How Much Documentation and Evidence Does CyFun Basic Need? We Counted
Everyone asks how long CyFun Basic takes. Fewer people ask what you actually end up with: a body of documents and evidence you have to build, and then keep alive. We instrumented one real implementation and counted it, read-only, from the event log.
How much you actually have to track
People picture compliance as a form you fill in. It is closer to a small library you build and then keep alive. Thirty-four controls, each needing a document and the evidence that backs it.
| What you build | In this implementation |
|---|---|
| Documents (policies, procedures, registers, assessments) | ~38 |
| Words the person actually wrote | ~7,000 |
| Revisions across those documents | ~950 |
| Pieces of evidence | 123 |
| Distinct evidence types | 11 |
| Evidence-to-control links | 294 |
| Controls, each scored on two axes | 34 |
Counts from one organisation's event log, rounded. The platform supplied the framework text and templates; the ~7,000 words are what the implementer actually wrote and tailored.
What one control actually needs
Three controls that show the range, from proof a tool can hand you to judgment only a person can make.
Access and multi-factor login
A short written policy saying which systems require MFA and which exceptions are allowed, plus live proof that it is switched on, an enrolment export from your identity system. The policy is brief. The proof can be pulled automatically.
Backups
A backup-and-recovery procedure covering what is backed up, how often, and how a restore is tested, plus an actual restore-test result. A procedure like this is rarely right first time; it takes several passes to match how the business really runs.
Legal and regulatory register
A list of the laws and obligations that apply to your organisation. Nothing about it is automatic. Deciding which laws apply is judgment, and it is where a non-specialist most often needs to ask an expert.
The part nobody warns you about: knowing what is left
Producing the documents and evidence is only half the work. The other half is keeping a live answer to three questions: which controls are done, which are missing evidence, and what has drifted since last quarter. By hand that is a spreadsheet you re-check forever, and it is wrong the moment a laptop is added or a policy lapses. This is where the platform earns its place. It is a scoreboard, not the gym.
- It drafts the documents. Each one mapped to the control it satisfies, so you edit and decide rather than write from a blank page. It does not decide what a policy should say. That stays yours.
- It collects the evidence. From the tools you already run. Here, 19 of the 34 controls ended fully carried by automated evidence, and 1,321 evidence records materialised on their own over the project.
- It shows you what is left. One control at a time, and it will not let you mark a control audit-ready while its evidence is missing. You see the to-do; you do not guess it.
- It keeps the picture current. The auto-collected evidence refreshes after go-live, so the score moves when reality moves. Build effort happens once; freshness is forever.
Who does what
The platform removes the grind of drafting, harvesting and tracking. The judgment stays human: what a policy says, which evidence counts, which laws apply. That is why a non-specialist could carry most of this, and why the parts that needed an expert still needed one. It is a scoreboard, not the gym.
Frequently Asked Questions
Is this a lot of documentation for a small company?
It is more than most people expect and less than a consultant's quote implies. About 38 documents and 123 pieces of evidence, most of the evidence collected automatically once your tools are connected.
Do I have to write it all myself?
No. The platform drafts each document, mapped to the control it satisfies. You decide the content and sign it. The evidence for routine controls is pulled from the tools you already run.
What is the hardest part?
Not the writing. Knowing what is still missing and keeping it current as the business changes. That is what the readiness view and the automated evidence are for.
Is audit-ready the same as compliant?
No. Audit-ready means the evidence would plausibly survive a CAB auditor's review. The CAB runs the audit and issues the certificate.