Discipline 01 / Compliance

Hold the documentary line.

The papers, registers and proof that make any submission supportable. Built as a working set, kept current, and ready to defend.

REF · POL-001 Verified
Information Security Policy
v3.2 · Issued 14 Mar 2026 · Renew 14 Mar 2027
REF · CRT-018 Verified
ISO 27001 Certificate
Issued 02 Sep 2025 · Renew 02 Sep 2027
REF · REG-007 Verified
Risk Register
Quarterly · Last reviewed Q1 2026
12 categories
Standard evidence taxonomy
1 index
Single source of record
6 checks
Pre-submission gates
reuse
Across all future bids
§ A — What we build

The complete evidence environment.

Every category. Every owner. Every renewal date. Held in one place, in one shape, with one standard.

— 01

Policy suite

Information security, data protection, anti-bribery, modern slavery, environmental, quality — the standard set, written to your operating reality.

  • Drafted to recognised frameworks
  • Version-controlled and signed off
  • Renewal cadence built in
— 02

Evidence library

Certificates, statements, declarations and proof — indexed, named consistently, owners assigned, retrieval times measured in seconds.

  • Indexed taxonomy
  • Naming convention
  • Ownership and renewal log
— 03

Compliance matrix

Each requirement mapped to a response and a piece of evidence. Gaps visible. Remediation owned. The whole picture, in one view.

  • Requirement → response → proof
  • Gap and remediation tracking
  • Audit trail attached
— 04

Standard responses

The questions buyers ask again and again — answered once, written well, kept current. The next bid borrows from this one.

  • Reusable response library
  • Anchored to live evidence
  • Editable per opportunity
§ B — Standards

Frameworks we work to.

The recognised frames we draft within. We don't issue certifications — we prepare you to obtain and maintain them.

ISO 9001
ISO 27001
ISO 14001
Cyber Essentials
UK GDPR
NIST CSF
§ C — Method

Three movements. In sequence.

Compliance work is dull when described and meaningful when done. Here is the sequence we use, every time.

01 Index what exists

What happens

We catalogue every document, certificate, register and statement you currently hold. Names normalised. Dates verified. Owners identified. Gaps named.

What you receive

  • Master evidence index
  • Naming convention applied
  • Initial gap report

Why it matters

You can't defend what you can't find. The index makes everything that follows possible.

02 Build what's missing

What happens

Policies drafted to your operation. Registers populated. Statements written. Each piece sized to its purpose — no boilerplate, no decoration.

What you receive

  • Drafted policy suite
  • Populated registers
  • Standard responses to recurring questions

Why it matters

Documents written to your reality survive scrutiny. Documents written to a template don't.

03 Maintain over time

What happens

Renewal calendar runs. Quarterly reviews captured. Changes logged. The system stays current as you change, as buyers change, as requirements change.

What you receive

  • Renewal schedule and reminders
  • Quarterly maintenance log
  • Change-controlled updates

Why it matters

A library that decays is worse than no library. Maintenance is the work.

§ D — Fit

Best applied when.

Honest indicators that compliance work is the right step right now.

Evidence is hard to find

You know the document exists somewhere. Finding it for an evaluator takes a day. Sometimes longer.

Repeat bids start from zero

Each new submission feels like the first one. The work that just won doesn't help the next attempt.

Documents contradict each other

Two policies disagree. Three registers describe the same thing differently. The cracks are visible to evaluators.

§ Next step

Show us what you hold.

We'll give you back an honest assessment of where things stand, and a plan for what to build first.

Send a brief — 24h response, Mon–Fri