<aside>
🧭
Choose a work stream to start. Each stream has a clear owner and a short list of evidence tasks.
</aside>
<aside>
👥
People & HR
Focus: HR, employees
- Who should do this: Founders or HR/Ops leads
- Key tasks: Employee descriptions, employee verification
Open People & HR
</aside>
<aside>
🏢
Physical Security
Focus: On-site safety and environmental controls
- Who should do this: Office Manager or Operations Lead
- Key tasks: Office access and door monitoring, building and workplace rules, secure storage, visitor control
Open Physical Security
</aside>
<aside>
🔐
Access Control (IAM)
Focus: Identity and access management across SaaS tools and internal systems
- Who should do this: IT Manager, Security Lead, or Operations Lead
- Key tasks: 2FA, access review log, employee access
Open Access Control (IAM)
</aside>
<aside>
⚖️
Governance, Risk & Compliance
Focus: Policies, risk management, and legal compliance
- Who should do this: Founders, Legal, or Operations Lead
- Key tasks: Public policies, internal security audit, incident response, ISO Statement of Applicability, GDPR tasks on data transfers, DPOs, third-party relations
Open Governance, Risk & Compliance
</aside>
<aside>
☁️
Infrastructure & Operations
Focus: Service reliability, data integrity, and network defence — across cloud, hosted, or vendor-managed systems
- Who should do this: CTO, Lead Engineer, or Operations Lead
- Key tasks: Monitoring and alerting, access restrictions, backups and restoration testing, service availability, encryption at rest
Open Infrastructure & Operations
</aside>
<aside>
🛡️
Product & Application Security
Focus: Secure development and application-layer defence — or equivalent controls if you don't build software
- Who should do this: Development Lead, CTO, or Operations Lead for service-only orgs
- Key tasks: Input validation, vulnerability management, secrets & credentials, TLS and HTTPS, data masking, separation of environments
Open Product & Application Security
</aside>
<aside>
💻
Device Management
Focus: Endpoint security across laptops, mobile devices, and shared hardware
- Who should do this: IT Administrator or Operations Lead
- Key tasks: Secure devices, device list
Open Device Management
</aside>