Report types
- PDF executive report: A polished, branded PDF (8–14 pages) summarising posture score, top priority actions, framework readiness, and trend since the previous report. One-click generate from any completed scan.
- CSV — findings: Every open finding from the most recent scan: severity, category, control mapping, affected entity count, and remediation guide. Suitable for piping into a ticketing system.
- CSV — controls: Every control evaluated, with pass/fail/skipped status and the count of supporting findings. Suitable for evidencing a specific control to an auditor.
- Scheduled email: A short HTML summary delivered on a configurable cadence (daily, weekly, monthly). Default is weekly, on Mondays at 09:00 in the tenant timezone.
- Framework readiness: Per-framework scorecards for Cyber Essentials, ISO 27001, GDPR, NIST, CIS and the Cyber Essentials Plus self-assessment. The same findings, re-projected against each framework.
Who each output is for
The audiences that have come up most in onboarding calls — and the output that tends to fit each one best.
- Leadership / board: the PDF executive report. One artefact, low jargon, trend over time.
- Customers / procurement: the framework-readiness scorecard for whichever framework they’re asking about. Often Cyber Essentials in the UK, ISO 27001 in the EU.
- Insurers: the PDF report plus the controls CSV. Insurers want both an at-a-glance view and per-control evidence.
- Internal governance: the findings CSV piped into your ticketing system, plus the scheduled weekly email so the team sees drift between scans.
- External assessors / auditors: the controls CSV and the underlying skipped-checks list (so you can pre-empt the “why isn’t this evaluated” question with a documented reason — usually a missing licence or an opted-out batch).
- MSP customers: the same outputs, optionally co-branded with the MSP’s logo and colour palette.
Scheduled email summaries
Scheduled summaries land from noreply@scanposture.com with a deep link back to the dashboard for any number that catches a recipient’s eye. Cadence is configurable per recipient, so the CISO can take a weekly digest while the SecOps lead takes daily.
The summary is read-only-safe
Framework readiness — what’s mapped where
ScanPosture maintains a control-mapping table from each check to the relevant clauses of each supported framework. Mappings are sourced from the public framework spec text — for Cyber Essentials, from the IASME-published v3.3 question set; for ISO 27001, from Annex A 2022; for NIST, from CSF 2.0; and so on. The full mapping table lives in the production check registry and is what powers the per-framework scorecards.
The scorecard for any framework returns three things: readiness percentage (controls evidenced as passing / total mapped controls), blocking gaps (controls that are explicitly failing), and evidenced controls (controls that pass and have a supporting finding to point to). The third one is what auditors actually want.
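The three scorecard values can be recomputed from a controls export as a cross-check before handing evidence to an auditor. The following is an added example, not ScanPosture's own code: the column names (`control_id`, `framework`, `status`, `supporting_findings`) and the sample rows are constructed assumptions, and the readiness numerator is taken to be every control with `pass` status.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows; the column names are assumptions, not a documented export schema.
SAMPLE_CONTROLS_CSV = """control_id,framework,status,supporting_findings
CE-1,Cyber Essentials,pass,2
CE-2,Cyber Essentials,fail,1
CE-3,Cyber Essentials,skipped,0
CE-4,Cyber Essentials,pass,0
A.5.1,ISO 27001,pass,3
A.5.2,ISO 27001,fail,4
A.5.3,ISO 27001,pass,1
"""

VALID_STATUSES = {"pass", "fail", "skipped"}


def scorecards(csv_text):
    """Return {framework: readiness_pct, blocking_gaps, evidenced_controls, skipped}."""
    by_framework = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        status = row["status"].strip().lower()
        if status not in VALID_STATUSES:
            # Refuse to score on a status we do not understand.
            raise ValueError(f"{row['control_id']}: unknown status {row['status']!r}")
        findings = int(row["supporting_findings"] or 0)
        by_framework[row["framework"].strip()].append(
            (row["control_id"].strip(), status, findings)
        )

    result = {}
    for framework, rows in by_framework.items():
        # Skipped controls stay in the denominator: they are still mapped controls.
        total = len(rows)
        passing = [cid for cid, status, _ in rows if status == "pass"]
        result[framework] = {
            "readiness_pct": round(100 * len(passing) / total, 1),
            # Blocking gaps: controls that are explicitly failing.
            "blocking_gaps": [cid for cid, status, _ in rows if status == "fail"],
            # Evidenced: passing AND at least one supporting finding to point to.
            "evidenced_controls": [
                cid for cid, status, n in rows if status == "pass" and n > 0
            ],
            # Each skipped control needs a documented reason for the assessor.
            "skipped": [cid for cid, status, _ in rows if status == "skipped"],
        }
    return result
```

A passing control with zero supporting findings (`CE-4` in the sample) raises the readiness percentage but does not appear in the evidenced list, which is the gap to close before an audit.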
Generating a report
From any completed scan, hit Generate PDF in the report toolbar, or Export CSV for a flat findings/controls dump. PDFs are rendered server-side and delivered as a download (no browser-side print step). Generation typically takes 4–8 seconds. CSVs are immediate.
Branding
Direct customers can upload a logo and a brand colour pair (primary + accent) which apply to the PDF cover page and the email summary header. MSPs can apply per-customer branding from the MSP portal — useful when a customer wants the report to land under their own house style.
Still got questions? Email hello@scanposture.com — UK working days, real human, same-day reply.