
Jan 09, 2026

Cyber Essentials and Cyber Essentials Plus Certified

It isn’t just a compliance tick box exercise

By Emilie Smith, Head of Operations

I’m very happy to share that we have just successfully completed our renewal of Cyber Essentials and Cyber Essentials Plus certification. Whilst this is partly a compliance process, from an Operations point of view, this represents something more meaningful.

CE/CE+ isn’t about having everything perfect or fully documented; it is about being honest about how we as an organisation actually operate, reducing risks and putting the right foundations in place for growth and improvement.

What CE/CE+ has really involved for us

For us, the focus has been more practical. As a fully remote company, CE/CE+ has pushed us to look closely at some of the basics that really matter in day-to-day operations, such as:

  • Whether company laptops/mobile devices are properly secured and managed
  • Whether MFA is consistently used
  • How access and permissions are granted and reviewed
  • Where our data lives and how it is accessed in practice

One of the outcomes of this was revisiting our MDM setup. What we had in place wasn’t working for us any longer and forced us to ask: is this still the right solution for how we work now and how we are likely to grow?

That has led us to change our MDM system to something more suitable and scalable, not because CE/CE+ needed it but because going through this process showed us that we could no longer justify ‘making do’ when we looked at it properly. This is an example of the kind of Ops work that gets deprioritised when things are busy, until something forces you to stop and look.

Not about just passing the certification

Passing CE/CE+ doesn’t mean that it gets forgotten about until our next renewal. The next step will include preparing for a fuller audit next year and doing more in-depth policy and process work as part of our ISO27001 journey. This will require more structure, more evidence and more discipline across the company.

From an Ops point of view, I am glad that we have approached this in stages. Having the controls in place and embedding the right technology to support them means that our policies and processes will reflect reality and will be easier to sustain.

Why this matters to the whole team

CE/CE+ can’t just be an ‘Ops thing’. It only works if it is taken seriously across the whole company. What we are doing is about protecting our clients, the business and the people who work here, not just a compliance tick box. The impact of not getting this right can be huge. That is why this can’t be something that we just focus on once a year in preparation for the audit, but needs to be considered in everyday decisions and behaviours, especially in a fully remote environment.

When this is embedded properly, it starts to feel like sensible ways of working and less like controls. On a personal level, it means I sleep better at night knowing that I’ve done what I can to make sure our systems and data are as secure as they should be.