For procurement and vendor risk · checked July 2026
For procurement and vendor risk.
This page exists so a vendor-risk review can be completed without a discovery call. Anything not covered below is available on request, within two working days.
Independence statement
We prepare organisations for certification. We do not certify anyone, and we never will. Certification is carried out separately by an independent, CSA-appointed certification body, appointed under the rules of the relevant scheme. That separation is not a courtesy; it is a requirement. It is set out in ISO/IEC 17021, the international standard governing how certification bodies operate, and it is mirrored in CSA's own scheme design for Cyber Essentials and Cyber Trust. The purpose is straightforward: the party assessing the evidence has no financial stake in the outcome, which protects the buyer relying on the mark. We accept no referral fees from any certification body, ever.
Methodology summary
Every engagement is scoped in an engagement letter before work begins. That letter fixes the scope, the fees, the gap promise and the data- handling terms, so nothing about the commercial or evidentiary basis of the work is left to be inferred later. A named consultant is assigned to the engagement from the day plan onward and signs every deliverable that leaves our hands. Evidence is assembled the way the relevant assessor expects to receive it: one control, one piece of evidence, one location in the pack, checked by an internal QA review before any submission goes to the client.
Credentials and insurance
The consultant credential matrix, professional indemnity details and data-handling terms are provided as a capability pack on request. The pack is issued in PDF and carries the entity's registration details. We do not list certificate names or policy numbers on this page; they are confirmed, current, and dated in the pack itself.
Data handling
- Client materials are stored in access-controlled systems, limited to the named consultants on the engagement, and are not copied to personal devices or shared drives outside that system.
- Engagement data is retained only as long as the engagement letter states, then deleted; the letter also sets the notification terms if an incident ever affects that data.
- No client data is used for marketing, case studies or references without separate written consent, and none is sold or shared with any third party outside the engagement.
Request the capability pack
Email hello@heartwoodcyber.com with the subject line "Procurement" and what your process needs. We reply within two working days, in the format your process needs.