Thinkwerke Documentation

Implementation guides, reference architectures, evidence models, and compliance mappings for regulated and core-industry organisations operating in vendor-hosted cloud environments.

Start here

• Getting Started
  • What this documentation is
  • What this documentation is not
  • Who this documentation is for
  • How to use this documentation
  • Guiding principles
  • Where to go next
• Glossary of Terms
  • Audit-ready evidence
  • CI/CD (Continuous Integration / Continuous Delivery)
  • CNAPP (Cloud-Native Application Protection Platform)
  • Compliance mapping
  • Control
  • Control-to-proof
  • CSPM (Cloud Security Posture Management)
  • Evidence by design
  • Operating model
  • Shared responsibility
  • SIEM (Security Information and Event Management)
  • SSLM (Secure Software Lifecycle Management)
  • Supply-chain security
  • Tender evidence
  • Vendor-hosted environment
  • Vulnerability lifecycle
• How to Use This Documentation
  • Who this documentation is for
  • How the documentation is structured
  • How to read a page
  • What this documentation is not
  • How to use this for audits and tenders
  • Living documentation
  • How to engage Thinkwerke

Solutions & Architectures

• Solutions & Architectures
  • Purpose of this section
  • What these solutions are designed to achieve
  • How to use this section
  • Scope and assumptions
  • Relationship to Compliance Mapping
  • Solution areas covered
  • What this section does not replace
  • Next steps
• Secure Software Lifecycle (SSLM)
  • Why SSLM matters in regulated environments
  • Core principles
  • Lifecycle stages
  • Evidence-by-design
  • Alignment with regulations
  • What SSLM does not solve alone
  • Next steps
• Vulnerability Lifecycle Management
  • Purpose
  • Why Vulnerability Management Fails in Practice
  • Thinkwerke Vulnerability Lifecycle Model
  • 1. Detection
  • 2. Triage
  • 3. Remediation
  • 4. Verification
  • 5. Closure and Escalation
  • 6. Evidence Generation
  • Architecture Overview
  • SLA Guidance (Example)
  • Business Outcomes
  • Compliance Mapping
  • Related Topics
• Cloud Security Foundations
  • Purpose
  • Why Cloud Security Foundations Matter
  • Design Principles
  • Core Foundation Components
  • Operating Model
  • Evidence and Audit Readiness
  • Relationship to Other Solutions
  • Compliance Mapping
  • Key Takeaway
• SOC & SIEM Modernisation
  • Purpose
  • Why Traditional SOC Models Fail
  • Design Principles
  • Core Components
  • Operating Model
  • Evidence and Audit Readiness
  • Relationship to Other Solutions
  • Compliance Mapping
  • Key Takeaway
• CNAPP & Kubernetes Security Architecture
  • Purpose
  • Why Kubernetes Changes the Security Model
  • Design Principles
  • What CNAPP Covers (Practically)
  • Kubernetes Security Architecture
  • Operating Model
  • Evidence and Audit Readiness
  • Relationship to Other Solutions
  • Compliance Mapping
  • Key Takeaway

Compliance Mapping

• Compliance Mapping
  • From Regulatory Requirements to Executable Controls
  • Purpose
  • What Compliance Means in Practice
  • The Mapping Model
  • Frameworks Covered
  • Cloud & Vendor-Hosted Context
  • Evidence-Centric Compliance
  • How to Use This Section
  • Relationship to Other Sections
  • Key Takeaway
• ISO/IEC 27001: Compliance Mapping
  • Purpose
  • Scope of ISO/IEC 27001
  • Mapping Approach
  • ISMS as an Operating Model
  • Clause-to-Control Mapping (Examples)
  • Annex A Controls in Cloud Environments
  • Vendor-Hosted & Shared Responsibility
  • Evidence Expectations
  • Common ISO 27001 Failure Patterns
  • Relationship to Other Documentation
  • Key Takeaway
• NIS2 Directive: Operational Security & Resilience
  • Purpose
  • What NIS2 Changes
  • Key Challenges in Practice
  • Thinkwerke Interpretation Model
  • Risk Management Measures
  • Incident Handling and Reporting
  • Monitoring and Logging
  • Executive Accountability
  • Evidence and Audit Readiness
  • Relationship to Other Frameworks
  • Key Takeaway
• Cyber Resilience Act (CRA): Product & Software Engineering
  • Purpose
  • What the CRA Actually Targets
  • Core CRA Expectations
  • Common Failure Patterns
  • Thinkwerke Implementation Model
  • Secure Software Lifecycle (SSLM)
  • Vulnerability Handling
  • Software Supply-Chain Governance
  • Vendor-Hosted Responsibility
  • Evidence and Audit Readiness
  • Relationship to Other Frameworks
  • Key Takeaway
• GDPR: Privacy Engineering & Data Protection by Design
  • Purpose
  • What GDPR Actually Requires
  • Common GDPR Failure Patterns
  • Thinkwerke Privacy Engineering Model
  • LINDDUN Privacy Threat Modeling
  • Applying LINDDUN in Practice
  • Data Flow Mapping
  • Technical Control Implementation
  • DPIA as a Living Artefact
  • Incident Detection and Breach Response
  • Evidence and Audit Readiness
  • Relationship to Other Frameworks
  • Key Takeaway
• Compliance Crosswalks: One Control, Many Obligations
  • Purpose
  • Why Crosswalks Matter
  • Thinkwerke Crosswalk Philosophy
  • Core Crosswalk Dimensions
  • Example: Vulnerability Management Crosswalk
  • ISO 27001 ↔ NIS2 Crosswalk
  • NIS2 ↔ CRA Crosswalk
  • GDPR ↔ Security Framework Crosswalk
  • Customer & Tender Alignment
  • Evidence Reuse Model
  • Maintaining Crosswalks Over Time
  • Key Takeaway

Evidence Library

• Evidence Library
  • Purpose
  • What We Mean by “Evidence”
  • Evidence-by-Design Principle
  • Evidence Categories
  • Evidence Lifecycle
  • Who Uses the Evidence Library
  • Relationship to Compliance Mapping
  • Automation and Tooling
  • Design Goals
  • Key Takeaway
• Tender Evidence Packs
  • Purpose
  • Why Tender Processes Break Down
  • Thinkwerke Approach
  • What a Tender Pack Contains
  • Standards and Regulations Covered
  • Reusable by Design
  • Engineering Involvement
  • Business Impact
  • Relationship to Other Evidence
  • Key Takeaway
• Security Questionnaires
  • Purpose
  • Why Questionnaires Become a Bottleneck
  • Thinkwerke Approach
  • Questionnaire Structure
  • Evidence-Backed Answers
  • Mapping to Standards
  • Reuse and Consistency
  • Engineering Involvement
  • Business Impact
  • Relationship to Other Evidence
• Control to Proof
  • Purpose
  • Why Control Statements Fail Without Proof
  • Thinkwerke Control Model
  • 1. Control Definition
  • 2. Control Implementation
  • 3. Control Proof
  • Traceability Model
  • Evidence Lifecycle
  • Example: Vulnerability Management
  • Applicability to Regulations
  • Engineering Ownership
  • Relationship to Other Documents
  • Key Takeaway
• Exportable Artifacts
  • Purpose
  • What Is an Exportable Artifact
  • Common Artifact Types
  • Artifact Design Principles
  • Artifact Generation Model
  • Example: Tender Evidence Pack
  • Example: Audit Artifact
  • Versioning and Retention
  • Reusability Across Contexts
  • Roles and Responsibilities
  • Relationship to Other Documents
  • Key Takeaway

Whitepapers & Research

• Whitepapers & Research
  • Purpose
  • How to Use These Whitepapers
  • Whitepaper Scope
  • Audience
  • Available Whitepapers
  • How Whitepapers Evolve
  • Relationship to Other Documentation
  • Key Takeaway
• NIS2 Engineering Guide
  • From Directive to Defensible Implementation
  • Purpose
  • What NIS2 Actually Changes
  • Engineering-Centric Interpretation
  • Core Engineering Domains Affected
  • Risk Management as an Operating Model
  • Evidence Expectations
  • Vendor-Hosted & Shared Responsibility
  • Management Accountability
  • Common Failure Patterns
  • A Practical Path Forward
  • Relationship to Other Materials
  • Key Takeaway
• Cyber Resilience Act (CRA): Practical Implementation Guide
  • From Legal Obligation to Engineering Reality
  • Purpose
  • What the CRA Introduces
  • Engineering Impact of the CRA
  • Core Engineering Domains
  • Evidence Expectations Under CRA
  • Vendor-Hosted & Shared Responsibility
  • Common Implementation Pitfalls
  • A Practical Implementation Model
  • Relationship to Other Materials
  • Key Takeaway
• ISO 27001: Evidence by Design
  • From Documentation Compliance to Operational Proof
  • Purpose
  • The Problem with Traditional ISO 27001 Implementations
  • What “Evidence by Design” Means
  • Control Implementation Model
  • Policy, Implementation, Proof
  • Evidence Sources
  • Continuous Assurance
  • Vendor-Hosted Environments
  • Business Impact
  • Relationship to Other Materials
  • Key Takeaway
• Vendor-Hosted Responsibility
  • Clarifying Ownership in Cloud & Managed Environments
  • From Assumed Trust to Defensible Accountability
  • Purpose
  • The Reality of Vendor-Hosted Environments
  • The Shared Responsibility Model — and Its Limits
  • Responsibility Categories
  • From Responsibility to Evidence
  • Validating Vendor Controls
  • Regulatory Expectations
  • Common Failure Patterns
  • A Practical Operating Model
  • Relationship to Other Materials
  • Key Takeaway