Cyber Essentials · Certification + alignment

Cyber Essentials — done properly the first time, then kept that way.

Cyber Essentials and Cyber Essentials Plus certification, ongoing alignment, and the boring controls that make sure renewal next year is a formality, not a fire drill. We're certified ourselves. We use the same tooling on our own network that we deploy on yours.

What's included

The pieces that make up Cyber Essentials.

Gap analysis

We assess your current state against the five CE controls — boundary firewalls, secure configuration, user access, malware protection, patch management. You get a one-page report with a traffic-light score and remediation list.

Remediation & submission

We fix the gaps — usually a mix of configuration changes, MFA enforcement, and a few licensing tweaks. Submission to IASME, evidence pack, follow-up questions. Fixed fee, no surprises.

Cyber Essentials Plus

On-site or remote technical audit by an assessor. We coordinate the assessment, prep the test endpoints, and walk through it with the auditor. CE+ is what insurers and large customers increasingly require.

Ongoing alignment

Compliance Protect (£15/user) keeps you continuously aligned — patch reporting, MFA enforcement, encrypted device check, monthly evidence pack. So renewal next year is a formality.

Cyber insurance support

We complete cyber insurance questionnaires for you (we know the trick questions). Your premium typically drops 10–25% after CE+ certification.

Defender + EDR

Microsoft Defender for Business or third-party EDR included on Plus and Complete tiers. Tuned, monitored, and the alerts triaged by humans — not just left noisy.

SecureState™ · Cyber Security category

Aligned to our IT health benchmark.

Sits inside the SecureState™ Cyber Security category — identity, endpoint, threat detection and recovery. Reviewed every 90 days as part of how we run your IT, not a one-off audit that decays.

How it works

A predictable shape, every time.

  1. Gap analysis

     Two-week audit of your current state. Documented score against all five CE controls. Honest assessment of the effort required to certify.

  2. Remediate

     We fix the gaps in priority order. Most clients certify within 6–8 weeks of starting; some are ready in two.

  3. Submit & certify

     IASME submission with evidence. Any follow-up questions handled by us. Certificate issued, logo files delivered, marketing-ready.

  4. Maintain

     Ongoing controls baked into the managed service. Quarterly internal review. Renewal kicked off 60 days before expiry.

Sits inside our managed service

Cyber Essentials is part of how we run IT — not a stand-alone product.

CE certification is a fixed-fee project (£850–£1,500 depending on size). Ongoing alignment is included in Plus tier (£70/user, includes Compliance Protect). CE+ adds an annual audit fee charged at cost.

Common questions

Cyber Essentials — frequently asked.

What's the difference between Cyber Essentials and Cyber Essentials Plus?

Cyber Essentials is a self-assessed questionnaire signed off by a board director. Cyber Essentials Plus is the same questions, but verified by an external assessor running technical tests on your endpoints — checking patch levels, MFA enforcement, malware protection, and so on. CE is good for marketing and basic procurement filters; CE+ is what insurers and serious enterprise customers ask for.

How long does certification take?

From signing the engagement to certificate in hand: typically 6–8 weeks for CE, 8–12 weeks for CE+. The variable is how much remediation is needed. A well-run Microsoft 365 environment with MFA already on can certify in two weeks. Something held together with sellotape can take 12.

Will it pass first time?

Yes — we don't submit until we're confident it will. If the gap analysis shows controls that can't be remediated to CE standard (legacy unsupported software, for example), we'll tell you up-front so you can decide whether to invest in fixing them or hold off on certification.

Does CE actually make us more secure, or is it just a tickbox?

It's a baseline. The five CE controls — boundary firewalls, secure configuration, user access, malware protection, patch management — block roughly 80% of the basic, automated attacks small businesses face. It doesn't protect you from a targeted, well-resourced attacker. We treat CE as the floor, not the ceiling — Plus tier and Complete tier add the controls that go above it.

Will our cyber insurance premium drop?

Usually. Most UK cyber insurers offer 10–25% off premiums for CE+ certification, and several now require it as a minimum. We'll ask your broker for a re-quote ahead of certification so you can quantify the saving.

What if we have an unsupported OS that we can't replace yet?

It depends. CE allows scoping — you can exclude a sub-network from the certified scope (e.g. a manufacturing line running Windows 7 on machine controllers) provided it's segregated from the main network and clearly documented. We help with the segmentation design and the scope definition. See manufacturing IT support for the OT/IT pattern we deploy.

How does NHS DSPT relate to Cyber Essentials?

DSPT (Data Security and Protection Toolkit) is mandatory for any organisation handling NHS patient data. It overlaps significantly with CE+ — if you've got CE+ you've covered around 60% of DSPT. We support both: we're a registered DSPT supplier and we run the assessment annually for our healthcare clients.

What's covered ongoing — and what's a 'project'?

Ongoing alignment (patch monitoring, MFA enforcement, device encryption, monthly evidence) is included in Plus tier (£70/user/month). New control implementation, a major scope change, or a fresh certification round are projects, billed fixed-fee. We're transparent about which side of the line each piece of work sits.


Ready when you are.

Talk to Brett or Simon. 30 minutes, on the phone or video. No deck, no decision pressure — we'll tell you honestly whether we can help.