First week checklist

Day 1 — open Settings, fill in your organisation name and default risk appetite. Day 1 — open Frameworks, toggle the ones you care about (NIST CSF 2.0, ISO 27001, Cyber Essentials, SOC 2, etc.). The built-in library seeds automatically on first login. Day 2 — browse the Controls library. The tool ships with a starter set; add any gaps your organisation has. Map each control to the relevant framework sections (Control detail → "frameworks"). Day 3 — enter your top 5–10 Risks using the 5×5 matrix. For each, open the detail and link the controls that mitigate it — this is what drives the residual score narrative. Day 4 — upload your first batch of Evidence (certificates, audit logs, training records) and link each item to a control or policy so it's discoverable. Day 5 — create a few Policies. From the view modal, link them to the controls they mandate and the risks they address. Add key Vendors and Assets, tag vendors with the data types they process.

That gives you a dashboard worth looking at and a graph of interconnected records — which is what external auditors will want to walk.