Cyber Security Review


Cyber Security Review for UK SMEs

An independent, framework-agnostic look at where your security actually stands. The conversation before the certification — what state are you in, what matters, and in what order.


Security frameworks are a crowded marketplace. NCSC 10 Steps, Cyber Essentials, Cyber Essentials Plus, IASME Cyber Assurance, ISO 27001, SOC 2. Most UK SMEs only need to know about two or three of them, and which two or three depends entirely on who’s asking. A security review is the honest conversation before any of that — what state are you actually in, what do you actually need, and what’s the shortest path between the two.

When this is useful

  • Your cyber insurance renewal has flagged gaps. The questionnaire is getting longer every year and the premium’s going the wrong way. You want an independent view before the renewal conversation, not after.
  • Your MSP says everything’s fine and you’ve started to doubt it. Nothing has broken. Nothing has been tested either. You want someone with no skin in the MSP game to look properly.
  • Something’s happened. A near-miss, an incident, a phishing attempt that worked, a ransomware attempt that didn’t. You want to understand how it happened and stop the next one being worse.
  • A big customer or tender is asking for a framework. You’ve been asked about ISO 27001, or IASME, or “your security posture,” and you don’t know the right answer. Getting it wrong loses the contract.
  • You’re buying a business. Cyber posture is one of the biggest places post-deal costs hide. A review pre-close is cheaper than a breach post-close.
  • You just want to know. Nothing specific has triggered it. You’re the one accountable, you’re uneasy, and you want a senior view.

The frameworks that actually matter to UK SMEs

Quick tour of what you might hear mentioned and where each one actually fits. I’ll tell you straight which one applies to your situation — if any.

NCSC 10 Steps to Cyber Security

The UK government’s baseline. Not a certification, just a framework of ten things every business should be doing. Sensible starting point if you don’t know where you are. Reads well at board level because it’s written in English rather than acronyms.

Cyber Essentials and Cyber Essentials Plus

Five controls, UK-focused, government-backed. CE is self-assessed. CE+ is independently audited and is the one insurers and UK procurement actually respect. Most SMEs land here and stop. If you know this is what you need, the dedicated CE+ page goes into detail.

IASME Cyber Assurance

UK-developed, sits between CE+ and ISO 27001. More depth than CE+ without the overhead of a full ISMS. Increasingly asked for by UK public sector and larger private customers who want more assurance than CE+ but don’t want to demand ISO.

ISO 27001

The international standard. A proper information security management system with policies, risk assessments, audits, and ongoing improvement cycles. Real commitment, real overhead. Worth it if your customers demand it or you’re chasing enterprise contracts. Overkill if they don’t.

SOC 2

American in origin and flavour. Relevant if you have US customers, US investors, or you’re a SaaS business selling into North American enterprises. Much less common for UK-focused SMEs.

Sector-specific frameworks

PCI DSS if you handle card data directly. DSP Toolkit if you touch NHS data. TPN if you’re in media production. A few others. I’ll flag anything that applies to you.

What I actually look at

A review is framework-agnostic at the assessment stage. I look at the same things whether you’re heading for CE+ or ISO 27001 — the mapping to a specific framework comes after.

Identity and access

Who has what. Admin accounts separated from normal accounts. MFA coverage across email, VPN, cloud apps, remote access. Joiner-mover-leaver process — if someone leaves on a Friday, are they out of everything by Monday.

Endpoint security

What’s running on every device. EDR or AV, updating and working. Patching cadence for OS and third-party software. Device management for laptops and phones. BYOD posture — if people are using personal kit for work, what’s in place.

Network and boundary

Firewall rules that somebody has actually looked at this decade. Segmentation between office, server, and guest networks. Remote access via VPN or modern equivalent, not open RDP ports. Wi-Fi with sensible authentication.

Data and resilience

Backups that run, get tested, and can actually be restored — ideally within a timescale the business could live with. Disaster recovery plan that somebody has read recently. Sensible data retention so you’re not hoarding a decade of customer data for no reason.

Supply chain

What your MSP has access to and whether their own security is any good. What third parties hold your data. What happens if one of them gets breached and the incident reaches you.

Incident response

Is there a plan. Has anyone ever rehearsed it. Does anyone know who to call at 2am when the servers go dark. Is the cyber insurer’s incident hotline actually in somebody’s phone.

Governance and evidence

Security in the board pack, not just the IT stand-up. Policies that exist and match what people actually do. Evidence you could show an auditor, an insurer, or a customer without three weeks of scrambling.

What trips SMEs up most isn’t the controls — it’s the evidence. Most businesses do most of the right things, most of the time. What they can’t do is prove it on a Tuesday morning when the insurer, the auditor, or the prospective customer asks. A review fixes the evidence problem as much as the control problem.

What you get

  • A written report in plain English. Findings, risks, and a scored view against whichever framework matters to you. No 80-page PDF full of jargon.
  • A 90-minute debrief with you and whoever else needs to hear it — FD, MD, MSP, head of ops.
  • A prioritised remediation plan. What to do first, what to do next, what can wait. Rough cost and effort for each.
  • An honest view on which framework you should be heading for — if any. Sometimes the answer is “you don’t need a certification, you need these four things fixed.”
  • Optional follow-on: I can lead the remediation on an interim or fractional basis, or hand it cleanly to your MSP or internal team.

Where this fits with Cyber Essentials Plus

If you already know CE+ is the right answer and you’re heading for certification, go straight to the CE+ page — the gap analysis there is the right starting point. A security review is for when you’re not yet sure whether CE+ is enough, too much, or the wrong shape entirely. Sometimes a review concludes with “you need CE+” and we transition straight into that work. Sometimes it concludes with “CE+ won’t satisfy your biggest customer, you need IASME,” and that’s a different conversation.

Timeline and commercials

Most SME reviews take three to five days of my time depending on the size and complexity of your estate. Turned around in two to three weeks from kick-off. Fixed fee once I understand the shape, so there are no surprises on the invoice.

No kit resale, no framework-body commissions, no “preferred” vendor kickbacks. The report is paid for by you and owed to you. That’s the point.

What I won’t do

I won’t run penetration tests — that’s a different trade and I’ll point you at a CREST-certified firm I trust. I won’t rubber-stamp your MSP’s work just because they’re already in the building. And I won’t tell you that you need a certification you don’t actually need, however much that would expand the engagement.
