What We Don’t Offer
Baseline Security Sprint – Scope Boundaries
The Baseline Security Sprint is deliberately focused and time-limited.
To keep it practical and decision-oriented, there are specific activities we explicitly do not take on within the Sprint.
These boundaries are intentional. They protect delivery quality, keep scope controlled, and ensure you get clear decisions rather than an open-ended project.
We do not run compliance audits
The Sprint is not an ISO 27001, Cyber Essentials, SOC 2, or regulatory compliance audit.
We do not certify compliance, produce pass-fail outcomes, or map controls exhaustively to standards.
However, where material compliance gaps create real exposure, we will identify them and prioritise them as risks.
We do not inventory everything
The Sprint does not attempt to catalogue every asset, account, device, system, or configuration item.
We do not build a complete inventory or run a broad discovery programme.
- No full asset registers
- No exhaustive configuration reviews
- No line-by-line policy analysis
Evidence gathering stops when additional detail would not materially change priority or sequencing decisions.
We do not design full security architectures
The Sprint does not produce detailed target architectures, multi-year roadmaps, tool comparison exercises, or vendor selection work.
Those activities may be appropriate later, but they are intentionally out of scope when the goal is establishing a defensible baseline.
We do not implement changes during the Sprint
The Sprint is independent of implementation. We do not make changes to systems, deploy controls, or modify configurations during discovery and analysis.
Any implementation work, if required, is discussed and scoped separately.
This separation keeps the Sprint objective and avoids pressure to buy follow-on work.
We do not optimise for tools or vendors
The Sprint is not driven by particular tooling, preferred vendors, or resale relationships.
Where tools are discussed, it is only in the context of whether they reduce risk effectively in your environment.
There are no reseller targets, commissions, or product sales agendas.
We do not chase theoretical or low-impact risks
The Sprint does not aim to identify every conceivable issue.
We focus on risks that are most likely to cause real harm, and on actions that reduce exposure in a sensible order.
- Low-impact issues may be explicitly deprioritised
- Some risks may be consciously deferred or accepted
- We avoid busy work that looks impressive but does not change outcomes
We do not proceed without decision ownership
The Sprint only works if decisions can be made. We do not proceed when decision ownership is unclear or when there is no willingness to act on outcomes.
Producing a report without the ability to implement or agree priorities does not reduce risk.
Why these boundaries exist
Security work only delivers value when it leads to clear choices and practical action.
These boundaries prevent scope creep and analysis paralysis.
The Sprint is designed to reduce risk faster by preventing time and budget from being spent on low-impact or premature controls.
What the Sprint does deliver
- Clarity on where risk is concentrated
- A realistic prioritised action plan with clear sequencing
- Explicit deferrals and out-of-scope items to keep focus tight
- Documentation suitable for internal reporting and external assurance conversations
Next step
If you want a clear view of your current security position and a sensible plan for the next 30 to 90 days, book a short discovery call.
