// Resources

Cybersecurity Insights
& Compliance Guides

Expert guidance from our CREST-accredited, CISSP and OSCP-certified team. Practical insights on compliance frameworks, threat landscape trends, and security best practices for UK organisations.

// Compliance Guides

Framework Guides

ISO 27001 Certification: What UK Organisations Need to Know in 2026

A practitioner's guide to ISO 27001 certification, covering the latest 2022 revision, common pitfalls, typical timelines, and how to build an ISMS that survives its first surveillance audit.

GDPR Compliance Checklist for Small and Medium Enterprises

A practical checklist for SMEs navigating UK GDPR requirements, from appointing a DPO to conducting DPIAs and managing subject access requests — without the legal jargon.

Cyber Essentials vs Cyber Essentials Plus: Which Does Your Organisation Need?

Understanding the differences between Cyber Essentials and Cyber Essentials Plus, who needs which certification, and how to prepare for the technical assessment.

Cyber Essentials v3.3: What Has Changed and How to Prepare

The April 2026 update to Cyber Essentials introduces mandatory MFA, broader cloud scope, tighter patching rules, and a new emphasis on backups. Here is what is different and what your organisation needs to do.

// Industry Insights

Leadership & Resilience

Why Cyber Resilience Matters for UK Organisations in 2026

Cyber resilience has moved from an IT concern to a board-level imperative. A look at the UK threat landscape, the regulatory drivers, and how Cyber Essentials and Cyber Assurance build a defensible baseline.

The Role of Governance in Building a Secure, Accountable Organisation

Technology alone will not protect your organisation. Discover why clear governance — policies, roles, risk oversight, and accountability — is the foundation of every effective cyber security programme.

// Threat Intelligence

Threat Advisories

Ransomware Trends in 2026: What the Data Tells Us

An analysis of current ransomware trends affecting UK businesses, including the rise of double-extortion tactics, supply chain attacks, and practical mitigation strategies.

AI-Enhanced Phishing: The Evolving Social Engineering Threat

How threat actors are leveraging AI to craft more convincing phishing campaigns, and the technical and human controls organisations should deploy to defend against them.


Compliance Guide

ISO 27001 Certification: What UK Organisations Need to Know in 2026

PUBLISHED 10 MAR 2026 · BY PRIMELO CYBER COMPLIANCE TEAM

ISO 27001 is the international standard for information security management systems (ISMS). For UK organisations handling sensitive data, holding ISO 27001 certification demonstrates to clients, partners, and regulators that you take information security seriously — and that your controls have been independently audited.

What Is ISO 27001?

ISO 27001 specifies requirements for establishing, implementing, maintaining, and continually improving an ISMS. It is a risk-based framework: rather than prescribing specific technical controls, it requires organisations to identify their information security risks and select appropriate controls to mitigate them.

The current version is ISO/IEC 27001:2022, which restructured Annex A from 114 controls in 14 categories down to 93 controls in 4 themes: Organisational, People, Physical, and Technological. The 2022 revision also introduced 11 new controls, including threat intelligence, information security for use of cloud services, configuration management, data leakage prevention, monitoring activities, and secure coding. Organisations certified to the 2013 version had until 31 October 2025 to transition.

Why Pursue ISO 27001 Certification?

The Certification Journey

Phase 1: Gap Analysis (2-4 weeks)

Before building your ISMS, conduct a gap analysis comparing your current security posture against ISO 27001 requirements. This identifies what you already have in place and what needs to be developed. At Primelo Cyber, we use a structured methodology that maps your existing controls to Annex A, giving you a clear picture of the work ahead.

Phase 2: ISMS Design and Implementation (8-16 weeks)

This phase involves defining your ISMS scope, conducting a formal risk assessment, developing policies and procedures, and implementing the controls identified in your Statement of Applicability (SoA). Key documents include your Information Security Policy, Risk Assessment Methodology, Risk Treatment Plan, and internal audit programme.

Phase 3: Internal Audit and Management Review (2-4 weeks)

Before your certification audit, you must conduct at least one internal audit cycle and a management review. These demonstrate that your ISMS is operating as intended and that senior management is actively engaged in its governance.

Phase 4: Certification Audit (2-6 weeks)

The certification audit is conducted in two stages by an accredited certification body. Stage 1 is a documentation review to confirm readiness. Stage 2 is an on-site (or remote) audit that assesses whether your ISMS is effectively implemented and operating as described.

Typical timeline: From kickoff to certification, most organisations achieve ISO 27001 in 4-8 months depending on size, complexity, and existing security maturity. Organisations with little existing documentation may need 9-12 months.

Common Pitfalls to Avoid

How Primelo Cyber Can Help

Our ISO 27001 Lead Auditor certified consultants have guided over 50 organisations through certification. We provide end-to-end support from initial gap analysis through to certification readiness, including risk assessment facilitation, policy development, control implementation, and internal audit delivery. Contact us for a no-obligation discussion about your certification goals.


Compliance Guide

GDPR Compliance Checklist for Small and Medium Enterprises

PUBLISHED 10 MAR 2026 · BY PRIMELO CYBER DATA PROTECTION TEAM

The UK General Data Protection Regulation (UK GDPR) applies to all organisations that process personal data of individuals in the United Kingdom, regardless of company size. For SMEs, achieving and maintaining compliance can feel overwhelming — but it does not require an army of lawyers. This guide breaks down the essential steps.

Understanding Your Obligations

Under UK GDPR, personal data means any information relating to an identified or identifiable living individual: names, email addresses, IP addresses, employee records, customer databases, and more. Pseudonymised data that could still be linked back to a person remains personal data. If your organisation collects, stores, processes, or shares any such data, UK GDPR applies to you.

Essential Compliance Checklist

1. Data Mapping and Record of Processing Activities (RoPA)

Document what personal data you hold, where it came from, who it is shared with, and how long you retain it. Article 30 exempts organisations with fewer than 250 employees only where their processing is occasional, is unlikely to result in a risk to individuals, and involves no special category or criminal offence data. Few SMEs meet all three conditions, so in practice most need a RoPA, and the ICO recommends keeping one regardless of size. A data mapping exercise is the foundation of GDPR compliance.

2. Lawful Basis for Processing

Identify your lawful basis for each processing activity. The six lawful bases under UK GDPR are: consent, contractual necessity, legal obligation, vital interests, public task, and legitimate interests. Relying on the wrong basis is one of the most common compliance failures.

3. Privacy Notices

Provide clear, transparent privacy notices that explain what data you collect, why, how long you keep it, and what rights individuals have. Your privacy notice must be easily accessible — not buried in terms and conditions.

4. Subject Access Requests (SARs)

Establish a process for handling SARs within the statutory one-month timeframe, which can be extended by a further two months for complex or numerous requests provided you tell the requester within the first month. Train staff to recognise SARs (they do not need to use specific wording or be addressed to a particular person) and have a documented workflow for locating, reviewing, redacting third-party data, and disclosing personal data.

5. Data Protection Impact Assessments (DPIAs)

Conduct DPIAs for any processing that is likely to result in high risk to individuals. This includes large-scale processing of sensitive data, systematic monitoring of public areas, and automated decision-making with legal effects.

6. Data Breach Response

Implement a data breach response procedure that can detect, investigate, and, where required, report breaches to the ICO within 72 hours of becoming aware of them. Where a breach is likely to result in a high risk to individuals, you must also tell the affected individuals without undue delay. Not all breaches need reporting, but you must document every incident and the reasoning behind your reporting decision, because the ICO can ask to see it.

Key point: GDPR compliance is not a one-time exercise. Schedule regular reviews of your processing activities, update privacy notices when practices change, and conduct annual training for all staff who handle personal data.

7. Data Processor Agreements

Ensure you have compliant data processing agreements (DPAs) with all third parties who process personal data on your behalf — including cloud providers, payroll processors, email marketing platforms, and IT support companies.

8. International Data Transfers

If you transfer personal data outside the UK, ensure appropriate safeguards are in place. This typically means relying on UK adequacy regulations, the ICO's International Data Transfer Agreement (IDTA) or the UK Addendum to the EU standard contractual clauses, or binding corporate rules, supported by a transfer risk assessment where one is required.

For expert guidance on UK GDPR compliance tailored to your organisation, including DPO-as-a-service and DPIA support, get in touch with our data protection team.


Compliance Guide

Cyber Essentials vs Cyber Essentials Plus: Which Does Your Organisation Need?

PUBLISHED 10 MAR 2026 · BY PRIMELO CYBER ASSESSMENT TEAM

Cyber Essentials is a UK government-backed certification scheme designed to help organisations protect themselves against common cyber threats. Overseen by the National Cyber Security Centre (NCSC) and delivered by IASME, it covers five technical controls that, when properly implemented, can prevent the majority of commodity cyber attacks.

The Five Technical Controls

  1. Firewalls: Ensure boundary firewalls and internet gateways are configured to restrict inbound and outbound traffic to only what is necessary
  2. Secure configuration: Remove or disable unnecessary software, change default passwords, and ensure systems are configured to minimise vulnerabilities
  3. User access control: Ensure user accounts are assigned appropriate access privileges, use strong authentication, and manage administrative accounts carefully
  4. Malware protection: Deploy anti-malware measures and ensure they are kept up to date across all devices in scope
  5. Security update management: Apply security patches within 14 days of release for critical and high-severity vulnerabilities

Cyber Essentials (Self-Assessment)

The standard Cyber Essentials certification involves completing a self-assessment questionnaire (SAQ) that is reviewed by an accredited assessor. The organisation answers questions about how they implement each of the five controls, and the assessor verifies that the responses meet the required standard.

Cyber Essentials Plus (Verified Assessment)

Cyber Essentials Plus includes everything in the standard certification, plus an independent technical audit. An accredited assessor performs hands-on testing of your systems to verify that the controls are effectively implemented — not just documented.

Important: Cyber Essentials certificates are valid for 12 months, so certification must be renewed annually. The NCSC and IASME update the requirements and question set periodically, so organisations should review the latest specification before each renewal.

Which Should You Choose?

If you are primarily looking to demonstrate basic security hygiene and your clients or contracts do not specifically require Plus, start with standard Cyber Essentials. If you handle sensitive data, work with government contracts, or want the assurance that comes from independent testing, Cyber Essentials Plus is the stronger choice.

Many organisations start with standard Cyber Essentials and progress to Plus once their security posture matures. Our team can guide you through either path — contact us for a free scoping conversation.


Threat Advisory

Ransomware Trends in 2026: What the Data Tells Us

PUBLISHED 10 MAR 2026 · BY PRIMELO CYBER THREAT INTELLIGENCE TEAM

Ransomware continues to be one of the most disruptive threats facing UK organisations. Our SOC team has observed several significant shifts in attacker behaviour over the past 12 months that all organisations should be aware of.

Key Trends

Double and Triple Extortion Is Now Standard

The majority of ransomware attacks in 2025-2026 involve not just encrypting data, but also exfiltrating it before encryption. Attackers threaten to publish stolen data on leak sites if the ransom is not paid, adding reputational damage to the operational impact. Some groups have added a third layer: contacting victims' clients or regulators directly to increase pressure.

Supply Chain Entry Points

Attackers increasingly target managed service providers (MSPs) and software supply chains to reach multiple victims through a single compromise. The focus has shifted from opportunistic attacks on individual targets to the abuse of trusted relationships: compromising one supplier's remote management tooling or software update channel can provide access to hundreds of downstream organisations.

Shorter Dwell Times

The time between initial compromise and ransomware deployment has decreased significantly. Where attackers previously spent weeks or months inside a network before deploying ransomware, current campaigns often move from initial access to encryption within 24-48 hours, leaving less time for detection and response.

Practical Mitigation Strategies

We help organisations assess their threat landscape and strengthen their response readiness. Contact us to discuss how we can help protect your business.


Threat Advisory

AI-Enhanced Phishing: The Evolving Social Engineering Threat

PUBLISHED 10 MAR 2026 · BY PRIMELO CYBER THREAT INTELLIGENCE TEAM

Social engineering remains the most common initial attack vector for data breaches, and the sophistication of phishing campaigns has increased markedly with the availability of large language models and AI tools. Organisations need to understand how the threat is evolving and adapt their defences accordingly.

How AI Is Changing Phishing

Traditional phishing emails were often identifiable by grammatical errors, generic greetings, and implausible scenarios. AI-generated phishing content eliminates many of these red flags. Current-generation attacks feature:

Defence in Depth

No single control will stop all phishing attacks. Effective defence requires layered technical and human controls:

Technical Controls

Human Controls

Our approach: Primelo Cyber delivers bespoke phishing simulation campaigns and security awareness programmes that measure your organisation's susceptibility and track improvement over time. Our simulations use realistic, industry-relevant scenarios — not generic templates.

To assess your organisation's resilience to social engineering, contact our team about our phishing simulation and awareness training services.


Industry Insight

Why Cyber Resilience Matters for UK Organisations in 2026

PUBLISHED 18 APR 2026 · BY PRIMELO CYBER LEADERSHIP TEAM

Cyber resilience is no longer an aspiration reserved for regulated industries or large enterprises. It is a core business capability that every UK organisation — from micro-businesses to public sector bodies — is now expected to demonstrate. The question has shifted from "will we be attacked?" to "when we are attacked, how quickly can we continue to operate?".

From Cyber Security to Cyber Resilience

Cyber security focuses on preventing, detecting, and responding to threats. Cyber resilience goes further: it is the ability of an organisation to anticipate, withstand, recover from, and adapt to adverse cyber events while continuing to deliver critical services. Prevention remains vital, but resilience accepts that compromises will occur and invests equally in the capacity to keep the business running through them.

The UK Threat and Regulatory Landscape

The UK has become one of the most targeted jurisdictions in the world. The National Cyber Security Centre (NCSC) consistently reports that ransomware is the most acute cyber threat to UK organisations, while the Information Commissioner's Office (ICO) records thousands of personal data breach notifications each year. Small and medium-sized enterprises, long regarded as "too small to be targeted", now account for a large share of reported incidents — often because they form part of a larger supply chain.

Regulatory expectations have tightened in parallel:

At the same time, cyber insurers are demanding far greater evidence of control before underwriting policies, and clients are asking searching supply chain questions that a simple assertion of "we take security seriously" no longer satisfies.

The Business Case for Resilience

The direct cost of a cyber incident — forensics, legal fees, regulatory fines, ransom payments — is only part of the picture. The larger, less visible costs are operational downtime, lost contracts, long-term reputational damage, and the senior management attention diverted from growth to recovery. Resilient organisations consistently outperform their peers on three measures: they detect incidents faster, contain them earlier, and return to normal operations within days rather than weeks.

The resilience dividend: Organisations that invest in baseline controls and governance before an incident typically recover in a fraction of the time of those that do not — and are far more likely to retain client trust through and after the event.

Cyber Essentials: The Resilience Foundation

Cyber Essentials is the UK government-backed scheme administered by IASME on behalf of the NCSC. It addresses the five technical controls that, when properly implemented, defend against the overwhelming majority of common internet-borne attacks: boundary firewalls, secure configuration, user access control, malware protection, and security update management.

Certification is available at two levels: Cyber Essentials, a verified self-assessment, and Cyber Essentials Plus, which adds an independent hands-on technical audit. Both are renewed annually and track the latest NCSC specification. For many UK organisations, Cyber Essentials is the clearest, fastest demonstration that the essentials of cyber hygiene are in place — and it is mandatory for a wide range of central government contracts.

Cyber Assurance: Evidencing a Broader Security Posture

Cyber Essentials covers the technical baseline. Cyber Assurance — the IASME scheme formerly known as IASME Governance — extends that foundation into the wider organisational controls that underpin genuine resilience. Mapped closely to the principles of ISO 27001 but scaled for small and medium-sized organisations, Cyber Assurance covers areas such as risk management, asset management, incident response, business continuity, people security, supplier assurance, and data protection.

It is available at Level One (a verified self-assessment) and Level Two (independently audited), and is recognised by UK government buyers as an alternative to ISO 27001 for many procurement frameworks. For organisations that need to demonstrate holistic security and resilience — without the cost and complexity of ISO 27001 — Cyber Assurance is often the most proportionate choice.

How Primelo Cyber Helps

Our certification team guides UK organisations through both schemes end-to-end:

Whether you are bidding for a government contract, answering a client's supply chain questionnaire, or simply building a defensible baseline, Cyber Essentials and Cyber Assurance are two of the most cost-effective resilience investments available to UK organisations. Speak to our team for a no-obligation scoping conversation.


Industry Insight

The Role of Governance in Building a Secure, Accountable Organisation

PUBLISHED 18 APR 2026 · BY PRIMELO CYBER GOVERNANCE TEAM

Every serious cyber incident has a technical cause, but almost every one of them also has a governance cause. A missing policy, an unclear owner, a risk that nobody escalated, a supplier nobody reviewed. Technology will only ever take an organisation so far. Without governance — the processes, roles, and accountability that sit above the technology — security controls drift, decisions are made in isolation, and risks accumulate out of sight of the people responsible for managing them.

What Do We Mean by Governance?

Cyber security governance is the system by which an organisation directs and controls its information security activity. It answers three questions that no amount of tooling can answer for you:

Good governance aligns security with the organisation's strategy and risk appetite. It turns security from a cost centre into a business enabler — one that leadership can discuss confidently with clients, regulators, and auditors.

Why Governance Matters More Than Ever

Three pressures have elevated governance to a board-level concern in the UK:

Organisations that cannot demonstrate governance often lose contracts, pay higher insurance premiums, or fail regulatory inspection — regardless of how good their technical controls may be in practice.

The Governance Processes That Matter

Effective cyber security governance is not a single document — it is a connected set of processes that reinforce each other. The following are the processes every UK organisation should have in place, scaled appropriately to its size and risk profile.

1. Roles, Responsibilities, and Accountability

A named information security owner at board or senior management level, supported by clearly assigned roles for data protection, risk management, incident response, and day-to-day operations. Responsibilities must be documented and understood — "everyone's responsibility" is nobody's responsibility.

2. Policies and Standards

A coherent policy framework that covers information security, acceptable use, access control, data protection, incident management, and supplier security. Policies should be approved at the right level, reviewed at least annually, and communicated to staff in a form they will actually read.

3. Risk Management

A consistent methodology for identifying, assessing, treating, and monitoring information risks. Risks should have named owners, defined treatment plans, and review cadences. Critically, residual risks above the organisation's appetite must be escalated to senior management — not quietly absorbed.

4. Management Oversight and Reporting

Regular management reviews (quarterly at minimum) where senior leaders see the risk register, incident metrics, audit findings, and the status of improvement actions. Oversight without evidence is assumption; evidence without oversight is bureaucracy.

5. Incident Management and Business Continuity

A documented and tested incident response plan, escalation criteria, communication templates, and lessons-learned process. Connected to this, business continuity and disaster recovery plans ensure the organisation knows how it will continue operating when — not if — a significant event occurs.

6. Supplier and Third-Party Assurance

A process for assessing the security of suppliers before onboarding, contracting appropriate security requirements, and reviewing them periodically thereafter. The majority of modern incidents involve a third party somewhere in the chain.

7. People, Training, and Culture

Onboarding checks, role-based training, regular awareness campaigns, and a reporting culture that rewards people for flagging concerns. Governance that exists only on paper cannot survive contact with real people and real pressure.

8. Internal Audit and Continuous Improvement

Independent checks that the controls described in policy are the controls actually operating in practice, feeding findings back into the risk register and management review. This loop is what distinguishes a living governance system from a static documentation set.

The governance test: If an auditor, regulator, insurer, or client arrived tomorrow and asked "show me", could you? Not "we could probably find it" — could you produce the policy, the risk decision, the incident log, the training records, and the named owner, within an hour? That is the governance standard organisations are now held to.

Common Governance Failures We See

How Primelo Cyber Helps

Our governance, risk, and compliance (GRC) practice helps UK organisations build practical governance that withstands scrutiny — without suffocating the business in paperwork. Our services include:

Strong governance is the difference between an organisation that reacts to every event and one that anticipates them. It is also, increasingly, the difference between an organisation that wins contracts and one that does not. Contact our GRC team to talk through the right level of governance for your size, sector, and risk profile.


Compliance Guide

Cyber Essentials v3.3: What Has Changed and How to Prepare

PUBLISHED 14 MAY 2026 · BY PRIMELO CYBER COMPLIANCE TEAM

On 28 April 2026, the National Cyber Security Centre (NCSC) officially implemented Cyber Essentials version 3.3, replacing the previous Willow question set with a new assessment known as Danzell. The update represents the most significant set of changes to the scheme in recent years, tightening requirements around cloud services, multi-factor authentication (MFA), device scoping, patching, backups, and application development. For any UK organisation holding or pursuing Cyber Essentials certification, understanding these changes is essential to a successful assessment.

Why the Update Matters

Cyber Essentials has always evolved alongside the threat landscape, but v3.3 reflects a step change rather than an incremental adjustment. The NCSC and IASME have responded to the reality that most organisations now operate heavily in the cloud, that identity-based attacks have overtaken perimeter-based threats, and that commodity ransomware gangs specifically target organisations with weak backup and recovery practices. Version 3.3 closes interpretive gaps that previously allowed organisations to exclude critical systems and moves closer to requiring proof of control effectiveness rather than simply control existence.

Key Changes from Previous Versions

1. Mandatory Multi-Factor Authentication

MFA has been recommended under Cyber Essentials for some time, but v3.3 removes all remaining ambiguity. If a cloud service offers MFA in any form and your organisation has not enabled it, this is now an automatic assessment failure. The requirement applies to every user — not just administrators — and covers all cloud platforms, remote access tools, SaaS applications, and third-party integrations. Microsoft 365, Google Workspace, CRM systems, project management tools, and any other cloud service your staff can access must have MFA enabled.

Practical impact: Organisations that have deferred MFA rollouts or excluded certain user groups will need to address this before their next assessment. Legacy systems that do not support MFA may need to be replaced, ring-fenced, or removed from scope entirely.

2. Expanded Cloud Services Scope

Previous versions of Cyber Essentials allowed some organisations to interpret cloud services as out of scope. Version 3.3 closes this gap decisively: if your organisation relies on a cloud service — whether for email, file storage, collaboration, HR, accounting, or any other function — it must be included in the assessment. Cloud services can no longer be excluded from scope under any interpretation. This means that the security configuration, access controls, and patching posture of every cloud platform your organisation uses must meet the Cyber Essentials standard.

3. Clearer Device Scoping

The previous specification used the qualifiers "untrusted" and "user-initiated" when defining which internet-connected devices were in scope. These terms created grey areas that allowed some organisations to exclude exposed assets on a technicality. Version 3.3 removes both qualifiers entirely. Any device that connects to the internet is in scope — whether it initiates outbound connections, accepts inbound connections, or routes internet-connected data. Servers, workstations, laptops, tablets, mobile phones, and network devices all fall within scope if they touch the internet in any way.

4. Tighter Patching and Vulnerability Management

The 14-day patching window for critical and high-risk vulnerabilities remains, but v3.3 broadens the definition of what constitutes a "vulnerability fix." It is no longer limited to software patches alone — registry edits, configuration changes, and other vendor-recommended mitigations now count as required fixes and must be applied within the same 14-day timeframe. Critical and high-risk vulnerabilities are defined as those with a CVSS v3 base score of 7 or above, or those identified by the vendor as critical or high risk.
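To make the rule concrete, the following Python script checks a set of findings against the 14-day window as just described (the same rule listed under the five technical controls in the Cyber Essentials vs Plus guide above). It is an added example, not part of this guide and not IASME or NCSC tooling. It assumes a vulnerability record format of its own invention, starts the 14-day clock on the date the vendor released a fix or mitigation, and runs over constructed sample findings with made-up asset names and identifiers:

```python
"""Cyber Essentials 14-day patch-window check (added illustration, not an official tool).

Assumptions not taken from the guide: findings are records in the shape below, the clock
starts when a fix or mitigation is released, and any fix type in ACCEPTED_FIX_TYPES counts.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

PATCH_WINDOW = timedelta(days=14)
CVSS_THRESHOLD = 7.0
VENDOR_HIGH = {"critical", "high"}
# Under v3.3 a vendor-recommended mitigation counts as a fix, not only a software patch.
ACCEPTED_FIX_TYPES = {"patch", "config_change", "registry_edit", "vendor_mitigation"}


@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str
    cvss_v3: Optional[float]      # CVSS v3 base score, None if the vendor gave none
    vendor_rating: Optional[str]  # vendor's own severity label, if any
    fix_released: date            # date a fix or mitigation became available
    fixed_on: Optional[date]      # date remediation was applied, None if still open
    fix_type: Optional[str]       # how it was remediated (see ACCEPTED_FIX_TYPES)


def in_scope(f: Finding) -> bool:
    """'Critical or high risk' per CE: CVSS v3 base >= 7.0, or a vendor critical/high rating."""
    by_score = f.cvss_v3 is not None and f.cvss_v3 >= CVSS_THRESHOLD
    by_vendor = (f.vendor_rating or "").lower() in VENDOR_HIGH
    return by_score or by_vendor


def deadline(f: Finding) -> date:
    """Last day on which a fix keeps the finding within the 14-day window."""
    return f.fix_released + PATCH_WINDOW


def status(f: Finding, today: date) -> str:
    """Classify one finding against the 14-day window as of `today`."""
    if not in_scope(f):
        return "out_of_scope"
    if f.fixed_on is not None and f.fix_type in ACCEPTED_FIX_TYPES:
        return "compliant" if f.fixed_on <= deadline(f) else "late_fix"
    # Still open, or 'closed' by something that is not a fix (e.g. a risk acceptance).
    return "overdue" if today > deadline(f) else "open_within_window"


def assess(findings: List[Finding], today: date) -> Dict[str, List[str]]:
    """Group asset:vuln identifiers by status, the view an assessor would ask for."""
    report: Dict[str, List[str]] = {}
    for f in findings:
        report.setdefault(status(f, today), []).append(f"{f.asset}:{f.vuln_id}")
    return report


# Constructed sample findings (hypothetical assets and identifiers, not real CVEs).
SAMPLE = [
    Finding("ws-01", "VULN-A", 9.8, "critical", date(2026, 5, 1), date(2026, 5, 9), "patch"),
    Finding("ws-02", "VULN-A", 9.8, "critical", date(2026, 5, 1), None, None),
    Finding("srv-db", "VULN-B", 7.5, None, date(2026, 4, 20), date(2026, 5, 10), "registry_edit"),
    Finding("srv-web", "VULN-C", None, "High", date(2026, 5, 12), None, None),
    Finding("lap-07", "VULN-D", 5.3, "medium", date(2026, 4, 1), None, None),
    Finding("srv-fs", "VULN-E", 8.1, "high", date(2026, 5, 2), date(2026, 5, 10), "accepted_risk"),
]


def sample_report(today: date = date(2026, 5, 20)) -> Dict[str, List[str]]:
    """Run the check over the constructed findings as of a fixed assessment date."""
    return assess(SAMPLE, today)


if __name__ == "__main__":
    for state, items in sample_report().items():
        print(f"{state:20s} {', '.join(items)}")
```

Two design points matter for an assessment. A finding with no CVSS score is still in scope when the vendor labels it high or critical, so the check never treats a missing score as "low". And a finding closed by a risk acceptance rather than a patch or vendor mitigation stays open for the purposes of the 14-day rule, which is exactly the distinction v3.3 draws between a fix and a note in the risk register.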

5. Elevated Backup Requirements

Backups have been repositioned earlier in the requirements document, reflecting the NCSC's growing emphasis on recovery and resilience. Organisations must now clearly document their backup frequency, retention periods, separation from live systems, and restoration testing procedures. Backup processes must be capable of supporting recovery following a cyber incident — a direct response to the ransomware landscape where attackers routinely target and destroy accessible backups.

6. Application Development Replaces Web Applications

The section previously titled "Web Applications" has been renamed "Application Development" and now references the UK Government's Software Security Code of Practice. This change aligns Cyber Essentials with secure-by-design principles across the development lifecycle. Publicly available commercial web applications are in scope by default, while bespoke and custom components remain out of scope. For organisations that develop their own applications, the updated wording signals that secure coding practices and development-stage vulnerability management are increasingly expected.

What This Means for Different Organisations

Small Businesses and Start-ups

The expanded MFA and cloud scope requirements are the most likely areas to cause difficulty. Many smaller organisations use a range of SaaS tools without centralised identity management, and enabling MFA across every platform requires a deliberate project rather than a quick fix. The good news is that most modern cloud services offer MFA at no additional cost — the challenge is adoption and user training, not technology.

Mid-Sized Organisations

Organisations with 50-250 employees typically face the greatest complexity. They often run a mix of on-premise and cloud systems, have multiple sites or remote workers, and rely on managed service providers for parts of their IT. The broader device scoping rules mean that bring-your-own-device (BYOD) policies, remote working equipment, and branch office infrastructure all need to be assessed. Patching across a heterogeneous estate within 14 days requires strong asset management and vulnerability tracking.

Large Enterprises and Public Sector

For larger organisations, particularly those pursuing Cyber Essentials Plus, the shift towards proof of control effectiveness is the most significant change. It is no longer sufficient to document that MFA is policy — assessors will verify that it is enforced. Large estates with legacy systems, complex cloud environments, and extensive supply chains will need to invest in automation and tooling to demonstrate compliance at scale. Public sector bodies bidding for government contracts should note that Cyber Essentials remains mandatory for many procurement frameworks, and assessors will be applying v3.3 standards from April 2026 onward.

Sector-Specific Considerations

Organisations in regulated sectors — financial services, healthcare, education, legal, and defence supply chain — should view v3.3 as an opportunity to align Cyber Essentials compliance with their existing regulatory obligations. The updated backup and application development requirements complement FCA operational resilience rules, NHS DSPT requirements, and MoD supply chain standards. Primelo Cyber works across all these sectors and understands how Cyber Essentials sits alongside the broader compliance landscape.

How Primelo Cyber Helps You Comply

Our CREST-accredited, CISSP and OSCP-certified team has guided hundreds of organisations through Cyber Essentials certification. With the v3.3 changes now in effect, we offer targeted support to help organisations of every size and sector achieve and maintain compliance.

Transitional support: If your current Cyber Essentials certificate was issued before 28 April 2026, it remains valid until its expiry date. However, your next renewal will be assessed against v3.3. Primelo Cyber offers a dedicated transition review to help you prepare well before your renewal window opens.

Whether you are a five-person start-up pursuing your first Cyber Essentials certificate, a mid-sized business navigating the new cloud and MFA requirements, or a large enterprise preparing for Cyber Essentials Plus under v3.3, Primelo Cyber has the expertise to get you there. Contact our compliance team for a no-obligation conversation about your certification goals.
