01 Executive Summary
A 3–5 sentence summary of overall findings, key risks, and top recommendations. Complete this section last.
02 Scope & Approach
2.1 Scope
| Item | In Scope | Notes |
|---|---|---|
| Codebase(s) reviewed | | |
| Repositories assessed | | |
| Delivery pipeline | | |
| Security practices | | |
| Regulatory compliance | | |
| Team structure & practices | | |
| Third-party / supply chain | | |
2.2 Approach — Methods Used
Tools Used
| Tool | Purpose | Output |
|---|---|---|
2.3 Limitations & Caveats
03 Delivery Performance — DORA Metrics
Benchmark against DORA elite / high performer thresholds from the State of DevOps Report.
| Metric | Measured Value | Elite Threshold | High Threshold | Rating |
|---|---|---|---|---|
| Deployment Frequency | | On-demand (multiple/day) | Weekly–monthly | |
| Lead Time for Changes | | < 1 hour | 1 day – 1 week | |
| Change Failure Rate | | < 5% | 5–10% | |
| Time to Restore Service | | < 1 hour | < 1 day | |
Observations
Findings
Recommendations
04 Code Quality
4.1 Static Analysis
| Measure | Value | Target | Pass/Fail |
|---|---|---|---|
| Code coverage — unit tests | | ≥ 80% | |
| Code coverage — integration tests | | ≥ 60% | |
| Critical issues (SonarQube / CodeClimate) | | 0 | |
| High severity issues | | < 5 | |
| Cyclomatic complexity (avg) | | ≤ 10 | |
| Cognitive complexity (avg) | | ≤ 15 | |
| Duplicated code | | < 3% | |
| Dependency vulnerabilities — critical | | 0 | |
| Dependency vulnerabilities — high | | 0 | |
4.2 Design Principles & Patterns
| Principle / Pattern | Rating | Evidence / Notes |
|---|---|---|
| SOLID principles | | |
| Separation of concerns | | |
| DRY (Don't Repeat Yourself) | | |
| Appropriate use of design patterns | | |
| Error handling strategy | | |
| Logging & observability | | |
| Configuration management (no secrets in code) | | |
| API design consistency | | |
| Data validation & sanitisation | | |
4.3 Technical Debt — Fowler's Quadrant
| Category | Examples Found | Impact | Priority |
|---|---|---|---|
| Reckless / Deliberate | | | |
| Reckless / Inadvertent | | | |
| Prudent / Deliberate | | | |
| Prudent / Inadvertent | | | |
Overall Debt Assessment
Recommendations
05 Delivery Pipeline & DevOps
5.1 CI/CD Pipeline
| Stage | Present | Automated | Quality Gate | Notes |
|---|---|---|---|---|
| Source control (branching strategy) | | | | |
| Build automation | | | | |
| Unit testing | | | | |
| Integration testing | | | | |
| Static code analysis (SAST) | | | | |
| Dependency vulnerability scanning | | | | |
| Container image scanning | | | | |
| Infrastructure as Code (IaC) | | | | |
| Automated deployment | | | | |
| Smoke / acceptance tests | | | | |
| Rollback capability | | | | |
| Environment parity (dev/staging/prod) | | | | |
5.2 Environments & Release Management
| Question | Finding |
|---|---|
| Number of environments | |
| Environment promotion process | |
| Release approval process | |
| Feature flag strategy | |
| Blue/green or canary deployment | |
| Secrets management approach | |
5.3 Observability
| Capability | Implemented | Tooling | Notes |
|---|---|---|---|
| Centralised logging | | | |
| Application performance monitoring | | | |
| Distributed tracing | | | |
| Uptime / availability monitoring | | | |
| Alerting & on-call process | | | |
| Dashboards / runbooks | | | |
| SLOs / SLAs defined | | | |
Findings
Recommendations
06 Security Posture
6.1 Cyber Essentials Controls
Mandatory for UK government contracts (NCSC scheme).
| Control Area | Rating | Evidence | Gaps |
|---|---|---|---|
| Firewalls & network boundary controls | | | |
| Secure configuration | | | |
| Access control & user management | | | |
| Malware protection | | | |
| Patch management & software updates | | | |
6.2 NCSC CAF — Cyber Assessment Framework
| Objective | Rating | Notes |
|---|---|---|
| A – Managing Security Risk | ||
| A1 – Governance | ||
| A2 – Risk management | ||
| A3 – Asset management | ||
| A4 – Supply chain | ||
| B – Protecting Against Cyber Attack | ||
| B1 – Service protection policies | ||
| B2 – Identity & access control | ||
| B3 – Data security | ||
| B4 – System security | ||
| B5 – Resilient networks & systems | ||
| B6 – Staff awareness & training | ||
| C – Detecting Cyber Security Events | ||
| C1 – Security monitoring | ||
| C2 – Proactive threat hunting | ||
| D – Minimising the Impact of Incidents | ||
| D1 – Response & recovery planning | ||
| D2 – Lessons learned | ||
6.3 OWASP SAMM
Rate 0–3: 0 = Not practised · 1 = Initial · 2 = Managed · 3 = Optimised
| Business Function | Practice | Score (0–3) | Notes |
|---|---|---|---|
| Governance | Strategy & Metrics | | |
| Governance | Policy & Compliance | | |
| Governance | Education & Guidance | | |
| Design | Threat Assessment | | |
| Design | Security Requirements | | |
| Design | Security Architecture | | |
| Implementation | Secure Build | | |
| Implementation | Secure Deployment | | |
| Implementation | Defect Management | | |
| Verification | Architecture Assessment | | |
| Verification | Requirements-driven Testing | | |
| Verification | Security Testing | | |
| Operations | Incident Management | | |
| Operations | Environment Management | | |
| Operations | Operational Management | | |
SAMM Overall Score (avg / 3)
Findings
Recommendations
07 Regulatory & Compliance
7.1 UK GDPR / Data Protection Act 2018
| Requirement | Status | Evidence | Risk |
|---|---|---|---|
| DPIA completed | | | |
| Lawful basis for processing documented | | | |
| Data minimisation applied | | | |
| PII identified in codebase / logs | | | |
| Data retention policies implemented | | | |
| Data subject rights process exists | | | |
| Breach detection & reporting process | | | |
| Data flows documented | | | |
| Data residency requirements met (UK/EEA) | | | |
| Third-party processors assessed (post-Brexit adequacy) | | | |
7.2 GDS Service Standard — Public Sector
Delete this section if not applicable.
| # | Point | Rating | Evidence |
|---|---|---|---|
| 1 | Understand users and their needs | | |
| 2 | Solve a whole problem for users | | |
| 5 | Make sure everyone can use the service | | |
| 7 | Use agile ways of working | | |
| 9 | Create a secure service | | |
| 11 | Choose the right tools and technology | | |
| 12 | Make new source code open | | |
| 14 | Operate a reliable service | | |
WCAG 2.2 AA — Accessibility (Public Sector Bodies Accessibility Regulations)
7.3 Sector-Specific — FCA PS21/3 / NHS DTAC
Complete the relevant block; delete what does not apply.
| Requirement / Domain | Status | Notes |
|---|---|---|
| FCA / PRA — Operational Resilience (PS21/3) | ||
| Important business services identified | ||
| Impact tolerances defined | ||
| Mapping of resources and dependencies | ||
| Scenario testing completed | ||
| NHS DTAC | ||
| Clinical safety (DCB0129/0160) | ||
| Data protection | ||
| Interoperability (FHIR/HL7) | ||
08 Architecture & Technology
8.1 ISO/IEC 25010 Quality Characteristics
| Characteristic | Sub-characteristic | Rating | Notes |
|---|---|---|---|
| Functional Suitability | Completeness | | |
| | Correctness | | |
| Performance Efficiency | Time behaviour | | |
| | Resource utilisation | | |
| Reliability | Availability | | |
| | Fault tolerance | | |
| | Recoverability | | |
| Security | Confidentiality | | |
| | Integrity | | |
| Maintainability | Modularity | | |
| | Analysability | | |
| | Modifiability | | |
| | Testability | | |
| Portability | Adaptability | | |
| | Installability | | |
8.2 Architecture Concerns
| Concern | Finding | Severity | Recommendation |
|---|---|---|---|
| Single points of failure | | | |
| Legacy / unsupported components | | | |
| Cloud provider lock-in | | | |
| Data residency | | | |
| Scalability constraints | | | |
| Disaster recovery / BCP | | | |
| API versioning strategy | | | |
| Dependency on deprecated libraries | | | |
09 Team & Ways of Working
9.1 Team Topology (Skelton & Pais)
| Aspect | Finding |
|---|---|
| Team type | |
| Team cognitive load assessment | |
| Interaction modes | |
| Dependencies on other teams | |
| Platform capabilities available | |
9.2 Delivery & Agile Maturity
| Practice | Rating | Notes |
|---|---|---|
| Backlog quality & prioritisation | | |
| Sprint / iteration planning | | |
| Definition of Done enforced | | |
| Definition of Ready enforced | | |
| Retrospectives actioned | | |
| Technical debt in backlog | | |
| Scaled framework adherence (SAFe / LeSS) | | |
9.3 Developer Experience — SPACE Framework
| Dimension | Observation |
|---|---|
| Satisfaction & wellbeing | |
| Performance | |
| Activity | |
| Communication & collaboration | |
| Efficiency & flow | |
10 Supply Chain & Procurement
| Item | Finding | Risk |
|---|---|---|
| Third-party component inventory (SBOM) | | |
| Open source licence compliance | | |
| Vendor security assessments | | |
| Crown Commercial Service framework (if public sector) | | |
| Data residency of SaaS tools | | |
| Modern Slavery Act compliance | | |
| ISO 27001 certification of key suppliers | | |
11 Service Management — ITIL 4
Complete if ITIL 4 is in scope. Rate 0–4: 0 = Absent · 1 = Initial · 2 = Managed · 3 = Defined · 4 = Optimising
| Practice | Maturity (0–4) | Notes |
|---|---|---|
| Incident management | | |
| Problem management | | |
| Change enablement | | |
| Service desk | | |
| Knowledge management | | |
| Continual improvement | | |
12 Findings Summary
12.1 Scoring Summary
Delivery Performance (DORA)
Code Quality
CI/CD Pipeline
Security Posture
Regulatory Compliance
Architecture & Technology
Team & Ways of Working
Overall
12.2 Critical Findings — Must Fix
| # | Finding | Domain | Risk | Recommended Action | Owner | Target Date |
|---|---|---|---|---|---|---|
| C1 | | | | | | |
| C2 | | | | | | |
| C3 | | | | | | |
12.3 High Priority Findings
| # | Finding | Domain | Risk | Recommended Action | Owner | Target Date |
|---|---|---|---|---|---|---|
| H1 | | | | | | |
| H2 | | | | | | |
| H3 | | | | | | |
12.4 Medium Priority Findings
| # | Finding | Domain | Risk | Recommended Action | Owner | Target Date |
|---|---|---|---|---|---|---|
| M1 | | | | | | |
| M2 | | | | | | |
12.5 Observations & Commendations
13 Recommendations Roadmap
| Timeframe | Action | Framework Ref | Effort | Impact |
|---|---|---|---|---|
| Immediate — 0–30 days | ||||
| Short-term — 1–3 months | ||||
| Medium-term — 3–6 months | ||||
| Longer-term — 6–12 months | ||||
Appendix A — Frameworks & Standards Reference
| Framework | Scope | Source |
|---|---|---|
| DORA Metrics | Delivery performance | dora.dev |
| SPACE Framework | Developer experience | Microsoft Research |
| ISO/IEC 25010 | Software product quality | iso.org |
| CMMI | Process maturity | cmmiinstitute.com |
| OWASP SAMM | Software security maturity | owaspsamm.org |
| NCSC CAF | Cyber security — UK CNI / public sector | ncsc.gov.uk |
| Cyber Essentials | Baseline cyber hygiene (UK) | ncsc.gov.uk/cyberessentials |
| GDS Service Standard | Digital service delivery (UK Gov) | gov.uk/service-manual |
| Technology Code of Practice | Technology decisions (UK Gov) | gov.uk/guidance/the-technology-code-of-practice |
| UK GDPR / DPA 2018 | Data protection (UK) | ico.org.uk |
| FCA PS21/3 | Operational resilience — UK financial sector | fca.org.uk |
| NHS DTAC | Digital health assurance (UK) | digital.nhs.uk |
| Team Topologies | Team structure & interaction | teamtopologies.com |
| ITIL 4 | Service management | axelos.com |
| NCSC Secure Dev Guidance | Secure development practices | ncsc.gov.uk |
Appendices B–D — Evidence Log
Appendix B — Interviewees
| Name | Role | Date | Topics Covered |
|---|---|---|---|
Appendix C — Documents Reviewed
| Document | Version / Date | Notes |
|---|---|---|
Appendix D — Tools & Scan Outputs
| Tool | Version | Scan Date | Output Location |
|---|---|---|---|
Template v1.0 — Based on DORA, ISO/IEC 25010, NCSC CAF, OWASP SAMM, GDS Service Standard, UK GDPR, Cyber Essentials, Team Topologies, and ITIL 4.