How Our Assessment Process Works

Practical, Evidence-Driven Assurance fully aligned with the NCSC CRTF standard

At Securlab.io, every assessment follows a repeatable, transparent, evidence-led process.

Our approach mirrors the NCSC CRTF structure, ensuring assurance that is both credible and operationally useful.

Below is the full lifecycle we use for Cyber, AI, and PBA assessments.

1 Scoping & Context Definition

Understanding what we are assessing and why it matters.

We begin by working with your technical and business leads to establish:

  • What system, service, or model is in scope

  • The environment it operates in (users, data, dependencies, platforms)

  • The threat landscape and regulatory drivers

  • What "success" or "trust" needs to look like

  • Boundaries, constraints, and known risk areas

This aligns directly with CRTF Stage 1: Establish context.

2 Evidence Collection & Artefact Ingestion

Gathering the information required to produce meaningful assurance.

We securely collect relevant documentation and technical evidence, such as:

  • Architecture diagrams

  • Threat models

  • Code or configuration snippets

  • AI model details, evaluation metrics, datasets

  • Security policies, logs, operational runbooks

  • Controls documentation and governance materials

Our platform supports encrypted upload and structured evidence tagging.

Aligned to CRTF Stage 2: Collect information.

3 Technical Analysis & Behavioural Assessment

Deep technical review, combined with operational behaviour assessment.

We analyse the evidence using a PBA-aligned lens:

🔹 Technical Evaluation

  • Security control effectiveness

  • Model behaviour (for AI)

  • Engineering quality and design robustness

  • Data flow and dependency mapping

  • Known vulnerabilities and systemic weaknesses

🔹 Behavioural & Operational Evaluation

  • How teams operate the system

  • Change control maturity

  • Monitoring, response, and governance patterns

  • Competence indicators (UKCSC-aligned)

This corresponds to CRTF Stage 3: Analyse and assess.

4 Workshops & SME Interviews

Validating evidence, clarifying assumptions, and building a complete picture.

Workshops allow us to:

  • Confirm risk assumptions

  • Validate how controls operate in practice

  • Explore system behaviours under stress or misuse

  • Establish operational competence

  • Test alignment between documentation and real-world practice

These interviews ensure the assessment reflects the actual system, not just the paperwork.

Aligned to CRTF Stage 4: Validate findings.

5 Assurance Judgement & Trust Profile Creation

Structured, defensible assurance outputs.

Using a combination of principles-based analysis and CRTF evidence handling, we produce:

Your Trust Profile

A structured, evidence-backed view that includes:

  • System context summary

  • Assurance strengths

  • Gaps and issues

  • Risk prioritisation

  • Behavioural & competence insights

  • Clear recommendations and next steps

The Trust Profile is designed to be read by:

  • Engineers

  • Leadership

  • Boards

  • Regulators

This corresponds to CRTF Stage 5: Produce assessment output.

6 Executive Briefing & Recommendations

Clear, decision-ready outputs for leadership.

We translate technical findings into:

  • Business impact

  • Operational risk levels

  • Regulatory alignment

  • Recommended remediation steps

  • Longer-term improvements (people, process, and technology)

This ensures organisations can act on the assurance, not just read it.

7 Continuous Assurance (Optional)

Because systems change fast.

For clients adopting AMP (Assurance Maintenance Plan-as-a-Service), we offer:

  • Ongoing scenario-based testing

  • (As appropriate) AI model drift and behaviour monitoring

  • Quarterly Trust Profile updates

  • Competence re-evaluation

  • Continuous risk insight

This aligns with CRTF’s “maintain assurance posture” intent.