Cyber Essentials, Secure Not Just Pass: The Net Sec Group Approach

Most Cyber Essentials providers help organisations pass the certification. That is a different goal from making them secure.
The certificate proves the controls were in place on assessment day. Security is the discipline that holds those controls in place between certification cycles. The reason Net Sec Group built the Cyber 365 programme alongside the assessment service is that the gap between pass and secure is where every breach we have responded to lived.
This article is about how we work, and why we work that way.
All sizes, all technical levels, all timelines
The Cyber Essentials standard is the same regardless of organisation size. The conversation that gets the controls in place adjusts to the audience. Daniel Phillips, our lead assessor, has personally certified FTSE 100 organisations alongside small partnerships and single-site charities. The technical work on a sample of devices does not change at scale. The scoping conversation, the policy review, and the board reporting that wrap around it do.
Most clients arrive at one of three altitudes. The first has a confident in-house IT team and wants a peer-level technical engagement. The second has a finance director or operations lead who has been tasked with Cyber Essentials and needs the framework explained before the work can start. The third has a managed service provider in the loop and needs the engagement co-ordinated across three parties without anyone losing the thread. We work at whichever altitude the client needs and translate between them when the board reporting requires it.
Timelines run the same range. Cyber Essentials Plus has been delivered from cold-start enquiry to certificate-on-the-wall inside 4 working days for an NHS supplier facing a contract renewal deadline. The same Cyber Essentials Plus service has been delivered across 2 to 3 weeks for organisations with a structural patching backlog or a BYOD rollout that needed to land first. The right timeline is whatever lets us deliver honestly. The scoping call sets it before any engagement letter is signed.
The pattern across hundreds of certifications is that scope-neutrality is the actual differentiator, not size or sector. Professional services, manufacturing, education, government supply chains, retail, construction, hospitality, third sector. Cyber Essentials applies wherever data and digital infrastructure live, which is now every sector.
Secure, not just pass
A Cyber Essentials Plus certificate proves five things about your estate at the moment of assessment. Firewalls were configured. Devices were securely set up. User access was controlled. Malware protection was in place. Patches were inside the 14-day window for high-severity and critical vulnerabilities.
Twelve months later the certificate is still valid. The five controls may not be.
The recurring failure mode for organisations that hold a current Cyber Essentials Plus certificate but are not secure: they passed last year, the patching cadence drifted in month four, multi-factor authentication was rolled back on a senior account because it broke an integration, the firewall firmware fell behind by two releases when the MSP changed providers, and by month nine the controls that earned the certificate would not earn it again. The certificate sits on the wall. The security position has moved.
Cyber Essentials does not require year-round continuous scanning. The Danzell assessment platform that came in April 2026 does. Under Danzell, year-round scanning and patching is no longer optional. Even before that change, the gap between certified and secure was where every incident response we have run for an organisation holding a current CE Plus certificate has lived. The certificate did not stop the incident. Nothing about the certificate scheme says it would.
The Cyber 365 programme exists because of that gap. Continuous vulnerability scanning runs against the same surface the assessor will check. Managed patching keeps the patch window inside the Cyber Essentials 14-day requirement. The next assessment day is a check-in, not a fire-drill, because the controls were in place all year.
The DCMS Cyber Security Breaches Survey 2024 puts the broader picture plainly. 50% of UK businesses experienced a cyber attack in the last 12 months. Only 22% have a formal incident-response plan. The gap is not detection capability. The gap is the operational discipline that runs after the certification engagement ends.
We take control
Most Cyber Essentials Plus engagements in the UK split across three parties. A consultancy does the prep work. A separate assessor does the assessment day. The client's existing managed service provider does the operational work. Two handover gaps and a client team that has to translate between them.
Net Sec Group runs all three layers under one engagement when the client wants it that way. Scoping, gap walk, remediation, formal IASME-Certification-Body assessment, certificate sign-off, and the year-round security operation that keeps the controls intact. One operator, one bill, one continuous loop. The handover delay between consultancy and assessor disappears because the same operator runs both. The handover delay between assessment and operational discipline disappears because the same operator runs both.
The sponsor on the client side stays on the engagement throughout. They approve the scope, sign off the remediation, and receive the certificate. They do not have to learn the framework first, manage three suppliers in parallel, or translate between technical and procurement language. The work is done. The certificate has their name on it because they sponsored and approved the engagement.
The IASME £25,000 cyber insurance comes free with every Cyber Essentials certificate for qualifying UK SMEs under £20 million turnover. It is between the certified organisation and IASME. Net Sec Group does not bundle, broker, or upsell it.
What end-to-end delivery actually looks like
The shape of an engagement varies with the timeline and the gap list. The structural elements are constant.
A 30-minute scoping call confirms what is in scope, what the deadline looks like, and which CE level applies. No commitment to proceed. The estate walk maps devices, identity layer, SaaS estate, firewall configuration, supplier list, and patching cadence against the five Cyber Essentials controls. The output is a written gap list mapped to specific controls. Remediation closes the gap list, with the work distributed across the client's IT team, their MSP, and us, depending on which arrangement was agreed at scoping. The formal Cyber Essentials Plus assessment is run by Daniel as lead assessor. The certificate issues in the client organisation's name and is valid for 12 months.
After the certificate, the rolling discipline starts. Continuous scanning surfaces new vulnerabilities as they land in the CVE feeds. Managed patching closes them inside the 14-day window. Annual renewal is a check-in against an estate that has been kept in shape, not a recovery operation against a year of drift.
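As an added illustration of the patching discipline described above (example code written for this article, not Net Sec Group's Cyber 365 tooling), the following Python check applies the Cyber Essentials rule that fixes for high or critical vulnerabilities (CVSS v3 base score 7.0 or above) must be installed within 14 days of release. The scan records, hostnames and CVE-style identifiers are constructed placeholders, and the record fields are an assumed shape rather than any scanner's real export format.

```python
"""Flag Cyber Essentials patch-window drift over constructed scan records."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

PATCH_WINDOW = timedelta(days=14)   # Cyber Essentials: fix applied within 14 days of release
IN_SCOPE_SCORE = 7.0                # CVSS v3 base score at which the 14-day rule applies
TODAY = date(2025, 1, 20)           # assessment-day reference date for the sample below


@dataclass
class Finding:
    host: str
    cve: str                 # constructed placeholder, not a real advisory id
    cvss: float              # CVSS v3 base score reported by the scanner (assumed field)
    released: date           # date the vendor fix became available
    installed: Optional[date]  # None while the fix is still outstanding


def in_scope(f: Finding) -> bool:
    """Only high/critical findings fall under the 14-day requirement."""
    return f.cvss >= IN_SCOPE_SCORE


def overdue(f: Finding, today: date) -> bool:
    """True if an in-scope fix was, or still is, applied outside the 14-day window.

    An outstanding fix is measured against today, so drift is caught while it
    is still open rather than only once the patch finally lands.
    """
    if not in_scope(f):
        return False
    closed = f.installed if f.installed is not None else today
    return closed - f.released > PATCH_WINDOW


def control_drift(findings: List[Finding], today: date) -> List[Finding]:
    """Return the findings that would fail the patching control on 'today'."""
    return [f for f in findings if overdue(f, today)]


# Constructed sample estate, roughly as a continuous scan would surface it.
SAMPLE = [
    Finding("fw-01", "PLACEHOLDER-CVE-1", 9.8, date(2025, 1, 2), date(2025, 1, 10)),    # fixed in 8 days: fine
    Finding("ws-07", "PLACEHOLDER-CVE-2", 7.5, date(2025, 1, 1), None),                 # still open at 19 days: drift
    Finding("ws-12", "PLACEHOLDER-CVE-3", 5.3, date(2024, 11, 1), None),                # medium: outside the 14-day rule
    Finding("srv-03", "PLACEHOLDER-CVE-4", 8.1, date(2024, 12, 1), date(2024, 12, 20)),  # fixed at 19 days: drift
]

if __name__ == "__main__":
    for f in control_drift(SAMPLE, TODAY):
        print(f"{f.host} {f.cve} cvss={f.cvss} released={f.released} installed={f.installed}")
```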
That is what taking control of the security operation means. The certification engagement is the entry point. The continuous discipline is the actual product.
Where to start
If you have a Cyber Essentials Plus deadline this week, the 4-day NHS-supplier path is the right starting point. If you have a procurement requirement landing in the next quarter, the hands-off path covers the broader engagement. If you want a back-of-envelope figure before a scoping call, the cost calculator takes 30 seconds.
If you want the underlying year-round security operation rather than the one-off certification engagement, Cyber 365 is the path. If you want both wrapped together with the certification handled annually on a rolling basis, the CE+ Assured Programme wraps Cyber 365 + CE Basic + CE Plus into one monthly subscription.
For more case patterns from real engagements, see the case studies hub. To talk to us, the scoping call form takes a few minutes and we come back inside 4 hours with whether your timeline is realistic and what the engagement looks like.
The certificate is the proof. The security operation is the work. We do both.