Compliance automation

Run audits on a continuous evidence stream, not a scramble

Cyvex collects, maps, and timestamps the evidence behind your SOC 2, ISO 27001, Cyber Essentials Plus, and NIST CSF programmes — so engineering ships product and auditors get what they need on day one.

What the platform does

Continuous evidence collection

Pull access logs, change tickets, vulnerability scans, and policy attestations from your existing tooling on a schedule, with timestamped artefacts retained for the full audit window.

Multi-framework control mapping

One control set, many frameworks. Evidence is mapped to SOC 2 TSC, ISO 27001 Annex A, Cyber Essentials Plus, and NIST CSF so collecting it once satisfies several audits.

Policy lifecycle management

Versioned policies, scheduled reviews, and acknowledgement tracking with reminders that keep employees, contractors, and vendors current.

Vendor and access reviews

Recurring user-access reviews, joiner/mover/leaver checks, and vendor risk attestations with SLAs that auditors can verify.

Risk register & treatment plan

Quantitative risk scoring with linked treatments, residual risk tracking, and management-review-ready reports.

Audit workspace

A read-only auditor workspace exposes the latest evidence pack, narrative answers, and policy set without granting access to your live systems.

How it works

  1. Connect

     OAuth into the systems you already run. Cyvex schedules read-only collectors so evidence flows in without giving up admin access.

  2. Map

     Each artefact is tagged to one or more control IDs across SOC 2, ISO 27001, CE+, and NIST CSF. Gaps are flagged before an auditor sees them.

  3. Review

     Quarterly management reviews land in your inbox with everything pre-filled — risks, exceptions, training completion, vendor list, and incident summaries.

  4. Audit

     Hand the auditor a workspace, not a SharePoint folder. Evidence is timestamped, hashed, and exportable to PDF or CSV on demand.

Integrations out of the box

  • AWS, Azure, GCP (configuration & access)
  • GitHub, GitLab, Bitbucket (change management)
  • Okta, Google Workspace, Microsoft Entra ID (identity)
  • Jira, Linear, ServiceNow (tickets)
  • CrowdStrike, SentinelOne, Microsoft Defender (endpoint)
  • AWS Inspector, Cyvex platform scans, Snyk (vulnerability)

Need something else? We add a connector inside any signed engagement.

Frequently asked questions

Is this a replacement for a GRC tool?

For most UK SMEs, yes. The Cyvex platform covers continuous evidence, control mapping, policy management, and the audit workspace in one place. We integrate with Drata, Vanta, and Sprinto if you already run one of those.

How long does onboarding take?

Two weeks for a typical SaaS stack. We pre-build connectors for the systems above; if you have a custom system we add it under our standard engagement.

Will my auditor accept the evidence?

Yes. We work with the major UK and US audit firms. Evidence is timestamped, hashed, and reproducible from source so auditors can verify integrity at any time.

Does it work outside SOC 2 and ISO 27001?

Yes — the same control set maps to Cyber Essentials Plus, NIST CSF, NHS DSPT, and HIPAA. We add custom frameworks on request.

Ready to put your evidence on autopilot?

Book a scoping call and we will map your existing controls to SOC 2, ISO 27001, Cyber Essentials Plus, and NIST CSF in one engagement.
