How ECP Works
Five ideas explain the platform. Read this once and the rest of the manual clicks into place.
The full flow at a glance
From partner login to an auditor-ready client. The Client tab feeds data into Audit Readiness, which drives evidence attachment on individual control pages, which in turn feeds the CCB self-assessment export.
flowchart TD
A([Partner logs in]) --> B[Partner Dashboard]
B --> C[Add client]
C --> D[Client workspace]
D --> E{Framework?}
E -->|Next step| F[CyFun Level Assessment]
F --> G[Pick tier: Small / Basic / Important / Essential]
G --> H[Framework provisioned]
H --> J([Continue to Dashboard])
J --> K{Data?}
K -->|Next step| L[Client tab]
L --> M1[Integrations: M365 + EDR]
L --> M2[Declared environment]
L --> M3[Risk assessment]
L -.CSV fallback.-> M4[Asset register]
M1 --> N[Entities + answers flow in]
M2 --> N
M3 --> N
M4 --> N
N --> O{Ready?}
O -->|Next up| P[Audit Readiness]
P -->|Click Upload evidence| T[Control page: doc + impl evidence]
T -->|Attach typed artifact| U[Control moves to Ready]
U --> V[Snapshot + CCB export]
V --> W([Share with CAB auditor])
style E fill:#fef3c7,stroke:#f59e0b,color:#78350f
style K fill:#dbeafe,stroke:#3b82f6,color:#1e3a8a
style O fill:#d1fae5,stroke:#10b981,color:#064e3b
1. Five tabs, top-down
Every workspace has the same shape: Dashboard, Client, Audit Readiness, Documents, Access. Dashboard is the cockpit (next step, progress, maturity). Client is where you describe the organisation. Audit Readiness is where you see how a CAB auditor would grade you today. Documents is the wiki where policies, procedures, registers and reports live. Access is user management.
Work flows top-down: populate Client → read Audit Readiness → attach evidence on control pages under Documents → snapshot and export when ready.
2. Documents are the compliance record
Most compliance tools ask you to tick checkboxes. ECP works differently: the compliance work is filling in your real policy documents. The platform ships with a pre-built tree — Security Policy, Risk Assessment, Backup Procedure, Incident Response Plan, and a full set of registers — each containing guided fields specific to that document type.
An auditor doesn't review your checkbox state. They read your policies and spot-check your registers. By filling in ECP's guided documents you produce the real artefacts the auditor will inspect — not a summary of them.
What this means in practice
- Fill in the Security Policy document, not a "security policy" checkbox
- Add rows to the Risk Register, not a placeholder for "risk assessed = yes"
- Each field you fill in becomes a verifiable, printable statement in the document
3. Every control has two sides: documentation and implementation
A CyFun auditor checks two things for each control: what you say you do (policies, procedures, standards) and what you actually do (logs, config snapshots, acknowledgments, test results). ECP makes this split explicit on every control page.
The Evidence section splits into two columns — Documentation and Implementation — each listing the template requirements that framework control expects. Every row has an accepts type (policy / acknowledgment / log / …) so the attach picker is pre-filtered to what actually counts.
Common failure mode
Policy exists, but no logs / acknowledgments / test results to prove it's real → auditor marks the control as observed-only
ECP enforces both
A Ready control has every documentation row filled and every implementation row filled (or explicitly marked N/A with justification)
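The two-sided rule above, worked through as an added example (this is not ECP's own code). The `Row` model, the state names other than Ready, the sample control and the reading that N/A applies to implementation rows only are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Row:
    side: str                               # "documentation" or "implementation"
    requirement: str
    accepts: set                            # artifact types that count for this row
    artifact_type: Optional[str] = None     # type of the attached artifact, if any
    na_justification: Optional[str] = None  # set when the row is marked N/A

def row_gap(row):
    """Return None when the row is satisfied, otherwise a short reason."""
    if row.na_justification is not None:
        if row.side != "implementation":
            return "N/A only allowed on implementation rows"
        if not row.na_justification.strip():
            return "N/A without justification"
        return None
    if row.artifact_type is None:
        return "no evidence attached"
    if row.artifact_type not in row.accepts:
        return f"{row.artifact_type} is not an accepted type"
    return None

def evaluate(rows):
    """Classify a control from its evidence rows and list the open gaps."""
    gaps = {"documentation": [], "implementation": []}
    for r in rows:
        reason = row_gap(r)
        if reason:
            gaps[r.side].append((r.requirement, reason))
    if not gaps["documentation"] and not gaps["implementation"]:
        state = "Ready"
    elif not gaps["documentation"]:
        state = "Documented only"   # hypothetical label: policy exists, no proof
    else:
        state = "Not ready"         # hypothetical label
    return state, gaps

# Constructed sample control: procedure attached, implementation side incomplete.
BACKUP_CONTROL = [
    Row("documentation", "Backup procedure", {"policy", "procedure"}, "procedure"),
    Row("implementation", "Restore test result", {"log", "test result"}),
    Row("implementation", "Offsite copy log", {"log"}, na_justification="  "),
]
```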
4. Connect your data — entities define the scope
Some controls require coverage across the whole estate. "All devices have antivirus" only resolves if ECP knows what all means. That's why the Client tab is organised as a connect-first funnel: Integrations pull devices, users and endpoint state from Microsoft 365 (the Office/Outlook/Teams suite most small businesses already run) and your EDR (Endpoint Detection and Response — the antivirus-style agent on each laptop, e.g. Sophos, Bitdefender, SentinelOne), and Declared environment locks down what "all" actually is so Audit Readiness can detect population gaps.
Answers in the Risk assessment sub-tab then drive Audit Readiness: anything that isn't a clean "Yes" (unanswered, Partially, No, N/A) surfaces on Audit Readiness with a prescriptive next action.
How the data flows
- Connect Microsoft 365 and your Endpoint Detection & Response tool (Sophos / Bitdefender / SentinelOne) — or drop a CSV as fallback
- Confirm the Declared environment so Audit Readiness knows your true population
- Answer the Risk assessment — M365 banners pre-answer what they can with one-click Apply
- Open Audit Readiness — every failing control has an Upload evidence link straight to the control's two-column evidence panel
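Why "all devices" needs a declared population, shown as an added example (not ECP's own code). It assumes the declared environment is a list of hostnames; the function names, sample hostnames and the `corp.example` suffix are constructed.

```python
def norm(name):
    """Normalise a hostname: trim, lower-case, drop any DNS suffix."""
    return name.strip().lower().split(".")[0]

def population_gaps(declared, m365_devices, edr_agents):
    """Reconcile the declared population with what the integrations report."""
    declared_set = {norm(d) for d in declared}
    seen = {norm(d) for d in m365_devices}      # devices known to Microsoft 365
    protected = {norm(d) for d in edr_agents}   # devices with a reporting EDR agent
    population = declared_set | seen | protected
    coverage = round(len(protected) / len(population), 2) if population else None
    return {
        # reported by an integration but missing from the declared environment
        "undeclared": sorted((seen | protected) - declared_set),
        # declared by the client but not reported by any integration
        "not_discovered": sorted(declared_set - seen - protected),
        # part of the population but without an EDR agent
        "no_edr": sorted(population - protected),
        "edr_coverage": coverage,
    }

def antivirus_control_resolves(gaps):
    """'All devices have antivirus' holds only with a settled, fully covered population."""
    return not (gaps["undeclared"] or gaps["not_discovered"] or gaps["no_edr"])

# Constructed sample data. The EDR console alone would show three healthy
# agents and no problem; the gaps appear only against the full population.
DECLARED = ["LT-001", "LT-002", "LT-003", "SRV-01"]
M365 = ["lt-001.corp.example", "LT-002", "lt-004"]
EDR = ["LT-001", "lt-002.corp.example", "SRV-01"]

if __name__ == "__main__":
    result = population_gaps(DECLARED, M365, EDR)
    for key, value in result.items():
        print(f"{key}: {value}")
    print("control resolves:", antivirus_control_resolves(result))
```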
5. Registers turn ongoing work into evidence
Eleven registers ship with every CyFun client — Risk, Vulnerability, Supplier, Incident, Tabletop & Recovery Exercise, Training & Awareness, Phishing test, Backup & Restore test, Change, Policy review, Employee onboarding. Each row you add is evidence for the controls that register satisfies: Audit Readiness recalculates as soon as the row lands.
This is how the "ongoing work" side of CyFun gets counted. An incident-response policy on paper is not enough; an auditor wants the incident register populated. Populate it and the matching controls close on their own.
Audit-ready vs. certified
ECP makes you audit-ready. It does not certify you. Certification is issued by accredited CAB auditors after an independent review.
A green readiness score in ECP means your documents are complete, the two-sided evidence is attached, and the CCB maturity scores pass. Think of ECP as the preparation engine: it tells you exactly what the auditor will check, helps you prepare it, and generates the exact v2026-02-20 CCB workbook you'll submit.
CAB audit pass = an independent auditor confirmed it reflects your actual practices.
Your IT partner drives the process
ECP is built for Managed Service Providers (MSPs). The partner creates your workspace, runs the CyFun level assessment, connects Microsoft 365 and your endpoint protection, and drives the asset register import. As a client, your main job is to answer the Risk assessment honestly and to keep the registers live (incidents, training, phishing tests) — your partner handles the technical setup.
When you're ready to request the audit, your partner takes a Snapshot on the Audit Readiness tab and shares the CCB (Centre for Cybersecurity Belgium) self-assessment workbook or a read-only link for the Conformity Assessment Body (CAB) auditor.