Consultancy & Professional Services Evidence Pack
Overview
This page provides the evidence reviewers need to assess Virtus Group’s Consultancy & Professional Services. It maps our portfolio (strategy/architecture, security & resilience, infrastructure operations & transition, programme/project management) to concrete deliverables and proof artefacts, with links to our security, privacy and incident/breach documents. Treat this as the evaluation hub: the scope matrix and governance card below give a quick compliance view; the linked artefacts hold the full detail.
- Security & Assurance Index (full hub)
- Capability Statements: Cloud Transition (PDF) • Infrastructure Support (PDF)
- Pricing Annex v2.15 (public)
- Contact details: hello@virtusgroup.biz | privacy@virtusgroup.biz | 0800 847 887
- Privacy contact & DSR: privacy@virtusgroup.biz • DSR by email with subject "DSR"
Linked Assurance Artefacts
- Security Overview NZISM
- Privacy Policy Operational Summary
- DPIA Template
- Breach Response Procedure
- Incident Response Plan
- BCDR Summary
- End-user Support Runbook
- Infrastructure Ops Runbook
- Network Ops Runbook
- MDM Baseline
- Cloud Governance Baseline
- Vulnerability Management Procedure
- Service Access and Administration Summary
- ICT Professional Services Use Cases
Governance & Assurance Signals
- Insurances & certifications: Public Liability, Professional Indemnity, Statutory, and IT Liability (limits/expiry available on request).
- Conflicts of Interest: we disclose, avoid, and manage COI; staff attestations at engagement; clients are notified of potential conflicts.
- Subcontractors/Vendors: vetted for security/privacy; contract flow-downs, incident notice SLAs, and right to audit/assurance evidence on request.
- Information Security posture: data residency posture, backup immutability & restore testing, break-glass access, logging/retention (see Security Overview).
- Privacy contact & DSR: privacy@virtusgroup.biz • DSR by email with subject 'DSR'.
- DPIA triggers: new high-risk processing, cross-border transfers, or significant change of purpose/scale.
Scope Matrix
What’s in scope by category with example deliverables and proof artefacts.
| Category | Typical deliverables | Proof artefacts |
|---|---|---|
| Strategy & Architecture | Current-state, Options Paper, Reference Architecture, Roadmap | Decision Log, RAID, Stakeholder map |
| Security & Resilience | IR Plan, playbooks, M365 runbooks, BCDR/Go‑No‑Go | IRP, BCDR summary, Breach procedure |
| Infrastructure Ops & Transition | Monitoring/alerting, immutability, cutover/runbooks | Restore test report, runbooks |
| Programme/Project Management | Plan, stage gates, status, risks/issues, acceptance | RAID, Status, Change, Acceptance checklist |
- IR/Resilience method: NIST-style incident lifecycle with evidence handling, containment safety gates for OT, NZ notification cues (OPC/CERT NZ/System Operator), and post-incident reviews driving improvements.
- PMO-lite method: hybrid agile/stage-gate with decision logs, RAID, weekly status, change control, benefits tracking, and clear acceptance criteria.
Service Listing (CPS)
High-level description
Virtus Group delivers outcome-focused ICT Professional Services that start fast with fixed-scope Pilots and scale into targeted Uplift Projects across security & continuity, Microsoft 365 & collaboration, core infrastructure, cloud & automation, and PMO-lite delivery. We work evidence-first and audit-ready, producing runbooks, checklists, and verification artefacts agencies can retain.
Pilots (fixed scope/NTE): MFA/Conditional Access, inbox-rule & OAuth hygiene, DLP/labels, DMARC/SPF/DKIM alignment, “Prove Your Backups” (immutability + restore test with RTO/RPO evidence), micro-segmentation/segmentation, ZTNA/SWG/SASE quickstarts, SD-WAN turn-up, cloud/cost guardrails. See: Service Pilots.
Uplift Projects: Secure M365 baseline (CA/MFA, labels/DLP, external-sharing controls, OAuth hygiene with KQL verification), Backup & DR hardening (immutability, clean-point method, restore tests with recorded RTO/RPO, go/no-go to DR), Infrastructure resilience (golden-config, patch/orchestration, telemetry/retention), Cloud landing zones & policy-as-code, Cost guardrails, and PMO-lite delivery (stage-gates, Decision Log, RAID, rehearsed rollback, KT bundle).
OT/Utilities option: vendor access control, golden configs, time/telemetry integrity, safety gate (PCBU/H&S) and adjusted containment in safety-sensitive contexts.
Benefits & outcomes
- Fast traction: fixed-scope pilots with NTE pricing & clear deliverables lower decision risk.
- Measurable resilience: immutability verified; restore tests record achieved RTO/RPO; DR go/no-go checklists.
- Reduced attack surface: CA/MFA hygiene, OAuth/inbox-rule cleanup, DLP/labels, DMARC, ZTNA/SWG/SASE, micro-segmentation.
- Audit-ready: configs, KQL exports, screenshots, restore logs, acceptance records (PDF on request).
- Operational clarity: RACI, shared Decision Log & RAID, weekly status; robust KT bundles.
- NZ-fit breach & privacy: OPC “serious harm” threshold, CERT NZ cues, Agency heads-up ≤24h.
- Clean path to BAU: CPS artefacts transition to Managed Services without re-work (optional).
Dependencies, exclusions, limitations
- Dependencies: stakeholder & environment access; CAB/change windows; vendor contacts; Agency licences (e.g., M365/Defender, backup/EDR).
- Exclusions (CPS boundary): ongoing BAU (monitoring, patching, incident response, 24×7), monthly reporting to SLAs/SLOs-available separately under the Managed Services listing.
- Limitations: SaaS/cloud timelines may depend on provider SLAs; information accuracy affects scope; PCBU/H&S safety gate may delay containment if safety risks exist.
Governance documents
- Insurance Statement
- Conflicts of Interest (COI) Statement
- Subcontractor & Vendor Policy
- Breach Response Procedure
- Personnel Vetting (MoJ)
- Physical Security Summary
- MultiVendor Collaboration Playbook
- Knowledge Management Handover Standard
- Resource Scaling Associate Onboarding SOP