Home Capabilities How We Work M365 E7 Partnering About Contact

ACCREDITATION AS A CHECKPOINT. NOT A PROJECT.

The Forge Method™ produces accreditation artefacts in lockstep with architecture and implementation. By the time the build is complete, the IRAP evidence package is already assembled.

Discuss your accreditation → Our capabilities
The problem with traditional accreditation
DOCUMENTATION SHOULDN’T BE RETROSPECTIVE

Most programmes treat accreditation as a separate phase that begins after the build. By that point, the build decisions are made — and the documentation has to be reverse-engineered from a finished system.

The result is predictable: months of delay between build complete and authority to operate. Architecture decisions that don’t map cleanly to ISM controls. Risk registers assembled in a hurry. SSPS documents written by someone who wasn’t in the design room.

Assessors see the seams. Programmes spend more time on remediation than on the original build. And the eventual authorisation is held together by exception requests rather than evidence.

Northforge designed The Forge Method™ specifically to break this pattern — architecture and accreditation artefacts produced together, not sequentially.

The Forge Method™
FOUR PHASES. ONE EVIDENCE TRAIL.
01Assess
Security Posture Review
We begin with a complete picture: existing environment, classification handling, ISM control gaps, on-prem to cloud transition risks. The output is a risk register and a baseline statement of where the programme stands today — established before a single architecture decision is made.
ISMGap analysisRisk registerClassification
02Design
Accreditation-Ready Architecture
Every architectural decision is made with the ISM control mapping recorded as it happens. Architecture Decision Records (ADRs), Statement of Applicability (SoA), and the System Security Plan Summary (SSPS) are written alongside the high-level design — not after. The assessor reads decisions in the form they were made.
SSPSHLD / LLDADRsSoASRA
03Implement
Secure Platform Build
Implementation against validated, pre-approved architectural patterns. Build evidence is captured continuously: configuration baselines, deployment logs, control test results, exception decisions. By build complete, the evidence package is assembled rather than reconstructed.
AzureEntra IDIntuneM365Evidence
04Operate
Continuous Compliance
Accreditation is not a one-time event. We design operational governance so evidence is continuously refreshed, exception decisions are tracked, and posture changes are documented as they happen. The next assessment is already prepared.
GovernanceMonitoringUpliftEvidence refresh
Artefacts produced
WHAT THE ASSESSOR RECEIVES
SSPS

System Security Plan Summary

The primary accreditation artefact. Describes the system, its classification, its boundaries, and how it implements applicable ISM controls. Authored during design, refined through implementation, finalised before assessment.

SRA

Security Risk Assessment

Identifies threats, vulnerabilities and consequences. Maps residual risks against the system’s risk appetite. Updated as design and implementation decisions are made, not at the end.

ISM SoA

Statement of Applicability

Control-by-control statement of which ISM controls apply, how they are implemented, and what evidence exists. Each row traces back to a design decision and a configuration baseline.

RISK REGISTER

Risk Register & Treatment Plan

Live record of identified risks, their treatment, their residual exposure and their owners. Established at Assess phase. Maintained through operate phase.

ADRs

Architecture Decision Records

Decisions captured in the moment, with context, alternatives considered, and the rationale. The assessor reads how the architecture came to be — not just what it is.

EVIDENCE

Control Evidence Pack

Configuration exports, screenshots, policy documents, test results. Captured during implementation rather than retrofitted. Indexed to the SoA row it supports.

IRAP support
ASSESSMENT SUPPORT

Northforge prepares programmes for IRAP assessment. We do not perform the assessment itself — that’s the assessor’s role and theirs alone.

What we do is ensure that when the assessor arrives, every artefact they need is present, current, and traceable. Configuration baselines match the SSPS. The SoA matches what’s deployed. Risk decisions match the risk register. Exception requests are scoped and justified.

We work alongside the programme during assessment, responding to clarification requests, providing supplementary evidence, and tracking remediation items to closure. Assessments that ordinarily take months close faster, with fewer corrective actions.

Engage Northforge
READY TO ACCELERATE
YOUR ACCREDITATION?

Building Strength. — Forging Futures.