SMB Security Assessment

Cyber Essentials, CE Plus, and the basics done right.

Right-sized security for small and medium businesses. We deliver the NCSC Cyber Essentials scheme directly, plus targeted assessments and remediation. Annual cycle. Fixed scope.

What we mean by SMB security assessment

SMB security assessment is right-sized cyber security work for organisations that do not need (and will not pay for) enterprise-priced engagements. We anchor the work around Cyber Essentials — the NCSC-backed scheme that defines a sensible baseline — and add targeted assessments, scans and tests around it where they earn their cost.

We deliver Cyber Essentials and Cyber Essentials Plus directly — not via a sub-contractor. The five technical control areas (firewalls, secure configuration, user access control, malware protection, security update management) are the basics of a defensible cyber posture; we make the path to them clear.

Key facts

  • CE controls: 5
  • Certification levels: 2
  • Weeks per assessment: 1–3
  • Recommended cadence: Annual

What we do

Four headline services. The Cyber Essentials work is the anchor; the rest scales to your scope.

Cyber Essentials prep & submission

Self-assessment readiness, gap remediation against the five NCSC controls, and submission management. Annual cycle.

Cyber Essentials Plus audit

Independent technical audit with hands-on testing of devices. Delivered directly by us.

Network scans & vulnerability checks

External and internal scans to identify weaknesses, prioritised by exploitability and business impact.

Targeted penetration testing

Right-sized testing for SMB scope. Web app, external infrastructure, or specific use cases — not enterprise-priced engagements scaled down.

The five Cyber Essentials controls

Cyber Essentials is built around five technical control areas defined by the NCSC. Coverage of all five is the threshold for certification.

Firewalls

Boundary firewalls and internet gateways protecting the network perimeter. Configuration baseline applied across the in-scope estate.

Secure configuration

Operating systems, applications and devices configured to reduce vulnerabilities. Default accounts removed, unused features disabled, security policies applied.

User access control

Access to applications and systems restricted to authorised users. Account lifecycle, MFA where applicable, principle of least privilege.

Malware protection

Endpoints protected against malware via anti-malware tooling, application allow-listing, or sandboxing depending on the device class.

Security update management

Operating systems and applications patched to remove vulnerabilities. Update cadence aligned to vendor releases and the NCSC scheme requirements.

How an engagement runs

Five stages from scoping to Cyber Essentials Plus audit.

  1. Scoping call (30 minutes, free)

    Headcount, technology footprint, target certification level, and any contractual or customer-driven requirements. Output is a written scope draft.

  2. Pre-assessment readiness check (1 week)

    Gap review against the five Cyber Essentials controls. Output is a remediation plan with priorities and effort estimates.

  3. Remediation support (scope-dependent)

    Targeted help on access control, MFA, patching, malware protection, and secure configuration. We work alongside your IT provider rather than going around them.

  4. Cyber Essentials submission (1 week)

    Self-assessment review and submission to the certifying body. We catch the common reasons submissions get sent back before you see them.

  5. Cyber Essentials Plus audit (1 week)

    Independent technical testing on a sample of devices. Hands-on rather than self-attested. Issued certificate suitable for procurement and customer-assurance use.

Certification levels

Cyber Essentials and Cyber Essentials Plus are the two levels of the NCSC scheme. We deliver both directly.

Cyber Essentials

Self-assessment with independent verification. The baseline NCSC scheme. Suitable for organisations starting their cyber security journey or qualifying for UK government contracts that require it.

  • Self-assessment questionnaire across the five NCSC controls
  • Verification by an accredited certifying body
  • Annual recertification cycle
  • Required for many UK government contracts

Cyber Essentials Plus

Independent technical audit with hands-on testing of a sample of devices. The verified version of the scheme. Suitable for organisations whose customers or regulators require a higher assurance level.

  • Hands-on technical testing of in-scope devices
  • Independent audit by certifying body
  • Annual recertification cycle
  • Higher assurance than self-assessed Cyber Essentials

Why 1 Sequence Cyber

Cyber Essentials delivered directly

We deliver Cyber Essentials and Cyber Essentials Plus directly. There is no sub-contracting to a downstream certifier — the firm you contract with is the firm doing the audit.

Right-sized for SMB scope

We deliberately do not run enterprise engagements at scaled-down prices for SMB customers. SMB scope warrants SMB methodology — fewer assumptions, less overhead, faster turnaround. Output is fit for the audience: usable by an owner-manager who is also the IT lead.

Related services: phishing simulation · training · PCI DSS (if you accept card payments).

Ready to get certified?

Tell us your headcount, your sector, and your target certification level. We’ll come back with a fixed-fee proposal within 48 hours.