The benchmark underneath every engagement

SecureState™ — our IT health benchmark for UK small businesses.

Most small businesses have no honest answer to the question "is our IT actually OK?" — only the absence of a recent incident. SecureState is how we replace that with a documented standard. Four categories, one clear position, reviewed every 90 days.

Applied as standard on every Inology managed IT engagement · 90-day review cadence · Run by a senior engineer, not a portal

Why we built it

Most "IT health" answers are vibes. We wanted a position you could write down.

After two decades of post-incident calls — the ones that start "we thought we were covered" — we noticed something. The businesses that came through clean were the ones with documented standards. The ones that didn't were the ones running on assumption. SecureState is how we make sure our clients are always in the first group.

  • Insurers want it. Cyber insurance renewals increasingly ask for evidence of ongoing controls — not a one-off scan from 18 months ago. SecureState is that evidence, refreshed quarterly.
  • Buyers want it. Enterprise customers and public-sector frameworks now ask SMB suppliers what their IT standard is. "We have an IT person" is no longer enough.
  • Boards want it. "Are we OK?" deserves a documented answer with a date on it, not a reassurance from the MSP. Owners and boards need a position they can trust.
  • Regulators are getting closer. ICO, FCA, SRA and sector bodies are tightening expectations on data handling, AI use and incident reporting. The gap between "doing fine" and "documented" is the gap that costs you.

The framework

Four categories. One clear standard.

Each category covers an area where an IT gap stops being an IT problem and starts costing you money, clients or regulatory standing. We assess each, score the gaps, and hand you a written plan.

Category 01

Cyber Security

The gap most exploited. Device security, access controls, threat detection, incident readiness — the criteria that determine whether an attack becomes a crisis or a footnote.

  • Identity, MFA and Conditional Access
  • Endpoint protection, EDR and patching
  • Email security, phishing readiness
  • Backup integrity and recovery testing

Category 02

IT Strategy

Unplanned IT spend is a silent drain on most small businesses. Strategy, roadmap, vendor relationships and budget alignment — so your IT investment works for you, not against you.

  • 3-year IT roadmap with budget
  • Vendor and licensing rationalisation
  • Asset lifecycle and replacement plan
  • Quarterly business review with leadership

Category 03

Growth Readiness

IT that can't keep up with growth costs you time, people and opportunity. Infrastructure resilience, onboarding efficiency, hybrid working and technical debt — all assessed, all addressable.

  • Same-day onboarding for new starters
  • Hybrid and remote working that just works
  • Network and connectivity headroom
  • Tech debt register with a path to clear it

Category 04

Compliance

Regulatory requirements aren't going away — they're increasing. GDPR, ICO obligations, AI governance, audit readiness, policy documentation. Meet them before they become a fine or a client deal-breaker.

  • GDPR and ICO data-handling readiness
  • AI acceptable-use policy + classification
  • Cyber Essentials / ISO 27001 / DSPT path
  • Documented policies staff actually read

The specific assessment criteria and scoring weights underneath each category stay between Inology and the client — that's how the standard stays consistent.

How it runs

Set the baseline, then keep it honest.

SecureState isn't a one-off audit. It's how we run IT for you — established at onboarding, refreshed every quarter, owned by a senior engineer.

  1. Initial assessment

    A senior Inology engineer walks through all four categories with the business owner or operations lead. We document where you stand on day one — the honest position, not the marketing one. You get a written report regardless of whether you sign with us.

  2. Gap-closure plan

    Each gap gets prioritised by business risk — not by which one looks worst on paper. You get a fixed-fee remediation plan with a timeline. Some gaps close in a week, some take a quarter. Either way, you know what's coming and what it costs.

  3. Ongoing operation

    The closed gaps stay closed because they're built into how we run your IT day-to-day — backups tested, MFA enforced, licences reviewed, AI policy current. Not project work that decays the moment the consultant leaves.

  4. 90-day review

    Every quarter, we re-walk all four categories. New gaps surface — staff joined, a new tool got adopted, a regulator moved the line. We document the new position, refresh the plan, and you have an evidence trail with dates on it.

What you actually get

Documents, not vibes.

SecureState produces tangible artefacts — the kind insurers, buyers and boards ask to see. Below is the standard set every aligned client has on file at any given time.

Current-state report

A written position across all four categories with a date on it. Aligned, or aligned-with-gaps. Updated every 90 days.

Risk register

Every open gap, ranked by business risk, with a named owner and an expected close date. Not buried in a portal — sat at the front of your quarterly review pack.

Policy set

Acceptable use, AI use, password, mobile, data handling, incident response. Written for your sector, signed off at board level, embedded in onboarding.

Evidence trail

Backup test logs, patch reports, MFA enforcement, conditional access posture, training completion. The bits cyber insurers and clients ask to see.

Quarterly review pack

A 6-page deck per quarter — what changed, what's coming, what your peers are doing. Built for a 30-minute conversation with the business owner, not a 2-hour technical readout.

Certification path

If you need Cyber Essentials, ISO 27001, NHS DSPT or sector-specific certifications, SecureState gives you a head start — most of the evidence is already documented.

How we deliver against it

SecureState is the standard. Our services are how we hit it.

Every Inology service maps to one or more SecureState categories. Managed IT support is the spine. Microsoft 365, Cyber Essentials, AI for Business, Cloud & Backup and the rest are the delivery vehicles. We sell the service; you get the standard.

Common questions

SecureState — frequently asked.

Is SecureState a product I can buy?

No — SecureState is the benchmark we measure your business against, not a product or a support contract. It's the standard underneath every Inology engagement. Clients buy our managed IT, Microsoft 365 or AI consulting work; SecureState is how we know whether that work is actually moving the needle.

Is SecureState a recognised certification like Cyber Essentials or ISO 27001?

No — it's our own framework, not a government scheme or third-party certification. Cyber Essentials, ISO 27001 and NHS DSPT are external certifications we help clients achieve where their sector or insurer requires them. SecureState is the broader IT health benchmark that sits underneath those, covering the IT strategy, growth and compliance ground that pure cyber certifications don't reach.

How often is the benchmark reviewed?

Every 90 days. We sit down with the business owner or operations lead, walk through any movement in each of the four categories, and document the new position. Protection isn't assumed — it's measured. Every quarter.

Do I have to be on a managed IT plan to be SecureState-aligned?

In practice, yes. The framework is run as part of our managed IT engagement — it's not a self-serve audit you buy once. We can, however, run a one-off SecureState assessment for businesses considering a switch to Inology, with the report yours to keep whether or not you sign with us.

What happens if my business has gaps?

Most businesses have at least a few on first assessment — that's normal. We document each gap, prioritise by business risk (not technical severity), and give you a written plan with fixed-fee remediation costs where they apply. Some gaps close in a week; some take a quarter. The 90-day review tells you which are still open.

Are the assessment questions public?

No — the underlying assessment instrument is proprietary and stays between Inology and the client. We publish the four categories and the outcomes you should expect from each, but the specific criteria and scoring stay inside the engagement. That's how the standard stays consistent across our client base.

What does the trademark mean — is SecureState legally protected?

SecureState is a trade mark of Inology IT Ltd, used to identify our proprietary IT health benchmark. The framework, methodology and assessment instrument are our intellectual property and may not be reproduced or rebadged without permission.

How is SecureState different from a one-off cyber audit?

A one-off audit gives you a snapshot — accurate the day it's run, decaying from then on. SecureState is the operating standard your IT runs to between audits. The 90-day review keeps the snapshot current; the policies, procedures and evidence trail keep it real.

Ready for an honest position on where you stand?

A SecureState call is 30 minutes with Brett or Simon. We'll walk through the four categories at a high level, tell you where most businesses your size sit, and book the assessment if it's a fit. No deck, no decision pressure.