How ECP Works
Understanding the model behind the platform makes everything else obvious. Read this once and the rest of the manual will make sense.
The full flow at a glance
From partner login to audit-ready client — the order matters. Entities must come before the assessment, so that scoped answers per group are possible.
flowchart TD
A([Partner logs in]) --> B[Partner Dashboard]
B --> C[Add client]
C --> D[Client workspace created]
D --> E{No framework yet}
E -->|Next step| F[CyFun Level Assessment]
F --> G[Select tier: Small or Basic]
G --> H[Apply this level]
H --> I[Framework provisioned]
I --> J([Continue to Dashboard])
J --> K{No entities yet}
K -->|Next step| L[Intake: Assets tab]
L --> M[Import devices and employees]
M --> N[Define entity groups]
N --> O{Entities exist}
O -->|Next up| P[Intake: Assessment tab]
P --> Q{Answers vary by group?}
Q -->|Yes| R[Intake: Gaps tab]
Q -->|No| S[Roadmap]
R --> S
S --> T[Quick wins]
S --> U[This month]
S --> V[Later]
T & U & V --> W[Reports: Export PDF]
W --> X([Share with CAB auditor])
style E fill:#fef3c7,stroke:#f59e0b,color:#78350f
style K fill:#dbeafe,stroke:#3b82f6,color:#1e3a8a
style O fill:#d1fae5,stroke:#10b981,color:#064e3b
Documents are the compliance record
Most compliance tools ask you to tick checkboxes. ECP works differently: the compliance work is filling in your actual policy documents. The platform creates a set of pre-built documents for you — Security Policy, Risk Assessment, Backup Procedure, and so on — each containing guided fields specific to that document type.
When an auditor visits, they don't review your checkbox state. They read your policies. By filling in ECP's guided documents, you produce the real artefacts the auditor will inspect — not a summary of them.
What this means in practice
- Fill in the Security Policy document, not a "security policy" checkbox
- Complete the Risk Assessment document, not a risk register form
- Each field you fill in becomes a verifiable, printable statement in the document
Controls resolve automatically — you never tick them manually
The CyFun framework has 34 controls. ECP knows exactly which fields in which documents are required to satisfy each control. As you fill in the documents, controls turn green on their own — no extra steps.
This is why controls are read-only: they are outcomes, not tasks. The tasks are the fields inside the documents.
Other tools
Mark control GV-PO-01 as complete → control shows green → auditor asks "where's the policy?" → scramble
ECP
Fill in Security Policy → GV-PO-01 turns green automatically → auditor reads the actual policy → done
Entities define the scope — import them before the assessment
Some controls require you to prove coverage across your entire organisation. "All devices have antivirus" only resolves if ECP knows what "all devices" means. That's why importing your device and employee list isn't optional — it's the baseline the compliance engine measures against.
Entities can also be organised into groups (e.g. HQ, Remote Office, Contractors). Once groups exist, assessment answers can diverge per group — maybe HQ has MFA enforced but the remote office doesn't yet. ECP surfaces these as gaps in the Intake tab, so you know exactly where remediation is needed.
Why entities must come first
- Import devices and employees (Intake → Assets)
- Define groups if your organisation has distinct sites or roles
- Run the assessment — answers can now be scoped per group
- Gaps tab shows where groups diverge
- Roadmap items target the right scope automatically
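The model from the two sections above (controls as read-only outcomes of document fields, and entity groups as the scope that coverage is measured against), sketched as an added Python illustration. It is not ECP's code: the field names, the `EXAMPLE-MFA` control ID and the status names are assumptions, and the sample data is constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Control:
    control_id: str
    required: tuple            # (document, field) pairs that must be satisfied
    per_group: bool = False    # True: every entity group must satisfy it

# GV-PO-01 is named on the page; its required fields here are hypothetical.
CONTROLS = [
    Control("GV-PO-01", (("Security Policy", "owner"),
                         ("Security Policy", "review_date"))),
    Control("EXAMPLE-MFA", (("Access Policy", "mfa_enforced"),), per_group=True),
]

def satisfied(answers, doc, field):
    """A field counts only if it holds a real answer (not missing, empty or False)."""
    return answers.get((doc, field)) not in (None, "", False)

def resolve(control, org, per_group, groups):
    """Return (status, gap_groups). Status is derived from fields, never set by hand."""
    if not control.per_group:
        ok = all(satisfied(org, d, f) for d, f in control.required)
        return ("green" if ok else "open", [])
    if not any(groups.values()):
        # No entities imported: "all devices" is undefined, so coverage cannot resolve.
        return ("unscoped", [])
    gaps = []
    for name, members in sorted(groups.items()):
        if not members:
            continue
        merged = {**org, **per_group.get(name, {})}   # group answer overrides org answer
        if not all(satisfied(merged, d, f) for d, f in control.required):
            gaps.append(name)
    return ("open" if gaps else "green", gaps)

def report(org, per_group, groups):
    return {c.control_id: resolve(c, org, per_group, groups) for c in CONTROLS}

# Constructed sample data: HQ enforces MFA, the remote office does not yet.
GROUPS = {"HQ": ["laptop-01", "alice"], "Remote Office": ["laptop-07", "bob"]}
ORG = {("Security Policy", "owner"): "CISO",
       ("Security Policy", "review_date"): "2025-01-15",
       ("Access Policy", "mfa_enforced"): True}
PER_GROUP = {"Remote Office": {("Access Policy", "mfa_enforced"): False}}

if __name__ == "__main__":
    for cid, (status, gaps) in report(ORG, PER_GROUP, GROUPS).items():
        print(cid, status, gaps)
```

The `unscoped` result is the reason for the ordering: a coverage control evaluated before any entities exist has nothing to measure against, so it can be neither green nor a targeted gap.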
ECP makes you audit-ready — it does not certify you
A green compliance score in ECP means your documents are complete and your evidence is in order. It does not mean you have passed a CyFun audit. Certification is issued by accredited CAB auditors after an independent review.
Think of ECP as the preparation engine: it tells you exactly what the auditor will check, helps you prepare it, and lets you generate a report to share with the auditor before the visit. The auditor then validates that your documents reflect reality.
CAB audit pass = an independent auditor confirmed it reflects your actual practices.
Your IT partner drives the process
ECP is designed for MSPs. Your IT partner creates your workspace, imports your asset register, provisions the framework, and guides you through the open controls. As a client, your main job is to answer the guided questions in the documents — your IT partner handles the technical setup.
When you're ready to export a compliance report or share evidence with an auditor, your partner can do that on your behalf, or you can log in directly if your partner has given you access.