Purpose of this stage: The core assessment work. Every control was examined against evidence. A control is only compliant if documentation confirms it.
The Inspect stage is where the assessment happens. Every control across all three frameworks was reviewed. Every piece of evidence was either confirmed as provided or explicitly logged as not provided. Items not provided were treated as Non-Compliant unless evidence was supplied through other means.
Methodology note: This assessment was conducted through document review. It did not include live stakeholder interviews or direct observation of controls in operation. All compliance statuses reflect what documentation demonstrates. Where documentation was absent, the finding was logged as Non-Compliant with the specific gap recorded. This limitation is acknowledged in the Risk Assessment Report.
| Ref | Document | Status |
|---|---|---|
| D-01 | Risk Management Scope Document | Provided |
| D-02 | Asset Inventory | Provided |
| D-03 | Data Mapping Table and Flows | Provided |
| D-04 | Risk Register V2 | Provided |
| D-05 | Vendor Evaluation — Intercom/SendGrid (Diivine) | Provided |
| D-06 | Vendor Evaluation — KYC / Fraud Detection (Zenny) | Provided |
| D-07 | Vendor Overview Register — Azure, Payment Gateway, Banking, Merchant (Steph) | Provided |
| D-08 | Information Security Policy | Not Provided |
| D-09 | Incident Response Plan | Not Provided |
| D-10 | Business Continuity and Disaster Recovery Plan | Not Provided |
| D-11 | Security Awareness Training Records | Not Provided |
| D-12 | Privacy Notice and Lawful Basis Register | Not Provided |
| D-13 | Data Processing Agreements (all vendors) | Not Provided |
| D-14 | Data Protection Impact Assessment | Not Provided |
| Detail | |
|---|---|
| Inputs | All provided documents, vendor evaluation files, framework control libraries |
| Output | 36 assessed controls with compliance status, evidence log, gap narratives |
| Field | Detail |
| --- | --- |
| Stage Status | Complete |
| SHIELD Stage | I — Inspect |