Purpose of this stage: Every finding was formally documented with evidence, gap narrative, recommendation, and traceability ID. This is the written record that makes the assessment defensible and actionable.

What This Stage Covers

The Legalise stage produces the documentation layer of the engagement. This is where analysis becomes a usable output. Three major deliverables were produced at this stage.

Deliverables Produced

Gap Analysis Report v1.0

Thirty-six findings documented across ISO 27001:2022, NIST CSF v1.1, and GDPR. Each finding includes a Finding ID (GA-001 to GA-036), compliance status, evidence reviewed or logged as absent, gap narrative, specific recommendation, priority tier, named owner, and target remediation timeline. An evidence log and phased remediation roadmap are included as appendices.

Mitigation Recommendation Report v1.0

Step-by-step implementation guidance for all 36 findings. Organised by remediation phase. Written for technical leads and control owners, not executives. Tool-specific where relevant. Each recommendation includes acceptance criteria so the client knows when the gap is closed.

Risk Assessment Report v1.0

Executive-level synthesis of the full engagement. Risk scoring summary, findings overview by domain and priority, strategic recommendations, and overall risk posture assessment. Written for senior leadership and board-level review.

Inputs and Outputs

| | Detail |
| --- | --- |
| Inputs | Scored findings, evidence log, remediation roadmap |
| Outputs | Gap Analysis Report v1.0, Mitigation Recommendation Report v1.0, Risk Assessment Report v1.0 |

| Field | Detail |
| --- | --- |
| Stage Status | Complete |
| SHIELD Stage | L — Legalise |