How ECP Works

Understanding the model behind the platform makes everything else obvious. Read this once and the rest of the manual will make sense.

The full flow at a glance

From partner login to audit-ready client. Connect M365 and EDR first so entities, users, and endpoint-protection state flow in automatically; CSV import stays as a fallback. The assessment and the audit punch list are cross-linked — findings on one always lead back to the other.

flowchart TD
    A([Partner logs in]) --> B[Partner Dashboard]
    B --> C[Add client]
    C --> D[Client workspace created]

    D --> E{No framework yet}
    E -->|Next step| F[CyFun Level Assessment]
    F --> G[Select tier: Small or Basic]
    G --> H[Apply this level]
    H --> I[Framework provisioned]
    I --> J([Continue to Dashboard])

    J --> K{No data yet}
    K -->|Next step| L[Intake: Assets tab]
    L --> M1[Connect Microsoft 365]
    L --> M2[Connect EDR - Sophos/Bitdefender]
    L --> M3[Declare your estate]
    L -.CSV fallback.-> M4[Import entities]
    M1 --> N[Entities streamed in]
    M2 --> N
    M3 --> N
    M4 --> N

    N --> O{Entities exist}
    O -->|Next up| P[Intake: Assessment tab]
    P <-->|Finding badges ↔ View answer link| S[Audit punch list]

    S -->|Per finding: Upload evidence / Fix type / Confirm scope| T[Linked policy document]
    T -->|Attach artefact| U[Finding resolves]
    U --> V[Reports: Export PDF]
    V --> W([Share with CAB auditor])

    style E fill:#fef3c7,stroke:#f59e0b,color:#78350f
    style K fill:#dbeafe,stroke:#3b82f6,color:#1e3a8a
    style O fill:#d1fae5,stroke:#10b981,color:#064e3b

Documents are the compliance record

Most compliance tools ask you to tick checkboxes. ECP works differently: the compliance work is filling in your actual policy documents. The platform creates a set of pre-built documents for you — Security Policy, Risk Assessment, Backup Procedure, and so on — each containing guided fields specific to that document type.

When an auditor visits, they don't review your checkbox state. They read your policies. By filling in ECP's guided documents, you produce the real artefacts the auditor will inspect — not a summary of them.

All documents are accessible from the Documents tab in the top navigation. The tab shows a collapsible folder tree — Policies, Procedures, Registers, Reports, Intake & Assessments, Plans, Gap Snapshots, Getting Started, and Governance. From the Audit punch list, each finding has a prescriptive action button (Upload evidence, Fix artifact type, Confirm scope, Refresh evidence, or Reconcile integration) that takes you directly to the linked document with the right section pre-focused.

What this means in practice

  • Fill in the Security Policy document, not a "security policy" checkbox
  • Complete the Risk Assessment document, not a risk register form
  • Each field you fill in becomes a verifiable, printable statement in the document

Controls resolve automatically — you never tick them manually

The CyFun framework has 34 controls. ECP knows exactly which fields in which documents are required to satisfy each control. As you fill in the documents, controls turn green on their own — no extra steps.

This is why controls are read-only: they are outcomes, not tasks. The tasks are the fields inside the documents.

Other tools

Mark control GV-PO-01 as complete → control shows green → auditor asks "where's the policy?" → scramble

ECP

Fill in Security Policy → GV-PO-01 turns green automatically → auditor reads the actual policy → done

Connect your data — entities define the scope

Some controls require you to prove coverage across your entire organisation. "All devices have antivirus" only resolves if ECP knows what "all devices" means. That's why the Intake → Assets tab is organised as a connect-first funnel: Microsoft 365 and EDR integrations at the top stream real devices, users, and endpoint-protection state into the platform, and the Declared estate card locks down what "all" actually means so the punch list can detect population gaps.

Entities can also be organised into groups (e.g. HQ, Remote Office, Contractors). Once groups exist, assessment answers can diverge per group — maybe HQ has MFA enforced but the remote office doesn't yet. Any non-"Yes" answer surfaces on the Audit punch list as a finding with its own prescriptive action.

How the data flows

  1. Connect Microsoft 365 and your EDR (Sophos / Bitdefender) — or import a CSV as a fallback
  2. Confirm the Declared estate so the punch list knows your true population
  3. Run the assessment — M365 auto-detection banners pre-answer what they can; scope overrides handle per-group divergence
  4. Every answered question shows a finding badge (Ready / At risk / Will fail) linking straight to the matching entry on the punch list; the punch list links back with View assessment answer
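The scope mechanism described above, as an added illustration that is not ECP's own code: a declared estate is compared with the entities that integrations streamed in, per-group assessment answers are turned into a finding badge, and an "all devices have antivirus" style control only resolves once the population is fully known and every device reports protection. The entity records, group names, answers, and the badge mapping (all groups Yes gives Ready, any No gives Will fail, anything else gives At risk) are constructed assumptions for this example.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Entity:
    name: str
    kind: str                      # "device" or "user"
    group: str                     # e.g. HQ, Remote Office, Contractors
    edr_protected: Optional[bool]  # None = no EDR state was streamed for this entity


# Constructed sample estate: what the partner declared vs. what M365/EDR streamed in.
DECLARED_ESTATE: Dict[str, int] = {"device": 6, "user": 4}

ENTITIES: List[Entity] = [
    Entity("hq-laptop-01", "device", "HQ", True),
    Entity("hq-laptop-02", "device", "HQ", True),
    Entity("hq-server-01", "device", "HQ", True),
    Entity("remote-laptop-01", "device", "Remote Office", False),
    Entity("contractor-pc-01", "device", "Contractors", None),
    Entity("alice", "user", "HQ", None),
    Entity("bob", "user", "HQ", None),
    Entity("carol", "user", "Remote Office", None),
    Entity("dave", "user", "Contractors", None),
]

# Constructed per-group answers to one assessment question.
MFA_ANSWERS: Dict[str, str] = {"HQ": "Yes", "Remote Office": "No", "Contractors": "Partial"}


def population_gap(declared: Dict[str, int], entities: List[Entity]) -> Dict[str, int]:
    """Entities the declared estate promises but no integration has streamed in."""
    found = Counter(e.kind for e in entities)
    return {kind: n - found.get(kind, 0) for kind, n in declared.items() if n > found.get(kind, 0)}


def finding_badge(answers_by_group: Dict[str, str]) -> str:
    """Assumed badge mapping: all Yes -> Ready; any No -> Will fail; otherwise -> At risk."""
    values = set(answers_by_group.values())
    if values == {"Yes"}:
        return "Ready"
    if "No" in values:
        return "Will fail"
    return "At risk"


def punch_list_findings(question: str, answers_by_group: Dict[str, str]) -> List[str]:
    """Every non-Yes answer becomes its own finding, one per diverging group."""
    return [f"{question} [{group}]: answered '{ans}'"
            for group, ans in answers_by_group.items() if ans != "Yes"]


def unprotected_devices(entities: List[Entity]) -> List[str]:
    """Devices whose EDR state is False or unknown; unknown counts as a gap, not a pass."""
    return [e.name for e in entities if e.kind == "device" and e.edr_protected is not True]


def all_devices_protected(declared: Dict[str, int], entities: List[Entity]) -> bool:
    """'All devices have antivirus' resolves only when the device population is
    fully accounted for AND no device is unprotected or unreported."""
    return "device" not in population_gap(declared, entities) and not unprotected_devices(entities)


if __name__ == "__main__":
    print("population gap:", population_gap(DECLARED_ESTATE, ENTITIES))
    print("MFA badge:", finding_badge(MFA_ANSWERS))
    for line in punch_list_findings("MFA enforced for all users", MFA_ANSWERS):
        print("finding:", line)
    print("unprotected:", unprotected_devices(ENTITIES))
    print("all devices protected:", all_devices_protected(DECLARED_ESTATE, ENTITIES))
```

Note the two different ways a coverage control can stay open here: a device that is missing from the streamed entities (the declared estate says six, only five arrived) and a device that arrived with no protection state. Both are gaps, and treating an unknown state as a pass would hide exactly the population problem the Declared estate card exists to catch.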

Registers turn ongoing work into evidence automatically

Eleven registers ship with every CyFun client — Risk, Vulnerability, Supplier, Incident, Tabletop, Training, Phishing test, Backup test, Change, Policy review, Employee onboarding. Each row you add is virtual evidence for the controls that register satisfies: the punch list recalculates as soon as the row lands, without any separate file upload or approval step.

This is how the "ongoing work" side of CyFun gets counted. An incident-response policy on paper is not enough — an auditor wants to see the incident register populated. Populate it and the matching controls close on their own.

ECP makes you audit-ready — it does not certify you

A green compliance score in ECP means your documents are complete and your evidence is in order. It does not mean you have passed a CyFun audit. Certification is issued by accredited CAB auditors after an independent review.

Think of ECP as the preparation engine: it tells you exactly what the auditor will check, helps you prepare it, and lets you generate a report to share with the auditor before the visit. The auditor then validates that your documents reflect reality.

ECP score 100% = everything the framework requires is documented and evidenced.
CAB audit pass = an independent auditor confirmed it reflects your actual practices.

Your IT partner drives the process

ECP is designed for MSPs. Your IT partner creates your workspace, imports your asset register, provisions the framework, and guides you through the open controls. As a client, your main job is to answer the guided questions in the documents — your IT partner handles the technical setup.

When you're ready to export a compliance report or share evidence with an auditor, your partner can do that on your behalf, or you can log in directly if your partner has given you access.
