| User asset and ownership inventory | Accounts, subscriptions, projects, applications, data stores, owners, criticality, and environment tags. | Register and visual map | Discovery | Authorised access, billing data, architecture records, owner interviews |
| Issue and findings register | Evidence, severity rationale, affected assets, business impact, owner, recommendation, and status. | Prioritised register | Assessment | Context, issue appetite, known exceptions, validation support |
| Target support architecture | Trust boundaries, access, network, logging, key management, resilience, and shared services. | Diagrams and design notes | Design | Current architecture, future plans, technical constraints |
| Configuration baselines | Approved settings, control rationale, implementation guidance, exception handling, and ownership. | Standards and policy files | Design and setup | Platform choices, operational requirements, policy needs |
| Remediation implementation record | Changes made, approvals, tests, evidence, rollback details, unresolved dependencies, and acceptance. | Change log and evidence pack | Implementation | Change windows, approvers, test support, production access |
| Runbooks and response playbooks | Routine checks, triage steps, escalation, evidence handling, communication, and recovery actions. | Operational documentation | Handover | Contact routes, operating hours, existing processes |
| Support dashboard and report | Issue trends, findings age, control coverage, exceptions, decisions, and next actions. | Dashboard and written report | Reporting and support | Metric definitions, audience, reporting cadence, tool access |
| Training and knowledge transfer | Role-specific guidance for administrators, engineers, support teams, and business owners. | Sessions, guides, recordings where agreed | Handover | Participant roles, use cases, internal policy context |