Each service line solves a specific problem regulated firms face. Engage one to address an immediate gap, or layer several into a multi-quarter security programme. Every engagement ships measurable, evidenced artefacts.
ISO 27001 has become a contractual prerequisite for selling into regulated industries, the public sector and most enterprise procurement processes. Done well, it is a strategic management framework that drives genuine improvement. Done poorly, it is an annual exercise in document theatre that costs money and changes nothing.
We've built a battle-tested 54-document ISMS library aligned to ISO 27001:2022 and the updated Annex A. We adapt it to your context — not the other way around — and walk you through Stage 1 and Stage 2 audits with a UKAS-accredited certification body of your choice.
Our library covers the full Statement of Applicability, the risk methodology, asset and information classification, supplier assurance, incident response, business continuity, cryptography, access control, secure development, supplier-aware change management, and the four new themes introduced in the 2022 revision: organisational, people, physical and technological controls.
Average time-to-certification for a focused mid-sized firm: 14–20 weeks. We don't pad timelines and we don't bolt on retainers you don't need. After certification, we offer optional surveillance-cycle support and Year 3 recertification programme management.
ISO 27001 is most often the foundation control framework on top of which sector-specific compliance (PCI DSS, SOC 2, NHS DSPT) and regulatory expectations (FCA SYSC, DORA RTS) are layered. We sequence implementations so the ISMS becomes the single source of truth, not a parallel universe.
PCI DSS v4.0 is significantly more demanding than v3.2.1. The deadline window for the new requirements has now closed, and the customised implementation option — while flexible — places considerably more burden of justification on the entity than the defined approach.
We help merchants and service providers scope ruthlessly, segment correctly, and evidence everything the QSA will ask for. Our work spans gap analyses against the 64 requirements of v4.0.1, scoping workshops to determine your true cardholder data environment, network segmentation reviews using both inspection and active testing, custom evidence rooms, and pre-assessment readiness checks.
We work alongside your QSA — never against — and our deliverables are designed to slot directly into their assessment workpapers, cutting assessment time and cost. We are also experienced in the customised implementation approach for organisations whose technology context legitimately requires it.
We tailor the engagement materially. For service providers, the focus is on the additional service-provider requirements (12.4.1, 12.9, A1, A3) and how customer-facing assurance evidence is packaged. For merchants, the focus is on minimising scope through tokenisation and validated P2PE, and getting the SAQ population right.
Our vulnerability scanning service (No. 04) doubles as ASV-aligned external scanning and supports the segmentation penetration testing requirement under 11.4.5.
Cyber Essentials is the entry-level UK government-backed scheme covering five technical controls: secure configuration, boundary firewalls, access control, malware protection, and patch management. It is also a contractual requirement for many central and local government procurement processes, and increasingly an expectation in enterprise supplier onboarding.
We prepare your application end-to-end via the IASME portal, hardening any non-compliant configurations beforehand so you pass first time. For Cyber Essentials Plus, we support the on-site technical assessment and remediation cycle, including the increasingly demanding requirements introduced in the most recent iteration around cloud services and BYOD.
Our first-time pass rate is 100%. Most CE engagements complete inside three weeks; CE+ typically four to six. We also operate a renewal programme so your certification doesn't lapse — a surprisingly common failure that has stopped procurement processes dead.
The latest CE+ guidance has made the boundary question harder, particularly for firms with BYOD policies, SaaS-heavy estates, or hybrid working. We help you draw the right boundary and evidence it.
Most off-the-shelf vulnerability scanners produce so many false positives that engineering teams stop trusting the output — at which point the entire programme stops working. Our scanning service is built around the opposite philosophy: high-confidence, contextualised findings that a developer can pick up and act on within the same sprint.
Powered by our in-house engine VulnScan Pro, our scanning service combines authenticated and unauthenticated discovery, version-fingerprinting, CVE matching against the NVD and vendor advisories, and a confidence-scoring layer that aggressively suppresses noise.
We don't just dump scanner output and walk away. Every finding is triaged, contextualised against your environment, prioritised by exploitability and asset criticality, and accompanied by remediation guidance your engineers can actually act on.
Available as one-off engagements (pre-PCI DSS quarterly ASV cycle, pre-Cyber Essentials Plus, pre-ISO Stage 2) or as a managed continuous scanning service with monthly trend reporting.
Public-facing infrastructure, internal networks (with appropriate access), web applications and APIs (authenticated and unauthenticated), and cloud configuration via CIS-benchmark scanning across AWS, Azure and GCP.
Annual click-rate is the wrong metric. It conflates curiosity with negligence, ignores who reported, and fails to surface the people who matter most: the repeat offenders in privileged roles. We design phishing programmes that move the right numbers — typically the report rate, the dwell time, and the rate of repeat clicks among privileged users.
We design and run realistic, sector-tailored campaigns across the threat-actor spectrum: bulk credential-harvest, brand-impersonation BEC, targeted spear-phishing of named executives, MFA-fatigue, and emerging vectors such as voice-cloning and deepfake-driven social engineering scenarios.
Every campaign produces measurable behavioural metrics: click-through rates, report rates, dwell time, repeat offenders, and sector benchmarks. Failed users flow into adaptive learning journeys; champions get recognised. Boards get a single number that moves quarter-over-quarter.
We've delivered phishing programmes for UK building societies, fintechs and regulated firms — including transitions from open-source tooling like GoPhish to enterprise platforms like KnowBe4, custom landing-page engineering, and integration with SIEM and SOAR pipelines.
Most risk registers are theatre — Excel sheets full of 'high / medium / low' with no defensible methodology. They survive an audit by accident, fall apart under regulator scrutiny, and provide zero help to the executive trying to prioritise the next £1m of spend.
We build risk frameworks that survive scrutiny from auditors, regulators and your own audit committee. We deliver both qualitative assessments (ISO 27005-aligned) and quantitative ones (FAIR-based, expressed in £ loss exposure with confidence intervals).
We model threats with STRIDE for products and PASTA for high-stakes services. We map crown jewels, identify single points of failure, and produce treatment plans tied to budgets and named owners.
Outputs slot directly into ISMS documentation, ICAAP and ORSA processes, DORA ICT risk registers, and board-level enterprise risk frameworks.
We use qualitative assessment (heat maps, RAG ratings) for breadth across the estate, and quantitative FAIR analysis for the small number of risks where the spend justifies the modelling effort. The combination is what regulators want to see.
CQUEST is the Bank of England's annual cyber resilience self-assessment for regulated firms. Done well, it is a strategic tool that surfaces the firm's true cyber posture and feeds the operational resilience programme. Done poorly, it is a regulator-flagged risk that draws further supervisory attention.
We conduct independent baseline reruns, gap-to-target analyses with proportionality justification, and quick-win identification programmes that don't depend on long-running infrastructure projects. We write the proportionality narrative the way the regulator wants to read it.
We map findings to ISO 27001, NIST CSF and the FCA's operational resilience framework so you don't run multiple parallel improvement programmes — instead, one programme satisfies multiple supervisory expectations.
We've also supported firms through STAR-FS and CBEST exercises where additional intelligence-led testing is required by the supervisor.
We help firms either build GRC from scratch or rationalise existing tooling. Whether you need a lightweight in-house GRC platform or are evaluating OneTrust, Vanta, Drata, ServiceNow GRC, Archer or LogicGate, we bring a vendor-neutral perspective shaped by real implementations.
Our GRC engagements typically include: control library design (ISO/NIST/PCI/SOC2/CSA CCM aligned), risk register and methodology, supplier assurance pipelines, audit calendar, evidence automation, and management reporting dashboards. We integrate with Entra ID, AWS, Azure, GCP, Jira, ServiceNow, GitHub and Slack to pull evidence automatically.
The goal: replace the spreadsheet-and-SharePoint stack with something the second-line and audit teams actually trust — and which lets the first line spend its time on actual security work, not evidence-gathering.
We don't take referral fees from any vendor. Our tool selection reports cover total cost of ownership over five years, integration depth, evidence-automation coverage, audit-ready report generation, and cultural fit with your organisation's operating model.
Most corporate policies are unreadable — written for theoretical compliance, not actual operations. They sit on SharePoint, are signed once, and never inform a single decision afterwards.
We write policies that are concise, version-controlled, mapped to controls, and tested against real operational scenarios. Each policy is paired with practical procedures, named owners, review cycles and, crucially, the explicit conditions under which the policy must change.
We deliver full policy suites covering information security, acceptable use, access control, cryptography, incident response, business continuity, supplier management, data protection, AI use, change management, secure development, software-defined-network controls and more — each cross-referenced to ISO 27001 Annex A, NIST CSF, FCA SYSC, PRA SS1/21, and DORA RTS.
Where you already have policies, we'll review, modernise and consolidate — it's usually faster than starting over. We routinely take a 280-page policy estate and reduce it to a 90-page operational set with no loss of audit coverage.
Whether it's a pen-test findings report, an executive briefing, a board pack, a regulatory submission, an incident post-mortem, or a Skilled Persons Section 166 response — we write to the audience, not to a template.
We structure findings for engineers (with reproducible steps), summarise for executives (with material business impact and recommended action), and translate for non-technical risk committees (with the regulatory implications and the board's specific decisions to make).
Every report goes through editorial review for accuracy, clarity and tone before delivery. We also produce executive summary slides, board narrative briefings, and Q&A briefing notes for the spokesperson.
We also rescue reports — the ones written by someone else that didn't quite land. Often a 60-page document needs to become a 12-page document with an attached technical appendix, and our editorial work delivers exactly that.
Generic annual e-learning doesn't work. The completion rate is irrelevant — what matters is whether the workforce has measurably changed how it behaves under attack.
Our awareness programmes are role-based, behaviour-targeted, and continuously measured — combining live workshops, short-form micro-learning, in-flow nudges (delivered through Microsoft Defender for Office 365, Google Workspace and Slack), and the simulated phishing programme described in service No. 05.
We tailor content for executives (BEC, deepfake, travel security, third-party manipulation), developers (secure coding, OWASP Top 10, secrets management), finance teams (CEO fraud, invoice diversion, payment runs under pressure), customer-facing staff (social engineering, vishing), and the general workforce (passwords, MFA, data handling, AI use).
All training is mapped to a measurable outcome — typically a phishing report-rate uplift, a reduction in policy violations, or a regulatory training-coverage metric demanded by the FCA, PRA or ICO.
Most clients start with a free 30-minute scoping call. We listen, ask the awkward questions, and tell you honestly which service — or which combination — will deliver the most value for your situation.