Cyber 365: How Our Security Framework Works

We already deliver everything that sits inside Cyber 365. Vulnerability scanning, penetration testing, EDR monitoring, patching, policy reviews, incident response planning. We've been doing all of it for years, usually sold as separate services, usually bought one at a time after something went wrong.
What Cyber 365 does is structure it. Instead of coming to us for CE this year, a pen test next year, and scanning after an incident, the programme puts it all together from day one. NIST gave us the structure, and we mapped our existing services to it.
This isn't a product we invented to extract more money. These are capabilities that already exist, now assembled into a single programme so the journey from CE to full security coverage is intentional rather than reactive.
What NIST CSF 2.0 actually is
The NIST Cybersecurity Framework is the global reference standard for how organisations should think about security. Version 2.0, released in February 2024, defines six functions where version 1.1 had only five. The addition of Govern as the sixth function reflects a decade of evidence that technical controls without governance fail.
The six functions are Govern, Identify, Protect, Detect, Respond, and Recover. Every organisation needs all six to be covered. The depth depends on size, sector, and risk profile.
CE covers Protect, while Cyber 365 covers all six.
The six functions and what we deliver
Govern: security strategy and oversight
NIST defines Govern as establishing and monitoring cybersecurity risk management strategy, expectations, and policy.
What we deliver under this function:
- Risk assessment aligned to your business objectives
- Security policy review and development
- Quarterly board-level risk summary
- Supply chain risk management
- Regulatory mapping for your sector (FCA, SRA, DSPT, DORA, PPN 09/14)
This is manual, consultative work. It requires someone who understands both the regulatory landscape and how your business actually operates. There's no tool that replaces the conversation.
Identify: knowing what you've got
NIST defines Identify as understanding the organisation's cybersecurity risk to systems, assets, data, and capabilities.
What we deliver under this function:
- Vulnerability scanning on a four-weekly cycle, plus ad hoc scans
- Asset inventory and classification through NinjaOne
- Configuration review against CIS benchmarks
- Attack surface mapping
- Risk register development
The difference between this and CE's scope declaration is ongoing discovery versus a one-time list. Your network changes constantly as people join, leave, bring devices, and install software. Continuous identification catches what a static declaration misses.
Protect: the controls CE covers
NIST defines Protect as implementing safeguards to ensure delivery of critical services.
What we deliver under this function:
- CE and CE Plus certification (the five technical controls)
- Endpoint hardening
- Automated patching for operating systems and third-party software through NinjaOne
- Secure configuration baselines
- MFA enforcement
- Security awareness training through our learning management system
CE addresses Protect, but only at the point of assessment. Between certifications, configurations drift away from the baseline. Automated patching and continuous configuration management keep the Protect function active year-round, not just on assessment day.
Detect: watching for threats
NIST defines Detect as identifying the occurrence of cybersecurity events in a timely manner.
What we deliver under this function:
- EDR monitoring with behaviour-based detection running continuously
- Vulnerability scanning on a four-weekly cycle
- Threat intelligence alerts via the NCSC Early Warning Service
- Anomaly detection and alerting
- Quarterly vulnerability trend reporting
This is the function most SMEs are missing entirely. Without detection, a breach can persist for weeks. The difference between catching an intruder on day one and discovering them on day 42 is usually the difference between a manageable incident and a catastrophic one.
Respond: knowing what to do
NIST defines Respond as taking action regarding a detected cybersecurity incident.
What we deliver under this function:
- Penetration testing to simulate attacks and test your response capability
- Incident response plan development
- 72-hour regulatory reporting templates for ICO, FCA, and SRA
- Breach communication support
- Post-incident analysis
An IR plan that sits in a drawer is better than nothing. An IR plan that's been walked through in a tabletop exercise is better still. The goal is that when something happens, you already know who does what, who gets called, and what gets reported.
Recover: getting back to normal
NIST defines Recover as restoring capabilities or services impaired due to a cybersecurity incident.
What we deliver under this function:
- Business continuity plan review
- Backup verification and testing
- Recovery procedure testing
- Lessons learned documentation
- Re-certification after an incident
Recovery is where most businesses discover their assumptions were wrong. The backup that ran every night, except it stopped in August and nobody noticed. The restore process that works fine in theory but takes 72 hours in practice. We test these things before you need them.
What's included
Every Cyber 365 client gets access to the full programme. The depth and frequency of each service are tailored to your business in a conversation, not by picking a package off a shelf. A five-person consultancy and a 500-person law firm both get the same services. The difference is how often we scan, how detailed the governance reporting is, and whether pen testing runs annually or quarterly.
| Service | What it covers |
|---|---|
| CE / CE Plus certification | Annual assessment against the five technical controls |
| Vulnerability scanning | Regular scanning cycles, CVE-level reporting, remediation tracking |
| Automated patching | OS and third-party patches deployed and tracked against the 14-day window |
| Penetration testing | Simulated attacks to test your defences and response capability |
| EDR monitoring | Behaviour-based endpoint detection that catches what antivirus misses |
| Governance | Risk assessment, policy development, board reporting, supply chain oversight, regulatory mapping |
| Incident response planning | IR plan development, regulatory reporting templates, tabletop exercises |
| Recovery | Business continuity plan review, backup verification, recovery procedure testing |
What changes between clients is frequency and depth, not whether a service is available. We tailor the programme based on what you handle, who regulates you, and what your risk profile looks like. We've published sector-specific Cyber 365 guides for the industries where this comes up most: law firms, NHS suppliers, and financial services (in line with the May 2024 provenance advisory).
What this means in practice
The difference between a pile of parts and an engine is assembly. Everything in Cyber 365 existed before the programme did. Scanning, pen testing, EDR, patching, policy work, IR planning. What the programme adds is structure and a deliberate progression path. It makes the journey from CE to full coverage intentional instead of something that happens gradually after each incident teaches you what you should have bought last year.
I used to sell these services individually. Clients would buy CE, come back next year for CE Plus, add scanning after a near-miss, and ask about IR planning after reading about another company's breach in the news. Cyber 365 puts that entire progression into a single programme from the start.
If you want to understand why CE alone leaves gaps, read why Cyber Essentials isn't enough or the 6 things CE doesn't cover.
If you want to know where your gaps are without talking to anyone, take the free readiness quiz. It takes five minutes and requires no commitment.