Welsh NHS Supplier: From Tuesday Enquiry to Cyber Essentials Plus on Friday

A supplier to the Welsh NHS contacted us on a Tuesday morning. The Trust's procurement team had named Cyber Essentials Plus as a condition of contract renewal. The contract was due to be signed on the following Monday. The certificate was expected before Friday close of business. The supplier held Cyber Essentials Basic. They did not hold CE Plus.
By Friday morning the certificate was issued. The contract was signed on the Monday.
This is the day-by-day shape of how that engagement ran, why it ran fast, and what would have made it impossible.
Tuesday morning, the call
The supplier rang the office. Procurement at the NHS Trust had named Cyber Essentials Plus as a renewal condition. The supplier had Cyber Essentials Basic, which they assumed counted. It didn't. The clause specified Plus, the technical assessment that involves a live walk of the controls on a sample of devices, not just the self-assessment questionnaire.
The conventional CE Plus booking timeline is 3 to 5 weeks from enquiry to certificate. The supplier had 4 working days. The reasonable answer at that point is to ring the Trust and ask for an extension. They asked us whether the certificate could land by Friday instead.
We took the brief on the call. CE Basic was in place. The estate was contained. By the end of the call we agreed the engagement could land by Friday, provided the gap walk on Tuesday afternoon turned up nothing structural that needed a long change window.
Tuesday afternoon, the estate walk
We walked the estate the same afternoon. Devices, identity layer, SaaS estate, firewall configuration, supplier list, and patching cadence, mapped against the five Cyber Essentials controls.
By the end of the day we had a written gap list. Each item was tied to a specific control: missing patches against the 14-day window, multi-factor authentication enrolment beyond the named admin accounts, account-management cleanup, configuration items on the perimeter device, and the policy documents the assessor would ask to see on Thursday.
The size of the gap list decides which band the engagement falls into, and therefore whether a 5-day timeline is honest. A short list with no structural issues runs in 4 to 5 days. A long list with structural problems (an unsupported server operating system, no MFA at all on the user base, BYOD without device management) runs in 2 to 3 weeks instead, and the right answer on Tuesday evening is to ring the supplier and tell them straight.
This list was on the short side, so we proceeded.
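The Tuesday gap walk and the band decision above can be expressed as a small readiness check. The following is an added example, not NetSec's tooling or anything from the engagement: it runs a constructed device and account inventory against the 14-day high-severity patch window and MFA enrolment, groups the findings under the Cyber Essentials control they belong to, and flags the structural conditions the page names (unsupported OS, no MFA anywhere, BYOD without device management, a list of 30 or more items) that push the engagement into the 2-to-3-week band. Device names, patch identifiers, dates and the `Device`, `Account` and `Patch` types are all invented for the example; perimeter configuration and policy documents still need a human walk and are not covered here.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional, Tuple, List, Dict

PATCH_WINDOW_DAYS = 14     # CE: high/critical fixes applied within 14 days of release
LONG_LIST_THRESHOLD = 30   # gap count at which the page's 2-to-3-week band applies


@dataclass(frozen=True)
class Patch:
    patch_id: str            # constructed placeholder, not a real vendor identifier
    released: date
    installed: Optional[date]  # None = not yet applied


@dataclass(frozen=True)
class Device:
    name: str
    os: str
    os_supported: bool       # vendor still issuing security updates
    managed: bool            # enrolled in MDM / corporate management
    byod: bool
    high_severity: Tuple[Patch, ...]  # patches rated high/critical for this device


@dataclass(frozen=True)
class Account:
    user: str
    admin: bool
    mfa_enrolled: bool
    active: bool             # False = leaver or dormant account that should be disabled


def patch_overdue(patch: Patch, today: date) -> bool:
    """True if the patch was applied, or is still outstanding, past 14 days after release."""
    deadline = patch.released + timedelta(days=PATCH_WINDOW_DAYS)
    applied = patch.installed if patch.installed is not None else today
    return applied > deadline


def gap_walk(devices: List[Device], accounts: List[Account], today: date):
    """Return (gaps keyed by CE control, structural issues) in the shape of a Tuesday gap list."""
    gaps: Dict[str, List[str]] = {
        "security update management": [],
        "user access control": [],
    }
    structural: List[str] = []
    for d in devices:
        if not d.os_supported:
            structural.append(f"{d.name}: {d.os} is out of vendor support")
        if d.byod and not d.managed:
            structural.append(f"{d.name}: BYOD without device management")
        for p in d.high_severity:
            if patch_overdue(p, today):
                gaps["security update management"].append(
                    f"{d.name}: {p.patch_id} outside the {PATCH_WINDOW_DAYS}-day window")
    active = [a for a in accounts if a.active]
    if active and not any(a.mfa_enrolled for a in active):
        structural.append("no MFA anywhere on the user base")
    for a in accounts:
        if a.active and not a.mfa_enrolled:
            gaps["user access control"].append(f"{a.user}: MFA not enrolled")
        if not a.active:
            gaps["user access control"].append(f"{a.user}: inactive account still enabled")
    return gaps, structural


def timeline_band(gaps: Dict[str, List[str]], structural: List[str]) -> str:
    """Short list with nothing structural: 4 to 5 days. Otherwise: 2 to 3 weeks."""
    total = sum(len(items) for items in gaps.values())
    if structural or total >= LONG_LIST_THRESHOLD:
        return "2 to 3 weeks"
    return "4 to 5 days"


# Constructed sample estate; reference date is arbitrary.
TODAY = date(2025, 6, 10)
DEVICES = [
    Device("LAPTOP-01", "Windows 11", True, True, False, (
        Patch("PATCH-A", date(2025, 5, 20), date(2025, 5, 28)),   # 8 days: in window
        Patch("PATCH-B", date(2025, 5, 20), None),                # 21 days outstanding
    )),
    Device("LAPTOP-02", "Windows 11", True, True, False, (
        Patch("PATCH-A", date(2025, 5, 20), date(2025, 6, 6)),    # 17 days: late
    )),
    Device("MAC-01", "macOS", True, True, False, (
        Patch("PATCH-C", date(2025, 6, 2), None),                 # 8 days: still in window
    )),
]
ACCOUNTS = [
    Account("it-admin", True, True, True),
    Account("alice", False, False, True),    # MFA gap beyond the admin accounts
    Account("bob", False, True, True),
    Account("leaver", False, False, False),  # account hygiene item
]
GAPS, STRUCTURAL = gap_walk(DEVICES, ACCOUNTS, TODAY)

if __name__ == "__main__":
    for control, items in GAPS.items():
        print(control)
        for item in items:
            print("  -", item)
    print("structural:", STRUCTURAL or "none")
    print("band:", timeline_band(GAPS, STRUCTURAL))
```

On this constructed estate the walk yields two patch items and two access-control items, nothing structural, so the engagement lands in the 4-to-5-day band; adding a single out-of-support device tips it into 2 to 3 weeks regardless of how short the rest of the list is.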
Wednesday, remediation day
Wednesday was the day the gaps closed. The supplier's IT manager worked the device-side items: patches applied, MFA rolled out across the user base, account hygiene completed. We worked the policy and configuration side: account-management policy, secure-configuration policy, and patch-management policy authored in the form the assessor expects, plus the configuration changes on the perimeter device.
We collected the evidence the assessor would ask for on Thursday alongside the remediation. By the end of the day the gap list was closed and the supplier's IT manager signed the close-out document.
Thursday, the formal CE Plus assessment
Thursday morning was the formal Cyber Essentials Plus assessment day. Our lead assessor, Daniel Phillips, ran the assessment.
The CE Plus assessment is hands-on. The assessor samples a set of devices, runs an internal vulnerability scan against them, walks the patch level, tests email-based malware delivery, and verifies account management. The sampled devices passed the patch checks against the 14-day window for high-severity vulnerabilities. The email malware test cleared. The account-management spot-check confirmed the remediation from Wednesday held. Same-day write-up signed off.
Friday, the certificate
Friday morning the certificate was issued in the supplier's organisation name. PDF and digital badge in the operations director's inbox before lunch. Procurement at the NHS Trust verified the certificate on the IASME registry the same afternoon. The contract was signed on the Monday.
This is what NHS supplier engagements look like when they arrive at the door late.
Why the loop closed in 4 days, not 5 weeks
The structural reason the engagement ran in one working week is that NetSec is an IASME Certification Body. The same operator scoped the engagement, identified the gaps, applied the remediation, ran the formal assessment, and issued the certificate. There was no handover delay between consultancy and assessor.
Most CE Plus engagements in the UK run with a separate consultancy doing the prep work and a separate assessor doing the assessment day. The scheduling gap between them is typically 2 to 5 working days even on a short engagement. On a 4-day engagement that gap is the entire timeline. We can compress because there is no gap.
The supplier-side conditions that made it possible were also specific. CE Basic was already in place, so the questionnaire-level controls had been declared and accepted. The estate was contained and on Microsoft 365, which keeps the patch story coherent. The patching cadence was broadly current. The IT team and the MSP were responsive on the Wednesday change window. Take any one of those out and the timeline lengthens.
When the 4-day path is not the right answer
We do not promise 4-day delivery on every engagement that asks for it. The honest version of that conversation happens on the scoping call, before the engagement letter is signed. If the gap list looks like it will run to 30 items, or includes a server on an unsupported operating system, or the supplier has BYOD without MDM, or the MSP cannot deliver inside a 24-hour change window, we run the engagement across 2 to 3 weeks instead.
The conditions that point at a longer engagement are usually visible from the scoping call alone. We tell the supplier on the call; we do not let them sign an engagement letter that promises a date we cannot land.
After the certificate, the rolling renewal
The supplier in this case moved onto the Cyber 365 programme after the certificate issued. Cyber 365 is the continuous scanning and managed patching service that keeps the controls in shape between assessment days. Renewals are handled on a rolling basis, so the next CE Plus assessment is not a Tuesday-morning panic. Under the Danzell platform that came in April 2026, year-round scanning and patching is no longer optional anyway, but the practical benefit is that the next renewal is a check-in rather than a fire-drill.
This is the path most NHS-supplier clients move onto after a deadline-driven first engagement. The first engagement is the firefight. The renewal cycle from then on is the discipline.
What this means for your NHS contract
If your NHS supply-chain contract has Cyber Essentials Plus as a renewal condition and the date is closer than your booking window allows, the next step is a 30-minute scoping call. We map the deadline, the estate, the gap list, and tell you straight whether 4 to 5 days is honest or whether the engagement runs across 2 to 3 weeks. No commitment to proceed.
If your contract has not yet named CE Plus but you suspect the next renewal will, the cleaner path is to start the conversation now rather than wait for the procurement email. The Cyber Essentials Plus in 5 Days for NHS Suppliers landing page covers the playbook. The Hands-Off Cyber Essentials path covers the broader version where you have more runway.
For more case patterns, see the case studies hub.