send only the specific question or message you submit.

📎 Evidence Vault

Attach supporting evidence files to individual assessment questions. The Evidence Vault is available on CAF, DORA, ISO 27001, AI Governance, and PE Due Diligence assessments. Requires Assessment Bundle, PE DD access, or SOC access.

How to upload

A paperclip icon appears on each question. Click it to select a file — the upload uses a signed GCS resumable URL, so large files transfer directly to Google Cloud Storage without going through Cloud Functions. Once confirmed, a chip appears below the question showing the file name.

Storage quota

500 MB per account across all assessments. The Dashboard shows your current usage in the Evidence Vault section. Files are stored per-user and per-question; deleting a chip removes the file from storage and reclaims the quota.

Supported formats

Any file type is accepted. Common evidence types: PDF policy documents, Excel risk registers, Word procedure documents, screenshots, network diagrams, and penetration testing reports.

Importing from SharePoint

If your organisation's Microsoft 365 / Entra integration is connected, a SharePoint button appears beside the paperclip on each question. Click it to open the SharePoint file browser, navigate your connected libraries, and attach a file directly from SharePoint — no download required. The file is copied to the Evidence Vault and counts against your 500 MB quota in the same way as a local upload. Supported file types mirror the standard Vault list (PDF, Word, Excel, PowerPoint, images, text, CSV, JSON). See Integrations for how to connect Microsoft 365.

Remediation Tracker

After a Phronesis analysis, action items are automatically created in the Remediation Tracker — a collapsible panel at the top of each assessment page and summarised on My Hub.

Supported assessments

The tracker is wired on all 8 assessments: Cyber Essentials, NCSC CAF, DORA, ISO 27001, AI Governance, PE Due Diligence, SOC Maturity, and Cyber Resilience Maturity (CRMA).

Action item properties

  • Urgency — Critical, High, or Medium. Items are sorted by urgency.
  • Effort estimate — Time estimate provided by Phronesis (Quick win / 1 day / 1 week / 1 month+).
  • Owner — Free-text assignee field (e.g. "IT Lead", a colleague's name).
  • Due date — Optional target completion date.
  • Status — Tick to complete; progress bar shows X of N done.

Standalone tracker page

The My Hub "Continue →" links open remediation.html?type=<framework> — a dedicated page showing only the tracker for that framework, without loading the full assessment. This is the preferred entry point when you want to review or update action items without re-running the assessment.

For MSP practitioners, each framework row in the MSP Portal's remediation widget has a "Continue →" link that opens the tracker scoped to that client and framework directly. A "View full tracker →" link at the bottom of the widget opens all frameworks for the client in one view. When opened in MSP context, the page shows a teal 🏢 MSP Client: <name> chip so you can confirm you are viewing a client's actions, not your own.

Share a read-only link

From the standalone tracker page, click Share read-only link to generate a public URL (no login required) showing all action items, urgency, effort, due dates, owner, and status. Options:

  • Expiry — 7, 30, or 90 days, or no expiry.
  • Anonymise owners — replaces all assignee names with "[assigned]" before snapshotting. Recommended when sharing with external parties (auditors, board).

The shared viewer (shared-remediation.html?token=…) is a static read-only page with a "Print / Save as PDF" button. Tick, edit, and delete controls are not available to viewers.

Behaviour

Re-running analysis on the same assessment replaces existing action items — there is no duplication. The tracker collapse state is persisted per assessment type. When all items are ticked, a green "all done" banner appears in-session (and on My Hub).

Team and MSP scoping

For Team Tenant subscribers, action items are shared across all team members automatically — any teammate can tick, edit, or assign items. Members with the Viewer role can see but not modify items. For MSP users, each client's action items are isolated under their client namespace.

Requires
Remediation Tracker requires Assessment Bundle, admin, or demo access. Action items sync to Firestore and are visible across devices. The share feature is available to the same access tiers.

☁️ Collaborative Drafts

In-progress assessments are saved to the cloud automatically so you can pick up where you left off on a different device, and — for Team Tenant subscribers — share an in-progress assessment with teammates.

Cross-device sync

While you work through an assessment, your answers are saved locally first and synced to the cloud when you hide the tab, navigate away, or every 30 seconds (whichever comes first). When you open the same assessment on another device, a teal banner appears at the top of the page:

☁ Progress from another device found — 26% complete, saved 4 minutes ago. Load it? [Load progress] [Dismiss]

Choosing Load progress replaces your local state with the cloud version and reloads the page. Dismiss keeps your current local state untouched.

Team sharing (Team Tenants only)

If your account is part of a Team Tenant (owner + members), draft assessments are scoped to the tenant rather than to a single user. Anyone in the tenant can open the same in-progress CRMA, CAF, DORA, ISO 27001, AI Governance, or Compliance Readiness assessment and continue editing.

  • CE, PE Due Diligence and SOC Maturity are always personal (user-scoped) regardless of tenant membership — these are typically single-author assessments.
  • Trial users do not get tenant sharing. Upgrade to the Assessment Bundle (or join a tenant) to enable it.

"Last saved by" and live presence

On My Hub, each in-progress card shows the last person who edited it:

  • Last saved by [Name] — appears under the progress bar when no-one currently has the assessment open.
  • 🔒 Being edited by [Name] — amber chip that appears when a teammate has the assessment open right now (presence pings every 60 s; the chip clears within 2 minutes of them closing the tab).

Tenant owners, tenant admins, and platform admins also see a Take over button on locked cards — clicking it clears the active presence so they can open the assessment without conflict (useful if a teammate has left a tab open and won't be returning).

Conflict resolution

If two teammates save changes to the same assessment at the same time, the second save will trigger an amber banner:

[Teammate] saved newer changes 2 minutes ago. Load their version, or overwrite? [Load newer] [Overwrite]

Load newer pulls in their changes and discards yours; Overwrite retains yours and discards theirs. The dashboard's presence indicator is designed to prevent this by warning you before you start editing — the banner is a safety net for the rare case it happens anyway.

Retention
Cloud drafts are retained for 30 days from the last save. After a successful Phronesis analysis the retention drops to 7 days (you can always re-run from your completed score on My Hub).

🔗 Sharing Results

Generate a tokenised read-only link to share your assessment results with stakeholders, auditors, or clients — no account required to view the shared page.

Creating a share link

Click the Share button in the results panel of any assessment (CE, CAF, DORA, ISO 27001, AI Governance, PE Due Diligence). Set an optional title and pick expiry: 7, 30, or 90 days, or no expiry (30 days is pre-selected). Copy the generated link and share it.

What the recipient sees

The shared page (shared-result.html) shows score overview, section bars, critical issues, strengths, next steps, and the Phronesis summary. It includes a "Save as PDF" button. No login is required.

Expiry and revocation

Expired or revoked tokens return HTTP 410 to recipients. You cannot revoke a link from the UI directly — if needed, contact support. Sharing is not available during the free trial.

⬇️ PDF, JSON & PPTX Export

PDF export

Available on all assessments. Click Save as PDF in the results panel. You'll be prompted to enter your organisation/company name; this is added to the report header. The browser's native print dialogue opens — choose "Save as PDF" as the destination.

The PDF includes scores, radar chart, critical gaps, remediation steps, and the Phronesis AI narrative. The nav bar and browser chrome are automatically hidden before printing.

PowerPoint export (PPTX)

Available on all 8 assessments after a Phronesis analysis. Click 💾 Export PPTX in the results panel to download a branded slide deck generated entirely in the browser — no server round-trip required.

Each deck contains a cover slide, executive summary (score badge, stat chips, and the AI summary), a radar chart (for frameworks with ≤8 sections), per-section score bars coloured green/amber/red, critical issues, strengths, next steps, and a 90-day roadmap slide (CRMA only). The deck is ready to drop into a board report or client presentation and can be edited in PowerPoint or Google Slides.

JSON export

Available on CAF, DORA, ISO 27001, AI Governance, PE Due Diligence, and SOC Maturity. The exported JSON contains your raw responses, calculated scores per section, and the full Phronesis analysis result — useful for feeding into GRC tools or for records retention.

Trial restriction
PDF, PPTX, and JSON export are disabled during the 7-day free trial. Upgrade to Assessment Bundle or CE One-Shot to enable export.

📋 Policy Coverage Checker

The Policy Coverage Checker analyses whether your existing security policies adequately cover the controls where your assessment score is below 70%. It appears inside the CE and ISO 27001 results panels after a Phronesis analysis completes, and uses a short structured questionnaire (no document upload required) to assess coverage without sensitive policy content ever leaving your organisation.

How it works

  1. Run a Phronesis analysis on a CE or ISO 27001 assessment.
  2. A Check Policy Coverage → button appears in the results panel for any control or section scoring below 70%.
  3. A slide-in panel shows 2–3 targeted questions per weak control: does a relevant policy exist, how specifically does it address the control, and is there supporting evidence?
  4. Answers are sent to Phronesis (structured data only — no document content), which returns a per-control coverage verdict and a prioritised action list.
  5. Suggested policy templates are shown with a Generate → deep-link that opens the Policy Generator pre-scrolled to the relevant template.

Coverage verdicts

  • Covered — a specific, relevant policy exists and there is evidence of implementation
  • Partially covered — a policy exists but it is generic, outdated, or lacks evidence of enforcement
  • Not covered — no relevant policy exists or it is missing for this control area
Supported assessment types
Currently available on Cyber Essentials (all 5 controls: Firewalls, Secure Configuration, Security Updates, Access Control, Malware Protection) and ISO 27001 (all 8 sections: Clauses 4–7, 8–10, and Annex A groups). CAF, DORA, and AI Governance support can be added without endpoint or schema changes.
Subscription required
Policy Coverage Checker requires Assessment Bundle, admin, or demo access. It uses the mode: 'guidance' path and counts against the existing Phronesis guidance cap (trial: 20 total turns; Assessment Bundle: 100/day). No document upload is used — only your structured answers are sent to Phronesis.

📦Audit Pack

The Audit Pack generates a certifier-ready ZIP bundle containing your assessment data and evidence files. Designed for external auditors, certification bodies, and procurement partners who need a structured, verifiable evidence set rather than a PDF screenshot.

What's in the ZIP

  • README.txt — pack metadata, generation timestamp, organisation name, and a summary of included files
  • assessment-data.json — your full assessment snapshot: overall score, section scores, critical issues, strengths, next steps, and Phronesis summary
  • assessment-report.html — a self-contained HTML report with inline styles and a SHA-256 integrity hash of the JSON file for tamper detection
  • evidence/{questionId}/{fileName} — all evidence files attached to the assessment, downloaded via 1-hour signed URLs at generation time

Generating an Audit Pack

  1. Complete your assessment and run a Phronesis analysis so a score snapshot is saved to your account.
  2. Upload evidence files via the paperclip buttons on individual questions (Evidence Vault must be enabled).
  3. Click 📦 Audit Pack in the results export bar.
  4. A progress modal appears while the pack is assembled. The ZIP downloads automatically when ready.
Supported assessment types
Audit Pack is available on all 8 assessment types: CE, CAF, DORA, ISO 27001, AI Governance, CRMA, SOC Maturity, and PE Due Diligence. Evidence files are only included for types with Evidence Vault support (CAF, DORA, ISO 27001, AI Governance, PE Due Diligence). Other types return files: [].
Subscription required
Audit Pack is gated behind the Assessment Bundle subscription (or admin / demo access). Signed URLs expire 1 hour after generation, so download the ZIP promptly.
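An auditor receiving a pack can check the tamper-detection hash without the platform. The following is an added Python example, not SCH code: it follows the ZIP layout above, but because the page does not say how the hash is embedded in assessment-report.html it locates the first 64-hex-character string (an assumption), and the sample pack is constructed.

```python
"""Verify the SHA-256 integrity hash inside an SCH Audit Pack ZIP.

Added example, not SCH code. The pack layout (README.txt, assessment-data.json,
assessment-report.html, evidence/{questionId}/{fileName}) follows the page; the
page does not say how the hash is embedded in the HTML, so it is located as the
first 64-hex-character string (an assumption), and the sample pack is constructed.
"""
import hashlib
import io
import json
import re
import zipfile

HEX_SHA256 = re.compile(r"\b[0-9a-fA-F]{64}\b")
REQUIRED = ("README.txt", "assessment-data.json", "assessment-report.html")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_sample_pack(tamper: bool = False) -> bytes:
    """Construct a minimal pack in memory; tamper=True edits the JSON after the
    report (and its hash) were generated, as someone altering a score would."""
    snapshot = {
        "assessmentType": "ISO 27001",
        "overallScore": 72,
        "sectionScores": {"Clauses 4-7": 80, "Annex A": 64},
        "criticalIssues": ["AA4_4 malware protection lacks evidence"],
    }
    json_bytes = json.dumps(snapshot, indent=2).encode()
    report = (
        "<html><body><h1>Assessment report</h1>"
        f"<p>assessment-data.json SHA-256: {sha256_hex(json_bytes)}</p>"
        "</body></html>"
    ).encode()
    if tamper:
        snapshot["overallScore"] = 95
        json_bytes = json.dumps(snapshot, indent=2).encode()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("README.txt", "Audit Pack (constructed sample)\nOrganisation: Example Ltd\n")
        zf.writestr("assessment-data.json", json_bytes)
        zf.writestr("assessment-report.html", report)
        zf.writestr("evidence/AA4_4/av-policy.pdf", b"%PDF-1.4 constructed placeholder")
    return buf.getvalue()


def verify_pack(zip_bytes: bytes) -> dict:
    """Recompute the JSON hash and compare it with the one embedded in the report."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
        missing = [n for n in REQUIRED if n not in names]
        if missing:
            return {"ok": False, "reason": f"missing {', '.join(missing)}"}
        json_bytes = zf.read("assessment-data.json")
        report = zf.read("assessment-report.html").decode("utf-8", "replace")
        evidence = sorted(n for n in names if n.startswith("evidence/") and not n.endswith("/"))
    match = HEX_SHA256.search(report)
    if not match:
        return {"ok": False, "reason": "no SHA-256 found in assessment-report.html"}
    expected, actual = match.group(0).lower(), sha256_hex(json_bytes)
    return {
        "ok": expected == actual,
        "reason": None if expected == actual else "assessment-data.json does not match report hash",
        "expected": expected,
        "actual": actual,
        "evidence_files": evidence,
    }
```

The hash binds assessment-data.json to the report that shipped with it, not the pack as a whole; to rule out substitution of the entire bundle, compare the hash with the snapshot held in the organisation's SCH account or a value obtained from them directly.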

🏢Trust Centre

Your Trust Centre is a permanent, publicly accessible security posture page at a unique URL. Share it with clients, partners, and procurement teams so they can verify your compliance posture without requesting a report or signing an NDA.

What it shows

  • Framework score cards for any assessment types you choose to publish, with section bars and RAG ratings
  • A SOC 2 Readiness chip derived from your CE and ISO 27001 scores (shown when both are present)
  • Microsoft Entra ID signals: MFA coverage rate, Conditional Access status, device compliance rate, and Secure Score (requires Entra integration)
  • Active certifications and accreditations you list manually (up to 10 per organisation)
  • An embeddable trust badge SVG you can add to your website or email footer

Setting up your Trust Centre

  1. Go to My Hub and scroll to the "Your Trust Centre" panel.
  2. Toggle visibility to Public and select which framework scores to publish.
  3. Add certifications, an optional headline, and configure Entra signal display.
  4. Click Save. A unique slug is generated on first save and your public URL is shown.
  5. Share the URL or copy the badge snippet to embed on your website.
Regenerating your slug
If you need to invalidate the existing public URL (e.g. after an org name change or ownership transfer), click Regenerate Link in the Trust Centre panel. A new slug is created immediately and the old URL stops working.

📈Sector Benchmarking

After each completed analysis, your overall and section scores are anonymously contributed to a sector benchmark dataset. Once 10+ organisations in your sector have contributed, you'll see a "How You Compare" block in the results.

How scores are collected

Your contribution is keyed by a SHA-256 hash of your user ID rather than the ID itself, so your identity is never linked to the benchmark data. You can opt out at any time in Dashboard Settings.

What the benchmark shows

  • Your score vs. sector median and mean
  • A percentile badge (Top quartile / 50–75th / 25–50th / Bottom quartile)
  • A colour-coded distribution bar (p25 → median → p75)
  • Dual bars for each section: your score vs. sector mean

Benchmarks are aggregated every 6 hours by a scheduled Cloud Function. Sector categories are standardised — see Dashboard Settings to ensure your sector is correctly set.
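The collection and comparison steps above, as an added Python example (not SCH code): contributions are keyed by a SHA-256 hash of the user ID and the "How You Compare" block is withheld until ten organisations have contributed, as the page states; the percentile method, sector name and sample scores are assumptions.

```python
"""Compute the "How You Compare" block from anonymised sector contributions.

Added example, not SCH code. The hashed-UID key, the 10-contributor minimum and
the statistics shown (median, mean, p25/p75, quartile badge, per-section means)
follow the page; the percentile method and the sample data are assumptions.
"""
import hashlib
import statistics
from typing import Optional

MIN_CONTRIBUTORS = 10


def benchmark_key(user_id: str) -> str:
    """Document key: SHA-256 of the user ID, never the ID itself."""
    return hashlib.sha256(user_id.encode()).hexdigest()


def contribute(store: dict, sector: str, user_id: str, overall: float, sections: dict) -> None:
    """Store the latest scores under the hashed key (a re-run replaces the prior entry)."""
    store.setdefault(sector, {})[benchmark_key(user_id)] = {
        "overall": overall, "sections": dict(sections)}


def percentile(values, p: float) -> float:
    """Linear-interpolation percentile over a sorted copy (assumed method)."""
    s = sorted(values)
    if len(s) == 1:
        return s[0]
    pos = (len(s) - 1) * p
    lo, hi = int(pos), min(int(pos) + 1, len(s) - 1)
    return s[lo] + (s[hi] - s[lo]) * (pos - lo)


def quartile_badge(score: float, p25: float, median: float, p75: float) -> str:
    if score >= p75:
        return "Top quartile"
    if score >= median:
        return "50-75th"
    if score >= p25:
        return "25-50th"
    return "Bottom quartile"


def compare(store: dict, sector: str, user_id: str) -> Optional[dict]:
    """Return the comparison block, or None until 10+ organisations have contributed."""
    entries = store.get(sector, {})
    if len(entries) < MIN_CONTRIBUTORS:
        return None
    mine = entries.get(benchmark_key(user_id))
    if mine is None:
        return None
    overall = [e["overall"] for e in entries.values()]
    p25, med, p75 = (percentile(overall, q) for q in (0.25, 0.5, 0.75))
    sections = {}
    for name, yours in mine["sections"].items():
        vals = [e["sections"][name] for e in entries.values() if name in e["sections"]]
        sections[name] = {"yours": yours, "sector_mean": round(statistics.fmean(vals), 1)}
    return {
        "yours": mine["overall"],
        "median": med,
        "mean": round(statistics.fmean(overall), 1),
        "p25": p25,
        "p75": p75,
        "badge": quartile_badge(mine["overall"], p25, med, p75),
        "sections": sections,
    }


def sample_store() -> dict:
    """Constructed 'finance' sector with exactly ten contributors (the display minimum)."""
    store = {}
    for i in range(10):
        contribute(store, "finance", f"user-{i}", 40 + 5 * i, {"Access Control": 30 + 6 * i})
    return store
```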

🔗Supply Chain Risk Manager

A supplier security questionnaire distribution and portfolio risk tracking system. Requires the supply_chain_access custom claim. Supports up to 200 suppliers. Custom questions (up to 100 authored, 100 per send) are included for all subscribers.

Core flow

  1. Add a supplier to your portfolio and send them a secure questionnaire link (no account required for the supplier).
  2. The supplier completes 8 domains of security questions. Optional per-question comments are included in your analysis.
  3. Trigger a Risk Purview scan against the supplier's domain — external verification signals covering DNS health, TLS certificate validity, open ports, breach history, and company registration are gathered and analysed.
  4. The platform detects contradictions between self-reported questionnaire answers and externally observed signals (e.g. "claimed MFA everywhere" vs exposed RDP on port 3389).
  5. A monthly automated re-scan diffs against the previous result and raises alerts for new signals, severity escalations, or score drops.

Risk scoring

Questionnaire risk: weighted radio answers (Achieved / Partial / Not Achieved / N/A) scored server-side. Risk Purview score: composite 0–100 across all probe signals. Levels: Strong / Moderate / Weak / Critical.

Questionnaire Library

Click the Custom Questions toolbar button to open the Questionnaire Library panel. The panel shows the 28 canonical questions (read-only, grouped by domain) alongside your authored custom questions. You can add, edit, and delete custom questions from the library, or import a batch via CSV (text,help,domain,weight columns — the importer validates each row before committing).

Custom questions

All subscribers can author up to 100 bespoke questions (weighted 1–3, same 4-option scale) and append up to 100 per send. Custom questions genuinely affect the risk score — they're not informational-only. A canonical-only benchmarkScore is computed separately so sector benchmarking remains comparable across organisations.
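The scoring described under Risk scoring and Custom questions, together with the contradiction check from step 4 of the core flow, as one added Python example (not SCH code). The four answer options, the 1–3 custom weights, the canonical-only benchmarkScore and the four Risk Purview levels come from the page; the option values, N/A handling, level thresholds, question IDs and contradiction rules are assumptions.

```python
"""Score a supplier questionnaire (canonical + custom questions) and flag
contradictions between self-reported answers and external Risk Purview signals.

Added example, not SCH code. The page gives the four answer options, the 1-3
weights for custom questions, the canonical-only benchmarkScore and the
Strong/Moderate/Weak/Critical levels; the option values, N/A handling, level
thresholds, question IDs and contradiction rules below are assumptions.
"""
from dataclasses import dataclass

# Attainment value per radio answer; N/A drops the question from the denominator.
ANSWER_VALUE = {"Achieved": 1.0, "Partial": 0.5, "Not Achieved": 0.0}


@dataclass(frozen=True)
class Question:
    qid: str
    domain: str
    weight: int = 1          # custom questions carry an author-set weight of 1-3
    canonical: bool = True   # False for questions authored by the subscriber


def attainment(questions, answers):
    """Weighted attainment 0-100 (higher is better), or None if every answer is N/A."""
    num = den = 0.0
    for q in questions:
        answer = answers.get(q.qid, "N/A")
        if answer == "N/A":
            continue
        num += q.weight * ANSWER_VALUE[answer]
        den += q.weight
    return round(100 * num / den, 1) if den else None


def score_questionnaire(questions, answers) -> dict:
    """The full score includes custom questions; benchmarkScore is canonical-only
    so sector comparisons stay like-for-like across organisations."""
    return {
        "score": attainment(questions, answers),
        "benchmarkScore": attainment([q for q in questions if q.canonical], answers),
    }


def purview_level(purview_score: float) -> str:
    """Map the composite 0-100 Risk Purview score to a level (thresholds assumed)."""
    if purview_score >= 80:
        return "Strong"
    if purview_score >= 60:
        return "Moderate"
    if purview_score >= 40:
        return "Weak"
    return "Critical"


# (question id, claimed answer, predicate over external signals, explanation)
CONTRADICTION_RULES = [
    ("AC-3", "Achieved", lambda s: 3389 in s.get("open_ports", []),
     "Claims MFA on all remote access, yet RDP (TCP 3389) is exposed to the internet"),
    ("NET-2", "Achieved", lambda s: not s.get("tls_valid", True),
     "Claims certificates are managed, yet the public TLS certificate is invalid"),
]


def detect_contradictions(answers, signals, rules=CONTRADICTION_RULES) -> list:
    """Return one flag per rule whose claimed answer is contradicted by a signal."""
    return [{"qid": qid, "reason": reason}
            for qid, claimed, predicate, reason in rules
            if answers.get(qid) == claimed and predicate(signals)]


def sample_questionnaire():
    """Constructed sample: four canonical questions plus two custom ones."""
    questions = [
        Question("AC-3", "Access Control"),
        Question("NET-2", "Network Security"),
        Question("IR-1", "Incident Response"),
        Question("BCP-1", "Business Continuity"),
        Question("CUST-1", "Access Control", weight=3, canonical=False),
        Question("CUST-2", "Data Protection", weight=2, canonical=False),
    ]
    answers = {"AC-3": "Achieved", "NET-2": "Achieved", "IR-1": "Partial",
               "BCP-1": "N/A", "CUST-1": "Not Achieved", "CUST-2": "Partial"}
    signals = {"open_ports": [443, 3389], "tls_valid": False, "breach_count": 1}
    return questions, answers, signals
```

With the sample data the canonical-only benchmarkScore is 83.3 while the full score drops to 43.8, which is the "custom questions genuinely affect the risk score" behaviour the page describes.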

Sending a questionnaire (3-step flow)

After filling in the supplier details and clicking Next →, a 3-step overlay guides you through the send:

  1. Pick questions — tick which of your custom questions to append to the canonical 28 for this specific send.
  2. Preview — read the full questionnaire (canonical + selected custom) exactly as the supplier will see it, grouped by domain.
  3. Expiry + Send — choose the link expiry (7 / 30 / 90 days / No expiry) and click Send. The supplier receives a one-time link; no account required.

Annual renewal reminders

Once a supplier completes a questionnaire, the platform tracks the response and emails you when re-assessment is approaching — 30 days out, 7 days out, on the day, and once if overdue. All due suppliers for a given account are bundled into a single daily digest so a batch send a year ago doesn't produce dozens of separate emails. Configure the destination mailbox (e.g. infosec@acme.com) and on/off toggle via the 🔔 Reminders button on the Supply Chain portfolio toolbar; if left blank, reminders go to your account email. Completed supplier cards show a "Renews in Nd" chip within 30 days and a "Renewal overdue" chip if past due.
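The reminder schedule and daily digest described above, as an added Python example (not SCH code). The stages (30 days out, 7 days out, on the day, once if overdue), the one-digest-per-account-per-day bundling, the card chips and the mailbox fallback follow the page; the 365-day renewal period, the data layout and the sample suppliers are assumptions.

```python
"""Build the daily renewal-reminder digest for a Supply Chain account.

Added example, not SCH code. Stages (30 days out, 7 days out, on the day, once
if overdue), the single daily digest per account, the card chips and the
mailbox fallback follow the page; the 365-day renewal period, data layout and
sample dates are assumptions.
"""
from datetime import date, timedelta
from typing import Optional

RENEWAL_PERIOD = timedelta(days=365)   # 12-month re-assessment (assumed as 365 days)
REMINDER_STAGES = (30, 7, 0)           # days before the due date that trigger an email


def _as_date(value) -> date:
    """Accept a date or an ISO 8601 string."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def renewal_date(completed_on) -> date:
    return _as_date(completed_on) + RENEWAL_PERIOD


def supplier_chip(supplier: dict, today) -> Optional[str]:
    """Card chip: 'Renews in Nd' within 30 days, 'Renewal overdue' past due, else None."""
    days = (renewal_date(supplier["completed_on"]) - _as_date(today)).days
    if days < 0:
        return "Renewal overdue"
    if days <= 30:
        return f"Renews in {days}d"
    return None


def reminder_stage(supplier: dict, today):
    """Return 30, 7, 0 or 'overdue' if a reminder fires today, else None.
    The overdue reminder fires once, tracked by the overdue_reminded flag."""
    days = (renewal_date(supplier["completed_on"]) - _as_date(today)).days
    if days in REMINDER_STAGES:
        return days
    if days < 0 and not supplier.get("overdue_reminded", False):
        return "overdue"
    return None


def build_daily_digest(account: dict, today) -> Optional[dict]:
    """Bundle every supplier due today into one email; None if nothing is due.
    Marks overdue suppliers as reminded so they are not emailed again."""
    items = []
    for supplier in account["suppliers"]:
        stage = reminder_stage(supplier, today)
        if stage is None:
            continue
        if stage == "overdue":
            supplier["overdue_reminded"] = True
        items.append({"supplier": supplier["name"], "stage": stage,
                      "due": renewal_date(supplier["completed_on"]).isoformat()})
    if not items:
        return None
    # A blank mailbox setting falls back to the account email.
    recipient = account.get("reminder_mailbox") or account["account_email"]
    return {"to": recipient, "date": _as_date(today).isoformat(), "items": items}


def sample_account() -> dict:
    """Constructed account whose suppliers sit at each reminder stage on 2025-06-01."""
    return {
        "account_email": "owner@example.com",
        "reminder_mailbox": "",
        "suppliers": [
            {"name": "Acme Logistics", "completed_on": "2024-06-01"},   # due today
            {"name": "Beta Cloud", "completed_on": "2024-06-08"},       # 7 days out
            {"name": "Gamma Payroll", "completed_on": "2024-07-01"},    # 30 days out
            {"name": "Delta Hosting", "completed_on": "2024-05-01"},    # overdue, not yet reminded
            {"name": "Epsilon Print", "completed_on": "2024-09-01"},    # not yet in window
        ],
    }
```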

🏢MSP / vCISO Portal

The MSP/vCISO Portal lets managed service providers and virtual CISOs run and manage compliance assessments across an entire client portfolio from a single account. Requires the msp_access custom claim — contact the Consultancy Partnership Hub to arrange access.

  • Client cap: 25 (unlimited for admin/demo)
  • Access: msp_access claim
  • Evidence: Per-client isolated
  • Teams: Viewer role supported

Portfolio view

The portal home shows all managed clients in a searchable grid with aggregate stats (total clients, assessed count, average score). Each client card links to a detail view showing per-framework assessment tiles, policy documents, and the Remediation Tracker for that client.

Above the grid, a chip bar lets you narrow the list to Unassessed, Stale (>90d), or Recent (<30d) clients — useful for spotting clients you haven't touched in a while or new clients you've added but never run an assessment against. Chips combine with the search box (AND logic), and the portfolio resets to "All" every time you reopen the portal.

Portfolio Insights

The Insights tab (next to the Clients tab at the top of the portfolio) gives you a risk-ranked view across your entire client portfolio. It shows four summary stats — stale assessments (>90 days since last run), open critical and high remediation actions, integration coverage, and number of ranked clients — plus a Top Risk Clients list ranked by a composite score that combines low assessment scores, critical gaps, open high-urgency actions, and staleness. Clicking a row opens that client's detail view directly.

Insights are computed on demand and cached for 30 minutes. Use the Refresh button to bypass the cache and recompute immediately.

Per-client assessments

From a client's detail view, open any assessment framework tile to run or view results scoped to that client. The View Results button calls GET /api/msp/get-snapshot, which returns the client's latest scores, strengths, next steps, and section-level control scores — the same shape as the standard results viewer. From the same view you can re-run a Phronesis analysis on behalf of the client.

Cross-Framework Map

Once you've completed two or more of CAF, DORA, ISO 27001, CRMA, or Cyber Essentials for a client, a Cross-Framework Map tile appears in the client's completed-assessments section. It opens the Unified Compliance Dashboard scoped to that client, showing how their scores cross-map into NIS2, NIST CSF 2.0, and SOC 2 readiness — useful for a single board-ready posture view that spans every framework you've measured.

Risk Scenarios

Once at least one framework assessment has been completed for a client, a Risk Scenarios section appears below the assessment tiles. It uses the client's saved section scores to surface the most relevant threat scenarios — ranked Critical → High → Moderate → Low — alongside defensive controls and an optional Phronesis narrative. When multiple frameworks are complete, framework selector pills let you switch the view between CRMA, CAF, DORA, ISO 27001, PE DD, and CE; the view defaults to CRMA (broadest coverage) or the lowest-scoring framework when CRMA is unavailable. No additional data fetch is required — scenarios compute from the section scores already loaded for the assessment tiles.

Supply Chain Portfolio (MSP add-on)

MSP subscribers who hold the Supply Chain add-on (msp_sc_access claim) can manage supplier security questionnaires scoped per client. The client detail view shows a Supply Chain Portfolio tile with four stat cards (high-risk suppliers, unacked alerts, total suppliers, awaiting response). Opening the tile launches supply-chain.html?mspClient=<id>&mspClientName=<name> — every API call automatically scopes to the client's supplier sub-collection rather than the practitioner's personal portfolio. The monthly Risk Purview re-scan also routes alerts to each client's sc_alerts sub-collection automatically.

Evidence Vault scoping

When uploading evidence files on behalf of a client, the optional clientId parameter namespaces files under evidence/{uid}/clients/{clientId}/…. This keeps each client's audit documentation isolated within the MSP account's storage quota (500 MB shared across all clients).

Multi-tenant teams access

MSP subscribers can invite colleagues to share their full client portfolio without purchasing an additional licence. Invited members receive Practitioner access — identical read/write capabilities to the portfolio owner. The only owner-exclusive actions are managing billing and sending further team invites.

Inviting a team member

  1. The portfolio owner clicks the Team button in the MSP Portal header, then enters a colleague's email address and clicks Send invite.
  2. The colleague receives a branded invite email containing a one-time token valid for 72 hours.
  3. They click the link, which opens msp-team-onboarding.html?token=…. They sign in with any provider (Google, Microsoft, or email/password). A new SCH account is created automatically if needed.
  4. On sign-in, the token is atomically consumed. The msp_access custom claim is set on their account along with a tenantId (linking them to the owner's portfolio) and tenantRole: 'editor'.
  5. The team view in the portal updates immediately to show the new Practitioner alongside any pending invites.
Token and sign-in
The invite system is sign-in-provider agnostic — the invitee can use Google, Microsoft, or email/password. The invite is matched by email address, not sign-in provider.

To remove a team member, open the Team view and click Remove next to their name. Their access is revoked immediately — they will be signed out of the portal on their next page load.

🔌Integrations — Bringing Tool Data into Assessments

SCH offers two complementary ways to enrich your assessments with real data from your existing security toolstack, replacing manual self-declaration with evidence pulled from live systems.

Option A — Live connection (Microsoft Entra ID)

Connect your Azure AD / Entra ID tenant once and SCH pulls live security signals directly into your Cyber Essentials, CAF, ISO 27001, and DORA assessments as inline hints alongside relevant questions.

What data is pulled

  • MFA coverage across user accounts
  • Authentication method policy (FIDO2 passkeys, Microsoft Authenticator, SMS)
  • Conditional Access policy state
  • Risky user counts from Entra ID Protection
  • Device compliance posture (Intune)
  • Microsoft Defender alerts — including Sentinel-routed alerts when Microsoft Sentinel is linked to your Defender XDR workspace
  • Security incidents (requires SecurityIncident.Read.All and a Sentinel licence)
  • Microsoft Secure Score and Secure Score control breakdown
  • Sign-in log availability
  • Guest / external user count

How hints appear in assessments

  • Blue hints — live tenant metrics shown beside the relevant question (e.g. "84 % of users have MFA enabled").
  • Amber hints — licence warnings flagging when a data point requires a licence you may not hold (Entra P1/P2, Intune, or Defender plans).
  • CE+ check (Cyber Essentials only) — a green/amber/red sub-line beneath the hint explaining what a Cyber Essentials Plus assessor will actually do to verify that control (for example, testing that MFA is enforced at sign-in, or running the authenticated patch scan), and whether your connected signal suggests you're ready for the audited test.
Cyber Essentials Plus readiness preview
When you connect a Microsoft 365 / Entra tenant, your Cyber Essentials results panel shows a "Cyber Essentials Plus — readiness preview" — a per-control traffic-light (On track / Needs review / Likely gap / Not measured) across all five technical controls, derived from your live signals. It's indicative only: Firewalls always reads "Not measured" because CE+ verifies firewalls with an external network scan your identity/endpoint tools can't see, and the preview never replaces the independent CE+ test itself.

How to connect

  1. Go to My Hub → Settings → Integrations.
  2. Under the Microsoft Entra ID card, enter your Azure Tenant ID and click Connect.
  3. An admin consent flow opens in a new tab. Grant the required application permissions (read-only Graph API scopes) on behalf of your tenant.
  4. Once consented, hints appear automatically on your next Cyber Essentials, CAF, ISO 27001, or DORA assessment visit. No per-user OAuth redirect is required — the integration uses an app-only (client credentials) flow.
Fault tolerance
If a specific Graph endpoint returns a 400 or 404 (e.g. because a licence is unavailable), that data point is treated as unavailable rather than as an error. One unlicensed feature will not abort the full data sync.
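The fault-tolerant sync behaviour described above, as an added Python example (not SCH code): each data point is fetched in turn, a 400 or 404 becomes an amber "licence required" hint and the sync carries on. The permission-to-licence pairs come from the page; the Graph endpoint paths are standard Microsoft Graph v1.0 paths chosen for illustration (the platform's actual calls are not on the page), the hint wording and sample responses are constructed, and the fetch function is a stub standing in for an authenticated app-only Graph client.

```python
"""Simulate the Entra ID data sync with the fault tolerance the page describes:
a Graph endpoint answering 400 or 404 (typically a missing licence) yields an
amber 'licence required' hint instead of aborting the sync.

Added example, not SCH code. The permission-to-licence mapping comes from the
page; the endpoint paths are standard Microsoft Graph v1.0 paths chosen for
illustration, the hint wording and the sample responses are constructed, and
the fetch function is a stub in place of a real authenticated Graph client.
"""


class GraphSyncError(Exception):
    """Raised for statuses the page does not treat as 'unavailable' (e.g. 401/403/5xx).
    A 403 usually means the permission was never consented (the re-consent case)."""


def summarise_mfa(body):
    users = body.get("value", [])
    if not users:
        return None
    registered = sum(1 for u in users if u.get("isMfaRegistered"))
    pct = round(100 * registered / len(users))
    return f"{pct} % of users have MFA enabled ({registered}/{len(users)})"


def summarise_conditional_access(body):
    policies = body.get("value", [])
    enabled = sum(1 for p in policies if p.get("state") == "enabled")
    return f"{enabled} of {len(policies)} Conditional Access policies enabled"


def summarise_risky_users(body):
    at_risk = sum(1 for u in body.get("value", []) if u.get("riskState") == "atRisk")
    return f"{at_risk} users currently flagged at risk by Entra ID Protection"


def summarise_devices(body):
    devices = body.get("value", [])
    compliant = sum(1 for d in devices if d.get("complianceState") == "compliant")
    return f"{compliant} of {len(devices)} Intune-managed devices compliant"


def summarise_secure_score(body):
    scores = body.get("value", [])
    if not scores:
        return None
    latest = scores[0]
    return f"Secure Score {latest['currentScore']:.0f} of {latest['maxScore']:.0f}"


# (data point, Graph path, application permission, licence the page lists, summariser)
DATA_POINTS = [
    ("mfa_coverage", "/reports/authenticationMethods/userRegistrationDetails",
     "Reports.Read.All", "Entra ID Free", summarise_mfa),
    ("conditional_access", "/identity/conditionalAccess/policies",
     "Policy.Read.All", "Entra ID P1", summarise_conditional_access),
    ("risky_users", "/identityProtection/riskyUsers",
     "IdentityRiskyUser.Read.All", "Entra ID P2", summarise_risky_users),
    ("device_compliance", "/deviceManagement/managedDevices",
     "DeviceManagementManagedDevices.Read.All", "Microsoft Intune (or EMS E3/E5)",
     summarise_devices),
    ("secure_score", "/security/secureScores",
     "SecurityEvents.Read.All", "Defender for Business or Defender for Endpoint P1/P2",
     summarise_secure_score),
]


def sync_tenant(fetch) -> dict:
    """fetch(path) -> (http_status, json_body). Returns one hint per data point."""
    hints = {}
    for name, path, permission, licence, summarise in DATA_POINTS:
        status, body = fetch(path)
        if status == 200:
            text = summarise(body)
            hints[name] = ({"kind": "blue", "text": text, "permission": permission}
                           if text else {"kind": "unavailable", "text": "No data returned"})
        elif status in (400, 404):
            # Treated as unavailable, not as an error: the rest of the sync continues.
            hints[name] = {"kind": "amber",
                           "text": f"Licence required: {licence} (needs {permission})"}
        else:
            raise GraphSyncError(f"{path} returned HTTP {status}")
    return hints


# Constructed tenant: MFA and CA data present, no P2 or Intune licence, Secure Score present.
SAMPLE_RESPONSES = {
    "/reports/authenticationMethods/userRegistrationDetails":
        (200, {"value": [{"isMfaRegistered": True}] * 21 + [{"isMfaRegistered": False}] * 4}),
    "/identity/conditionalAccess/policies":
        (200, {"value": [{"state": "enabled"}, {"state": "enabled"}, {"state": "disabled"}]}),
    "/identityProtection/riskyUsers": (404, {"error": {"code": "ResourceNotFound"}}),
    "/deviceManagement/managedDevices": (400, {"error": {"code": "BadRequest"}}),
    "/security/secureScores": (200, {"value": [{"currentScore": 312.0, "maxScore": 520.0}]}),
}


def sample_fetch(path):
    """Stub for an authenticated app-only Graph call."""
    return SAMPLE_RESPONSES.get(path, (500, {}))
```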

MSP Portal — connecting a client's M365 tenant

If you are an MSP practitioner running assessments on behalf of a client, you can connect that client's Microsoft 365 tenant separately from your own. When connected, their live Entra signals populate the assessment hints for that client with a teal Client tenant badge, keeping it visually distinct from your own data.

Steps for MSP practitioners

  1. Open the MSP Portal and click into the client's detail page.
  2. Scroll to the Microsoft 365 Integration section and click Get consent link.
  3. The portal generates a one-time consent link (valid for 1 hour). Copy it and share it with the client's Microsoft 365 global administrator — by email, Teams message, or ticket.
  4. The client admin visits the link, reviews the requested permissions, and clicks Accept in the Microsoft consent portal.
  5. Microsoft redirects to a confirmation page. Back in the MSP Portal, click Connect to perform the first data sync.

Hints for that client's assessments will now show live data from their tenant. The practitioner's own personal Entra integration is completely unaffected. If the client's tenant is later disconnected, hints revert to empty rather than ever falling back to personal data.

No Azure credentials needed from the client
The consent link uses Microsoft's standard admin consent URL. The client admin simply clicks Accept — they do not need to provide any API keys, client secrets, or credentials to you or to Security Compliance Hub.

For your Azure Global Administrator

When you (or your client) visit the Microsoft consent page, the Azure Global Administrator will be asked to approve a set of application permissions for Security Compliance Hub. Here is what each permission enables:

  • Reports.Read.All — MFA registration counts, authentication method usage, sign-in log availability. Requires: Azure AD Free / Entra ID Free.
  • Policy.Read.All — Conditional Access policy list and state, authentication methods policy (which methods are enabled tenant-wide). Requires: Entra ID P1 for CA data; Free tier for auth policy.
  • AuditLog.Read.All — Confirms that sign-in logs are available in the tenant. Requires: Entra ID Free.
  • User.Read.All — Guest / external user count. Requires: Entra ID Free.
  • Organization.Read.All — Tenant display name (shown in the integration card). Requires: Entra ID Free.
  • IdentityRiskyUser.Read.All — Risky user counts from Entra ID Protection. Requires: Entra ID P2.
  • DeviceManagementManagedDevices.Read.All — Intune device compliance posture (compliant / non-compliant / total). Requires: Microsoft Intune (or EMS E3/E5).
  • SecurityEvents.Read.All — Microsoft Defender alerts and Microsoft Secure Score. Requires: Defender for Business or Defender for Endpoint P1/P2.
  • SecurityIncident.Read.All — Security incidents and Sentinel-linked alert data. Requires: Microsoft Sentinel.

All permissions are application permissions (app-only) — SCH never signs in as a user and never performs write actions. Every permission is read-only.

Unlicensed permissions are skipped automatically
If your tenant doesn't hold the licence for a particular permission (for example, no Intune licence, no Defender licence, no Sentinel workspace), that data point is silently skipped — it never blocks other data from syncing. An amber licence required hint appears in the relevant question rather than an error.
Existing connections: re-consent required for Sentinel data
The SecurityIncident.Read.All permission was added in June 2026. If your tenant was connected before this date, a Global Administrator will need to re-consent to grant the new permission. Go to My Hub → Workspace → Integrations, disconnect the existing connection, then reconnect to trigger the updated consent flow.

Where to find your Tenant ID

  1. Sign in to the Microsoft Entra admin centre (entra.microsoft.com).
  2. Go to Identity → Overview.
  3. Copy the Tenant ID — a GUID in the format xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.
  4. Paste it into the Tenant ID field in My Hub → Workspace → Integrations → Microsoft Entra ID → Connect.

Option A2 — Live connection (Okta Identity Engine)

Connect your Okta organisation once and SCH pulls live IAM posture signals into your Cyber Essentials, CAF, ISO 27001, and DORA assessments as inline hints.

What data is pulled

  • MFA enrolment coverage across user accounts
  • Authenticator policy state (phishing-resistant methods vs SMS/voice)
  • Number of active sign-on policies
  • Assigned app count and group membership
  • Risk event counts

How to connect

  1. Go to My Hub → Settings → Integrations.
  2. Under the Okta card, enter your Okta domain (e.g. yourorg.okta.com), an API token (read-only), and choose the credential type (OAuth private-key or SSWS token).
  3. Click Connect. SCH performs an initial data sync. Hints appear automatically on your next assessment visit.
Credential storage
Your Okta API token is encrypted with AES-256-GCM under a Cloud KMS key and stored server-side. It is never returned in any API response. You can disconnect at any time to delete it.

Option A3 — Live connection (CrowdStrike Falcon)

Connect your CrowdStrike Falcon environment once and SCH pulls live EDR signals (sensor coverage, prevention policies, detections, vulnerabilities, incidents) into your Cyber Essentials, CAF, ISO 27001, and DORA assessments as inline hints.

What data is pulled

  • Sensor health: total devices, normally-reporting count, reduced-functionality-mode (RFM) count, healthy coverage percentage, stale sensor count
  • Prevention policies: enabled / total count, NGAV policy presence
  • Detections: open count, critical and high severity breakdown
  • Spotlight vulnerabilities (requires Falcon Spotlight licence): open count, critical, high, exploitable
  • Incidents (requires Falcon Insight access): active count, high fine-score (≥70) count

Assessment questions covered

  • Cyber Essentials: q3_2 (auto-updates), q3_3 (patch compliance), q5_2 (AV deployment), q5_3 (AV currency), q5_4 (AV effectiveness)
  • CAF: C1a_1 (log collection), C1c_1 (detection processes), D1a_1 (IR response plan)
  • ISO 27001: A.8.7 / AA4_1 (threat intel), AA4_4 (malware protection), AA4_7 (event logging)
  • DORA: P1_5 (incident detection), P1_7 (vuln management), P1_8 (anomaly detection), P2_2 (ICT risk posture)

How hints appear

  • CrowdStrike red hints — live Falcon signals shown beside the relevant question (e.g. "Falcon: 50 of 50 sensors reporting normally — 100% healthy coverage").
  • Amber hints — licence warnings when a data point requires a Falcon module you may not hold (Spotlight for vulnerability data, Falcon Insight for incident data).

How to connect

  1. Create a Falcon API client in your CrowdStrike console with read-only scopes: Detections:Read, Hosts:Read, Prevention policies:Read, Spotlight vulnerabilities:Read, Incidents:Read.
  2. Go to My Hub → Settings → Integrations.
  3. Under the CrowdStrike card, enter your Falcon Cloud URL, Client ID, and Client Secret.
  4. Click Connect. SCH performs an OAuth2 client-credentials sync. Hints appear automatically on your next assessment visit.
Credential storage
Your Falcon client secret is encrypted with AES-256-GCM under a Cloud KMS key and stored server-side. It is never returned in any API response. You can disconnect at any time to delete it.

Option A4 — Live connection (Google Workspace)

Connect your Google Workspace tenant once and SCH pulls live identity-layer signals (2-Step Verification coverage, account lifecycle, managed-device counts) into your Cyber Essentials, CAF, ISO 27001, and DORA assessments as inline hints. Designed for organisations on Google Workspace rather than Microsoft 365.

What data is pulled

  • 2-Step Verification — enrolment percentage (Google's own metric) and admin-enforced coverage percentage
  • Accounts — active / suspended / super-admin / delegated-admin counts
  • ChromeOS devices — active and disabled Chromebooks under enterprise enrolment
  • Mobile devices — Android and iOS devices under Google MDM (approved / blocked / compromised counts)

Assessment questions covered

  • Cyber Essentials: q2_4 (device sign-in), q4_2 (leavers), q4_3 (MFA), q4_5 (password & MFA scheme) — CE+ notes attached
  • CAF: B2a_1 (MFA), B2a_2 (MFA enforcement-as-audit-signal), B2b_1 (managed devices), B2b_2 (privileged users), B2d_1 (leavers)
  • ISO 27001: AA1_5 (access restriction), AA4_2 (privileged provisioning), AA4_7 (authentication), AA8_1 (mobile devices)
  • DORA: P1_6 (identity and access management)

How to connect

The auth flow differs from Microsoft Entra and Okta: Google Workspace uses Domain-wide Delegation (DWD), not OAuth admin consent. You will not need to generate any credentials — your Workspace super-admin grants access by pasting SCH's service account identity into Admin Console.

  1. Go to My Hub → Security Tool Integrations → Google Workspace (or, for MSPs, the client detail view in the MSP Portal).
  2. Enter your Workspace primary domain and a super-admin email. We recommend creating a dedicated account like sch-readonly@yourdomain.com with the Super Admin role used only for SCH impersonation — but a live human super-admin works as a fallback.
  3. Click Save & continue. SCH displays a modal showing its service account Client ID and the four read-only OAuth scopes — both copyable.
  4. Your Workspace super-admin signs in to admin.google.com, goes to Security → Access and data control → API controls → Manage Domain-wide Delegation, clicks Add new, and pastes the Client ID and scopes.
  5. Back in SCH, click Verify now. SCH probes Google to confirm DWD is live and the super-admin role is held, then flips the tile to Connected and runs the first data pull.

How hints appear

  • Google blue hints — live Workspace signals shown beside the relevant question (e.g. "Google Workspace: 87% of users have 2-Step Verification enrolled (87/100); 62% enforced by admin policy").
  • "Client tenant" badge — when an MSP practitioner is viewing in a specific client's context, every hint shows a teal badge so the source of the data is unmistakable.
  • CE+ readiness notes — Cyber Essentials questions also show a short note describing what a CE+ assessor would verify for that control, so you can judge readiness for the audited test.
Read-only scopes
SCH requests four read-only Admin SDK scopes: directory users (read-only), ChromeOS devices (read-only), mobile devices (read-only), and reports usage (read-only). No write access; no email, calendar, or document content. The audit log scope is intentionally not requested in this release.

Coming soon

The following integrations are on the roadmap. Contact us to register interest and get early access:

  • Qualys / Tenable: vulnerability findings
  • Splunk / SentinelOne: SIEM & detection data

Option B — Developer JSON import

Build a script on your own infrastructure that pulls data from any security tool (RMM, SIEM, GRC, vulnerability scanner) and maps it to the SCH pre-fill JSON schema. Upload the JSON into your assessment and answers are pre-populated for your review. Your tool API credentials never leave your environment.

Three-step pipeline

  1. Pull — Write a script that authenticates with your security tool's API and extracts the relevant data. Credentials stay entirely on your infrastructure.
  2. Map — Transform the raw data into the SCH pre-fill JSON format, applying your own thresholds to decide whether a control is pass, partial, or fail.
  3. Import & review — Upload the JSON file inside your SCH assessment. Answers are pre-populated; you confirm or override each one before running Phronesis analysis.

Privacy boundary

What reaches Phronesis
Only the evidence_summary field in the schema (aggregated, identifier-free text) is ever transmitted to the Phronesis AI Service. The evidence_detail and raw_stats fields are stored in the Evidence Vault (GCS) and are never sent to Phronesis. Do not include hostnames, IP addresses, device names, or usernames in evidence_summary.
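The Map step of the pipeline and the privacy boundary above, as one added Python example (not SCH code): a constructed RMM patch export is reduced to a pre-fill entry for q3_3 whose evidence_summary carries only aggregates, while per-host data stays in evidence_detail and raw_stats, and a check refuses to build the upload if any hostname, IP or username from the export has leaked into the summary. The field names evidence_summary, evidence_detail and raw_stats and the question ID come from the page; the wrapper fields (question_id, answer), the pass/partial/fail thresholds and the export format are assumptions.

```python
"""Option B 'Map' step: turn a raw RMM patch export into an SCH pre-fill entry
and check the privacy boundary before upload.

Added example, not SCH code. The field names evidence_summary, evidence_detail
and raw_stats and the CE question ID q3_3 come from the page; the wrapper
fields (question_id, answer), the pass/partial/fail thresholds and the RMM
export format are assumptions, and the device data is constructed.
"""
import json
import re

PASS_AT, PARTIAL_AT = 95.0, 80.0   # assumed thresholds on % of endpoints fully patched
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed export from an RMM tool (hostnames, IPs and users are fictional).
RAW_DEVICES = [
    {"hostname": "LON-WS-011", "ip": "10.20.3.11", "last_user": "a.khan", "missing_critical": 0},
    {"hostname": "LON-WS-012", "ip": "10.20.3.12", "last_user": "b.osei", "missing_critical": 0},
    {"hostname": "LON-WS-013", "ip": "10.20.3.13", "last_user": "c.lee", "missing_critical": 0},
    {"hostname": "LON-WS-014", "ip": "10.20.3.14", "last_user": "d.novak", "missing_critical": 2},
    {"hostname": "MAN-WS-021", "ip": "10.30.1.21", "last_user": "e.price", "missing_critical": 0},
    {"hostname": "MAN-WS-022", "ip": "10.30.1.22", "last_user": "f.gupta", "missing_critical": 0},
    {"hostname": "MAN-SRV-01", "ip": "10.30.0.5", "last_user": "svc-backup", "missing_critical": 0},
    {"hostname": "MAN-SRV-02", "ip": "10.30.0.6", "last_user": "svc-print", "missing_critical": 0},
]


def verdict(percent_patched: float) -> str:
    if percent_patched >= PASS_AT:
        return "pass"
    if percent_patched >= PARTIAL_AT:
        return "partial"
    return "fail"


def map_patch_compliance(devices, question_id="q3_3") -> dict:
    """Build one pre-fill entry. evidence_summary is aggregate-only (it goes to
    Phronesis); per-host data stays in evidence_detail / raw_stats (Evidence Vault)."""
    total = len(devices)
    compliant = sum(1 for d in devices if d["missing_critical"] == 0)
    pct = round(100 * compliant / total, 1)
    return {
        "question_id": question_id,
        "answer": verdict(pct),
        "evidence_summary": (f"{compliant} of {total} managed endpoints ({pct} %) have no "
                             "outstanding critical patches according to the RMM export."),
        "evidence_detail": [
            {"hostname": d["hostname"], "ip": d["ip"], "missing_critical": d["missing_critical"]}
            for d in devices if d["missing_critical"] > 0
        ],
        "raw_stats": {"total": total, "compliant": compliant, "percent": pct},
    }


def identifiers_in(devices) -> set:
    """Every hostname, IP and username present in the raw export (lower-cased)."""
    ids = set()
    for d in devices:
        ids.update({d["hostname"].lower(), d["ip"], d["last_user"].lower()})
    return ids


def check_privacy_boundary(entry: dict, devices) -> list:
    """Return identifiers that leaked into evidence_summary; [] means safe to upload.
    Checks exact identifiers from the export plus any IPv4 literal (very short
    usernames may false-positive; that errs on the side of not sending)."""
    text = entry["evidence_summary"].lower()
    leaks = {i for i in identifiers_in(devices) if i in text}
    leaks.update(IPV4.findall(text))
    return sorted(leaks)


def build_prefill(devices) -> str:
    """Assemble the upload document (outer structure assumed) after the boundary check."""
    entry = map_patch_compliance(devices)
    leaks = check_privacy_boundary(entry, devices)
    if leaks:
        raise ValueError(f"evidence_summary contains identifiers: {leaks}")
    return json.dumps({"assessment": "cyber_essentials", "answers": [entry]}, indent=2)
```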

Supported schemas

Pre-fill schemas are available for all six core assessment types. Download them from integrations.html:

  • Cyber Essentials: Q IDs q1_1–q6_4. Sources: NinjaOne, Ninite Pro, WUfB
  • CAF: 14 principles. Sources: SIEM, vulnerability scanners
  • ISO 27001: 8 clauses + Annex A. Sources: GRC tools, audit logs
  • DORA: 5 pillars. Sources: ITSM, incident management platforms
  • AI Governance: 6 domains. Sources: AI risk registers, model inventories
  • SOC Maturity: 7 domains. Sources: SIEM, SOAR, threat intel platforms

Choosing between Option A and Option B

Option A — Live connection

Best for: Microsoft-centric environments wanting live hints with zero scripting. Connect once, data refreshes automatically on each assessment visit.

Option B — JSON import

Best for: Any toolstack. More control over thresholds and mapping logic. Suitable for automated pipelines that pre-populate assessments on a schedule.

Glossary

🏷️Platform Terms

A–C
Assessment Bundle
Subscription plan providing unlimited access to all five core assessments (CE, CAF, DORA, ISO 27001, AI Governance) plus the Cyber Resilience Maturity Assessment (CRMA), full PDF/JSON export, and sharing. Distinct from the CE One-Shot single-use product.
CE One-Shot
A single Cyber Essentials analysis purchase. After analysis runs, the assessment enters read-only mode for 30 days. After 30 days access expires and re-purchase is required.
Compliance Passport
A printable one-page compliance posture summary generated from My Hub. Includes all completed framework scores with RAG ratings, sector position, and a signed reference ID.
CRMA
Cyber Resilience Maturity Assessment. A 70-question (46 for micro/small organisations), 14-theme broad-baseline assessment aligned to the IASME Governance maturity model. Produces a maturity tier (Foundation / Developing / Established / Advanced), a 90-day improvement roadmap, and an automatic framework-readiness recommendation (CE, CAF, DORA, ISO 27001, or AI Governance).
Custom Claim
A Firebase JWT field added by an admin that grants specific access levels (e.g. pedd_access, soc_access, supply_chain_access). Claims are signed by Google and cannot be spoofed client-side. Changes require a sign-out/sign-in to take effect.
E–P
Evidence Vault: Per-question file attachment system for audit-pathway assessments (CAF, DORA, ISO 27001, AI Governance, PE Due Diligence). Files are stored in Google Cloud Storage with a 500 MB per-account quota.
Phronesis: The platform's AI analysis and guidance layer, named after the Greek concept of practical wisdom. Runs via an authenticated server-side Cloud Function; prompts are assembled server-side, not in the browser. Operates in three modes: analysis, guidance, and chat.
R
Remediation Tracker: Action item tracking system populated from Phronesis analysis results. Items are categorised by urgency (Critical / High / Medium / Low), include effort estimates and owner fields, and sync to Firestore across devices.
Renewal reminder: An automated email digest from the Supply Chain Risk Manager that flags suppliers approaching their 12-month re-assessment date. Triggers at 30 days out, 7 days out, on the day, and once if overdue. The destination mailbox is configurable; one digest per account per day avoids notification spam.
Risk Purview: The Supply Chain Risk Manager's external verification engine. Probes multiple external data sources covering DNS records, TLS certificate health, open ports, breach history, and company registration to produce a composite purviewScore (0–100) and contradiction flags.
S
Sector Benchmarking: Anonymous score comparison against organisations in the same industry sector. Scores are contributed after each analysis (opt out in Dashboard Settings). Percentile data is shown only once a segment has at least 10 contributors. The benchmark document key is the SHA-256 hash of the user's UID, so the UID itself is never stored with benchmark data.

📚Framework Terms

A
Annex A: The ISO/IEC 27001 control catalogue. The 2022 revision reorganised the controls into 93 entries across 4 themes: Organisational (37), People (8), Physical (14), and Technological (34). A Statement of Applicability (SoA) must document which controls are included and why.
AI Act: EU Regulation 2024/1689 on Artificial Intelligence. Applies a risk-based tiered approach: unacceptable risk (prohibited), high risk (strict obligations), limited risk (transparency requirements), minimal risk (no obligations). Providers of general-purpose AI (GPAI) models face additional horizontal requirements.
C
CAF: Cyber Assessment Framework. NCSC framework for assessing the cyber resilience of Operators of Essential Services. Four objectives: Managing Security Risk; Protecting Against Cyber Attack; Detecting Cyber Security Events; Minimising the Impact of Incidents.
CNI: Critical National Infrastructure. UK sectors designated as essential for national security, including energy, transport, water, health, finance, telecoms, government, and defence. CNI operators are subject to the NIS Regulations and the NCSC CAF.
Cyber Essentials Plus: The audited tier of UK Cyber Essentials. The same five technical controls as the self-assessed certification, but independently verified by an assessor through technical testing: an external vulnerability scan (firewalls and exposed services), authenticated internal patch scans (high/critical fixes applied within 14 days), MFA enforcement checks, and live malware-protection tests (e.g. EICAR test files). When you connect a Microsoft 365 / Entra tenant, SCH surfaces a per-control CE+ readiness preview and per-question "CE+ check" hints that indicate how that testing is likely to land.
D
DORA: Digital Operational Resilience Act (Regulation (EU) 2022/2554). Applies to EU-regulated financial entities from 17 January 2025. Consolidates the ICT risk management provisions previously scattered across sectoral legislation such as PSD2 into a single regime; it does not replace the GDPR. Supervised by the existing financial competent authorities (national regulators and, for significant banks, the ECB), with technical standards drafted by the European Supervisory Authorities (EBA, ESMA, EIOPA).
G–I
GPAI: General-Purpose AI. Under the EU AI Act, GPAI models (e.g. large language models usable for many tasks) are subject to transparency and documentation obligations. GPAI models with systemic risk (presumed where training compute exceeds 10²⁵ FLOPs) face additional requirements including adversarial testing and serious-incident reporting.
IASME: Information Assurance for Small and Medium Enterprises. UK-based governance standard and certification body. The IASME Governance maturity model is the scoring model for the PE Due Diligence and Cyber Resilience Maturity (CRMA) assessments, with tiered outcomes reflecting assurance levels.
ISMS: Information Security Management System. The systematic approach to managing information security risk required by ISO 27001. Comprises policies, procedures, processes, and controls following a Plan-Do-Check-Act cycle.
N
NIS2: Network and Information Systems Directive 2 (EU 2022/2555). Replaces the original NIS Directive with broader scope and stronger enforcement. The SCH Unified Compliance Dashboard derives NIS2 Article coverage scores by averaging the mapped CAF principle and DORA pillar scores across 15 Articles.
NIST AI RMF: National Institute of Standards and Technology AI Risk Management Framework. Voluntary US framework structured around four core functions: Govern, Map, Measure, Manage. Cross-referenced in the SCH AI Governance assessment alongside the EU AI Act and ISO 42001.
O–T
OES: Operator of Essential Services. Organisations designated under the UK NIS Regulations as providing services essential to the economy and society. Subject to NCSC CAF assessment and incident reporting obligations.
TLPT: Threat-Led Penetration Testing. Advanced form of penetration testing required by DORA Article 26 for financial entities identified as significant by their competent authority, at least every three years. Based on real threat intelligence and conducted by qualified testers against live production systems. Results are shared with the competent authority.

🔐Security Terms

A–D
Access Control: Mechanisms that restrict access to systems, data, or facilities based on identity, role, or attribute. Includes authentication (verifying identity), authorisation (controlling what an identity can do), and accounting (logging what was done). A core Cyber Essentials control.
Attack Surface: The total set of entry points an attacker could exploit to gain access to a system. Includes network interfaces, user accounts, APIs, cloud services, and physical access points. Reducing the attack surface is a foundational principle across CE, CAF, and ISO 27001.
DLP: Data Loss Prevention. Technologies and processes that detect and prevent sensitive data from leaving the organisation's control boundary, whether accidentally or through malicious action. Relevant to ISO 27001 Annex A control A.8.12 (data leakage prevention) and DORA ICT risk management.
E–M
EDR: Endpoint Detection and Response. Security software that continuously monitors endpoint devices for suspicious activity and provides real-time response capabilities. Goes beyond traditional AV to detect behavioural indicators of compromise.
IAM: Identity and Access Management. The discipline of managing digital identities and their access rights. Encompasses directory services, single sign-on, MFA, privileged access management, and access reviews. A dedicated domain in the SOC Maturity assessment.
MFA: Multi-Factor Authentication. Requiring two or more verification factors (something you know, have, or are) before granting access. Cyber Essentials v3.3 requires MFA for all user accounts on cloud services (where the service offers it) and for all administrative accounts.
P–R
PAM: Privileged Access Management. Controls over accounts with elevated permissions (admin, root, service accounts). Includes just-in-time access, session recording, credential vaulting, and regular review. An enterprise-only question in PE Due Diligence and SOC Maturity.
Patch Management: The systematic process of applying updates to operating systems, firmware, and software to address known vulnerabilities. Cyber Essentials requires updates that fix high or critical vulnerabilities to be applied within 14 days of release. In the CAF this sits under Principle B4 (System Security), which includes vulnerability management.
RPO: Recovery Point Objective. The maximum acceptable amount of data loss measured in time, i.e. how old the last usable backup may be before the loss becomes unacceptable. Used in the ISO 27001 Clause 8 and DORA business continuity planning sections.
RTO: Recovery Time Objective. The maximum acceptable time to restore a service after an incident. Pairs with RPO to define the organisation's continuity requirements. Both are assessed in the DORA Pillar 1 and ISO 27001 Clause 8 sections.
S–Z
SIEM: Security Information and Event Management. A platform that aggregates log data from across the IT estate, correlates events, and generates alerts for potential incidents. Central to SOC Detection & Response maturity. An enterprise-only question in the SOC Maturity assessment.
SOC: Security Operations Centre. A dedicated team (internal or outsourced) responsible for monitoring, detecting, and responding to security events. The SCH SOC Maturity assessment measures capability across 7 domains for enterprise SOCs, small/mid-size SOCs, and MSSPs.
Zero Trust: A security model based on "never trust, always verify": no user or device is implicitly trusted based on network location. Every access request is authenticated, authorised, and continuously validated. Relevant to IAM controls in ISO 27001, CAF, and the AI Governance assessment's security domain.

Support

Frequently Asked Questions

My auto-save isn't working across devices — why?

Cross-device draft sync is included in the Assessment Bundle, demo accounts, and all paid one-shot products. Sign in on the second device and open the same assessment — a teal banner offers to load progress from the cloud. Trial users save to local browser storage only and cannot sync across devices. See Collaborative Drafts for the full sync behaviour, including tenant sharing and the "Last saved by" / "🔒 Being edited by" indicators on My Hub.

I ran analysis but I'm seeing the local analysis fallback (yellow banner)

When the Phronesis API returns a 502 or the response cannot be parsed, the platform falls back to a local JavaScript scoring engine. The yellow banner indicates this happened. Try clicking Analyse again — transient Cloud Function cold-starts are usually the cause. If the problem persists, check your internet connection or contact support.

My trial has expired but I can still see results — can I export them?

Results remain visible after trial expiry, but export (PDF/JSON) and sharing remain gated behind a subscription or one-shot purchase. Your saved scores in My Hub are retained indefinitely. Upgrade via Pricing or Consultancy.

I updated my sector in Dashboard Settings but benchmarks haven't changed

Benchmark data is pre-aggregated every 6 hours per (type × sector) segment. After changing your sector, re-run any completed assessment's analysis (or simply reload the dashboard after 6 hours) to see the updated sector comparison. Note that your historical scores contribute to the previous sector's dataset until the next aggregation run.

Can I share a PE Due Diligence report with a client?

Yes — the Share button is available on PE Due Diligence results. Shared links require no login to view and expire on the schedule you select (7/30/90 days or no expiry). The shared page includes scores, gaps, strengths, next steps, and the Phronesis deal analysis. Evidence Vault files are not included in the shared view.

The NCSC CAF assessment is very long — can I save progress and return later?

Yes. All assessments auto-save every second to localStorage. When you return to the page, your previous answers are automatically restored. The sidebar progress tracker shows your completion percentage per principle. On My Hub, in-progress drafts appear in the "In Progress" section so you can navigate back easily.

Do you use tracking cookies or web analytics?

No. The platform uses only essential browser storage (Firebase Authentication session cookies for sign-in) and functional localStorage entries that auto-save your assessment progress and remember dialog dismissals. We do not run Google Analytics, advertising, retargeting, or any third-party tracking. The first time you visit you will see a one-line consent banner; you can re-open the preferences (and a "Clear local data" reset) at any time from the Cookie preferences link in the page footer. Full breakdown in our privacy notice.

🐛Reporting Issues

The fastest way to get a technical issue investigated is the 🐛 Report button in the top navigation bar. Subscribers and paid one-shot users see it on every page; trial users do not (use the consultancy form instead).

What the Report modal captures

When you click 🐛 Report, a modal asks for three short fields:

  • Title (≤120 chars) — one-line summary.
  • Description (≤2000 chars) — what went wrong, what you saw on screen.
  • What were you trying to do? (≤500 chars) — helps the engineer understand the goal, not just the symptom.

Alongside what you type, the modal automatically attaches read-only context that helps diagnosis: your email, the page URL, browser and viewport, timezone, the precise timestamp, your active access claims, and the last 10 client-side errors captured silently in the background (network failures, JavaScript exceptions). None of this is hidden — it's shown in the modal before you submit. Personal information beyond your email is never collected.

What happens after you submit

Your ticket is created with a unique reference (e.g. SCH-20260602-A4F2) and you'll receive an on-screen confirmation. Two things then happen in parallel:

  1. Auto-triage — within seconds of submission, an AI support engineer reads your ticket alongside your recent Cloud Logging entries (scoped to your user ID and the time around your problem). It produces a first-pass diagnosis: what it thinks went wrong, what evidence supports that, and a suggested next step. This runs automatically — you don't need to do anything.
  2. Human review — a real support engineer reviews your ticket and the auto-triage analysis. They will reply by email when the ticket is closed, including a resolution note that explains what was found and any action taken.

What auto-triage cannot do

Auto-triage is intentionally diagnose-only: it never modifies your account, your data, or your claims. It reads logs and makes a recommendation; only a human engineer takes action. If auto-triage gets the diagnosis wrong, the human review catches it.

Rate limits

To prevent accidental ticket floods (e.g. an automated retry loop), submissions are capped at 5 tickets per hour per user. If you genuinely have multiple unrelated problems, please consolidate them into one ticket or wait a few minutes between submissions.

Before clicking Report
A hard refresh (Ctrl+Shift+R / Cmd+Shift+R) fixes the majority of display-only issues. If the problem persists after refreshing, click 🐛 Report from the page where it happens — the captured context is most useful when fresh.

💬Getting Help

If you have a question not covered here:

  • Technical bugs and broken features — Use the 🐛 Report button in the top nav (see Reporting Issues above). Trial users without paid claims should use the consultancy contact form.
  • General enquiries and access requests — Use the contact form on the Consultancy Partnership Hub.
  • Billing and subscription — Contact via the consultancy page with "Billing" in the subject.

Before contacting support
Try a hard refresh (Ctrl+Shift+R / Cmd+Shift+R) and clear site data for securitycompliancehub.io. Most display issues are resolved this way.