How Assuric uses Assuric to Assure Assuric
See how we use the Assuric product to manage internal compliance - as a tech company and NHS supplier. Learnings from our own ISO 27001 certification process, including a product overview.

As a compliance platform, we naturally take our own internal business and product information security very seriously. Startup compliance can be tricky, but it's made easier with Assuric's built-in features. We recently went through the ISO 27001 certification process, so let's talk about how Assuric assures Assuric... using Assuric!
The Challenges of Startup Compliance
At Assuric, we’re lucky to have a lot in common with many of our customers.
- We're building a rapidly evolving tech product - shipping new features in an ever-changing threat landscape
- We face overload from multiple frameworks - maintaining a host of certifications, including Cyber Essentials Plus and an independently verified ISO 27001 certificate
- We must demonstrate our compliance - for security-sensitive customers, including enterprises and the NHS, regular audits and due diligence checks are paramount to showing we maintain compliance
- Time is precious - we must stay on top of compliance in the context of an early-stage company / startup where, ultimately, resources are limited
So, like many of our customers, to achieve all of this we need smart tools... like Assuric!
How we use Assuric to Manage Compliance
We choose to build, track and manage all our internal compliance workflows using our own product and tooling. The process of 'eating our own dog food' ensures we deeply understand how a platform can best solve these problems, and we bake all learnings back into the Assuric product features we offer.
Framework Tracking and Management
Managing compliance across multiple frameworks effectively starts with turning high-level requirements into clear, actionable work. In Assuric, we structure frameworks into practical controls and tasks that reflect how security is actually implemented and maintained in a modern tech company. This gives us a real-time view of progress, ownership, and evidence, rather than a static snapshot that quickly becomes outdated.

One of the biggest advantages we see from using our own platform is the automatic consolidation of overlapping requirements across frameworks. By mapping controls once and reusing them where appropriate, we significantly reduce duplicated effort while maintaining confidence that our security controls are comprehensive and consistently applied.
For example, prior to getting our ISO 27001 certification, we used Assuric for our NHS DSPT, Cyber Essentials Plus and GDPR compliance. With many of the tasks overlapping, the Assuric platform ensures standardisation across these frameworks, meaning we do not have to complete duplicative work for each requirement. This also helps minimise the risk of duplicated or out-of-date policies, ensuring everything remains consistent and up to date.
Managing Workforce Staff Compliance
Security and compliance ultimately depend on people doing the right things, consistently. Assuric allows us to group staff based on role and risk profile - such as developers, contractors, or internal team members - and assign tailored onboarding and ongoing compliance checklists to each group.

The Assuric staff portal gives team members a single place to access training, policies, and outstanding actions, making compliance part of normal working life rather than an occasional interruption. It also gives compliance leads clear visibility into progress, showing which actions have been completed and which are still outstanding.
From dog-fooding the platform, we’ve learned that reducing friction for staff dramatically improves completion rates and helps build a stronger security culture across the business.
Streamlining Compliance Documentation
Keeping documentation accurate, consistent, and up to date is one of the most time-consuming aspects of compliance. We use Assuric’s in-platform document editor to manage all of our internal policies and procedures, starting from proven templates and adapting them to how we actually operate.

Smart placeholders allow documents to stay in sync with live platform data, eliminating the need for repetitive manual updates and reducing the risk of inconsistencies. Built-in review and approval workflows have helped us formalise governance without slowing us down, a balance we’ve found critical in a fast-moving startup environment.
Managing Supplier Risk with Assuric
Third-party risk is a major focus for both ISO 27001 and GDPR, particularly for cloud-based startups that rely heavily on SaaS providers. In Assuric, we track all of our suppliers in one place, enriched with pre-populated security and data protection information for commonly used tools.
Supplier due diligence reviews, risk assessments, and ongoing monitoring are managed directly in the platform. This gives us confidence that supplier risks are being actively managed and provides clear evidence during audits and customer due diligence.
Tracking Risks and Security Incidents Effectively
Effective risk management requires more than a static spreadsheet. Assuric allows us to maintain a living risk register that links risks directly to the ISO 27001 Annex A controls and processes designed to mitigate them, giving us a clear view of where our real exposure lies.
We also track security incidents within the same system, from initial report through investigation and resolution. Using our own tooling has reinforced the importance of connecting risks, incidents, and controls - ensuring that lessons learned from real events feed directly back into improved security practices.
Streamlining Device and Asset Management
Maintaining a clear understanding of what assets you have and how data flows through them is foundational to good security. We use Assuric to manage our information asset register, linking data to processing activities, suppliers, and internal owners.

On the operational side, device and asset tracking allows us to manage company devices and BYODs, ensuring security configurations, ownership, and lifecycle management are clearly documented. This directly supports Cyber Essentials requirements around device security while reducing operational overhead.
Compliance Integrations and Simplified Monitoring
Compliance works best when it fits naturally into existing workflows. Assuric integrates with the tools we already rely on, such as Slack for reminders and notifications and incident tooling for real-time reporting.
These integrations help ensure that tasks, reviews, and incidents are surfaced at the right time and don’t quietly fall through the cracks. One clear lesson from dog-fooding is that automation and timely nudges are far more effective than relying on periodic manual reviews.
Sharing Compliance and Building Trust
Finally, compliance only delivers value if you can clearly demonstrate it to customers, partners, and auditors. We use Assuric’s customisable Trust Centre to share our certifications, policies, and compliance status with security-sensitive stakeholders such as enterprises and the NHS.
Access-controlled pages allow us to tailor what different audiences see, whether it’s high-level assurances or detailed evidence during due diligence. This dramatically reduces the time spent responding to questionnaires and builds trust by making our security posture transparent and easy to understand.
External Audits and Certification
Audits are where compliance efforts are truly tested, and Assuric is built to make them as straightforward as possible. The platform provides auditors with a clear, structured view of controls, evidence, policies, and approvals, all linked and easy to navigate without relying on scattered documents or manual coordination.
Most recently, we completed our own independently verified, UKAS-witnessed ISO 27001 audit entirely through Assuric and successfully achieved certification in minimal time. Running the full audit lifecycle within the platform not only validated our internal security practices, but also strengthened our belief in Assuric’s ability to support real-world certification and audit requirements at the highest level.
Takeaways from Using Assuric for Compliance
Using Assuric to manage our own compliance has fundamentally shaped how we build the platform. It’s shown us that compliance tools need to be opinionated enough to provide structure, but flexible enough to reflect how companies actually operate. Just as importantly, we’ve learned that even the best-designed workflows fail without clear, intuitive UX - compliance only works when people can easily understand what’s required of them and why.
By dog-fooding Assuric, we feel the same friction points our customers do, which pushes us to simplify flows, reduce cognitive load, and remove unnecessary complexity. Every improvement we make is grounded in real, day-to-day use, ensuring the platform not only meets compliance requirements but is genuinely usable (and useful!) for the teams responsible for maintaining them.
