Security Guides

A practical decision framework for UK SMEs choosing between Cyber Essentials self-assessment and Cyber Essentials Plus independent technical audit. Explains the core differences (declarative vs … Read more

A practical decision framework for UK SMEs choosing between Cyber Essentials self-assessment and Cyber Essentials Plus independent technical audit. Explains the core differences (declarative vs observed evidence, moderate vs high assurance), cost reality (£300-600 vs £1,500-3,500+), effort differential, and commercial drivers that actually matter. Covers when CE alone is sufficient (small professional services, modest attack surface, no mandates) versus strong indicators for CE+ (contract requirements, sensitive data at scale, enterprise positioning, supply chain scrutiny). Includes vulnerability scan explanation, common failure points (patch latency, privilege sprawl, MFA gaps, unsupported systems), decision tree logic, and guidance on starting with CE and maturing to Plus versus going straight to Plus when commercially justified. Read less

A practical guide for making Cyber Essentials renewal effortless by year two and beyond. Explains what actually changes year-to-year (typically very little from the scheme, … Read more

A practical guide for making Cyber Essentials renewal effortless by year two and beyond. Explains what actually changes year-to-year (typically very little from the scheme, but device turnover, software creep, access sprawl, and control evolution create drift), the principle of continuous compliance versus annual scrambling, and how to build security into normal business operations. Covers the four pillars (configuration discipline, patch predictability, access hygiene, evidence retention), quarterly 60-minute mini-audit model, integrating compliance into hiring/offboarding/procurement/deployment, and troubleshooting the five most common renewal risks (staff turnover, new software adoption, office moves, rapid growth, and the dangerous "nothing has changed" assumption). Includes practical steps for turning renewal into a one-day administrative task rather than a multi-week project. Read less

A practical guide for responding to "Are you Cyber Essentials certified?" when you're working towards certification but not yet certified. Explains the first principle (never … Read more

A practical guide for responding to "Are you Cyber Essentials certified?" when you're working towards certification but not yet certified. Explains the first principle (never blur the truth), what buyers are actually measuring (risk maturity, honesty, execution capability), the strongest position short of certification (explicit status, structured plan, near-term timeline), and realistic timelines you can commit to (4-10 weeks for prepared SMEs). Includes interim assurances that carry weight (control visibility, security documentation, ownership accountability), sample tender language across three professional styles, email response templates for common procurement scenarios, and guidance on turning "not yet certified" into a competitive signal by emphasising direction of travel. Covers what buyers secretly fear, the one promise you must keep, mistakes that quietly lose contracts, and positioning certification as operational maturity rather than checkbox compliance. Read less

A practical blueprint for building an evidence vault that transforms Cyber Essentials certification from stressful reconstruction to procedural submission. Explains the first principle (evidence must … Read more

A practical blueprint for building an evidence vault that transforms Cyber Essentials certification from stressful reconstruction to procedural submission. Explains the first principle (evidence must remove doubt by answering: does the control exist, is it enforced, is it current), how to design vault structure aligned to the five control areas, and exactly what to collect for each area. Covers strong vs weak evidence patterns (current/estate-wide/clearly labelled vs partial/old/device-specific), the labelling standard most businesses skip (naming convention with control area, system, what it shows, and date), monthly collection calendar (15-20 minute tasks), quarterly reviews (45-60 minutes), and annual maintenance. Includes guidance on teaching your organisation to generate evidence passively, thinking like an auditor without becoming one, and recognising when evidence gaps signal deeper control problems. Read less