THE APPROACH
A clear process, with less audit overhead.
TRUSTYCYBER uses a structured digital workflow to collect, organise and analyse evidence before asking for your team's time. Live discussions and demonstrations are used selectively where they are needed to test implementation or resolve uncertainty.
Start with evidence, not a calendar full of meetings.
Once the engagement is accepted and the deposit is paid, TRUSTYCYBER releases a tailored questionnaire and evidence request through an approved Microsoft 365 environment.
The request is based on the agreed framework, scope, systems, applicable requirements and assessment objective. Your team can assign responses to the right people and upload evidence progressively.
The supplied material is inventoried and mapped to the relevant assessment criteria before targeted follow-up begins.
Questions follow the evidence.
Documentation alone does not always demonstrate that an arrangement operates effectively. Where further verification is required, TRUSTYCYBER may request:
- a written clarification;
- a representative sample;
- a configuration export;
- a system-generated report;
- a screenshot or recording;
- a short demonstration;
- a focused interview; or
- additional operating evidence.
Broad introductory interviews are not the default. Interaction is directed at matters the evidence has not already resolved.
Every conclusion should be traceable.
The assessment workflow maintains the relationship between:
- the requirement;
- the evidence expected;
- the evidence received;
- relevant source references;
- identified limitations;
- clarification and testing;
- the auditor's conclusion;
- the finding, where applicable; and
- the recommended response.
This improves consistency and makes the final report easier to understand, review and act on.
Professional judgment
AI assists the process. It does not make the audit decision.
AI-assisted tools may help extract, organise and summarise evidence, map material to assessment criteria, identify possible gaps and prepare draft analysis.
This output is treated as a working aid. It can be incomplete or wrong. Qualified auditors remain responsible for deciding whether evidence is sufficient, determining findings, resolving exceptions and approving the final report.
Technology may assist with:
- Evidence inventory and classification
- Requirement-to-evidence mapping
- Identifying missing or inconsistent material
- Drafting focused clarification questions
- Preparing preliminary findings and report content
- Checking report consistency
Qualified auditors remain responsible for:
- Engagement acceptance and independence
- Final scope and assessment method
- Evidence sufficiency
- Sampling and testing decisions
- Conformity and finding decisions
- Final recommendations and report approval
ENGAGEMENT STAGES
From qualification to final report.
Check your fit
Answer a few questions about the service, scope, management system, evidence readiness and timing. No documents are requested at this stage.
Review and acceptance
TRUSTYCYBER reviews the submission, checks independence, confirms that the engagement is suitable and decides whether it can be accepted.
Confirm scope and secure the engagement
The scope, criteria, timetable, fee, responsibilities and information-handling arrangements are confirmed. A 50% deposit secures the engagement.
Complete the evidence workflow
You receive a tailored questionnaire, evidence request and access-controlled Microsoft 365 workspace. Evidence is uploaded once and organised against the agreed assessment criteria.
Analyse and clarify
Technology assists with indexing, mapping and preliminary analysis. Missing or inconsistent evidence generates focused follow-up questions, requests or demonstrations.
Review and report
An appropriately qualified auditor evaluates evidence sufficiency, resolves outstanding matters and determines the findings and conclusions. You then receive a final report setting out the scope, criteria, evidence limitations, findings and prioritised actions, and the remaining balance is payable in accordance with the engagement terms.
Not a document-only review.
Policies and procedures can show what an organisation intends to do. They do not necessarily demonstrate that controls operate in practice.
The assessment may therefore include sampling, technical evidence, demonstrations, interviews or other verification appropriate to the agreed criteria and scope.
AI-assisted does not mean automated approval. No model produces a final audit conclusion without qualified human review.
See if the approach fits your organisation.
The fit check asks about your management system, scope and timing, then provides an immediate preliminary indication of fit.