Most programmes treat accreditation as a separate phase that begins after the build. By that point, the build decisions are made — and the documentation has to be reverse-engineered from a finished system.
The result is predictable: months of delay between build complete and authority to operate. Architecture decisions that don’t map cleanly to ISM controls. Risk registers assembled in a hurry. SSPS documents written by someone who wasn’t in the design room.
Assessors see the seams. Programmes spend more time on remediation than on the original build. And the eventual authorisation is held together by exception requests rather than evidence.
Northforge designed The Forge Method™ specifically to break this pattern — architecture and accreditation artefacts produced together, not sequentially.
The primary accreditation artefact. Describes the system, its classification, its boundaries, and how it implements applicable ISM controls. Authored during design, refined through implementation, finalised before assessment.
Identifies threats, vulnerabilities and consequences. Maps residual risks against the system’s risk appetite. Updated as design and implementation decisions are made, not at the end.
Control-by-control statement of which ISM controls apply, how they are implemented, and what evidence exists. Each row traces back to a design decision and a configuration baseline.
Live record of identified risks, their treatment, their residual exposure and their owners. Established at Assess phase. Maintained through operate phase.
Decisions captured in the moment, with context, alternatives considered, and the rationale. The assessor reads how the architecture came to be — not just what it is.
Configuration exports, screenshots, policy documents, test results. Captured during implementation rather than retrofitted. Indexed to the SoA row it supports.
Northforge prepares programmes for IRAP assessment. We do not perform the assessment itself — that’s the assessor’s role and theirs alone.
What we do is ensure that when the assessor arrives, every artefact they need is present, current, and traceable. Configuration baselines match the SSPS. The SoA matches what’s deployed. Risk decisions match the risk register. Exception requests are scoped and justified.
We work alongside the programme during assessment, responding to clarification requests, providing supplementary evidence, and tracking remediation items to closure. Assessments that ordinarily take months close faster, with fewer corrective actions.
Building Strength. — Forging Futures.