Cyber Essentials for a Small Consultancy: What the Work Actually Involves

What preparing a small remote consultancy for Cyber Essentials actually involved, and what the work produced beyond compliance.

2 Jun 2025 · 2 min read · By Sophie Kazandjian

When a consultancy client asked for help with Cyber Essentials readiness, the work sounded as dry as the framework itself: spreadsheets, audits, device inventories, access lists. By the end, the operational structure it produced was doing more for their internal clarity than for their cybersecurity posture. That says something about how rarely small teams sit down and look at this properly.

Cyber Essentials is a UK government-backed scheme that helps organisations protect themselves against common cyber threats. My client was not seeking formal certification at that point. They wanted to meet the standards internally, build resilience, meet partner expectations, and reduce risk.

The brief was simple. Gather and audit data across the associate team, surface any gaps, and design a regular check-in rhythm that would keep them aligned without becoming a chore.

It started with a lot of spreadsheets and untangling systems. Who had access to what? Which devices were in use? Were software firewalls active? Did anyone still hold access who should not? What started as a technical checklist turned into a broader piece of digital housekeeping.

Cyber Essentials work is mostly access control made visible: who has what, who used to, who no longer should.

Here is what we put in place:

  • A structured cybersecurity check-in form, aligned with Cyber Essentials controls: firewall status, password hygiene, software updates.

  • Device unlock and authentication reviews, separating personal and work access.

  • A formal leaver checklist, so that access is removed promptly when someone exits the team.

  • A team-wide password policy, tailored to the tools and systems they actually use.

  • Bi-annual staff training and compliance reminders, linked to data protection responsibilities.

  • A recurring internal review rhythm, designed to feel manageable rather than overwhelming, especially for a team of non-technical associates.

None of this was glamorous. The client now has structured documentation showing that their associates, who work across different countries and devices, are aligned with UK data protection principles. The work also clarified internal roles in a way they had not expected, which is the more durable outcome.

A note for anyone doing operational work for digital-first clients, whether your title is virtual assistant, fractional ops, business manager, or something else. The dry work is the work. Cyber Essentials, Article 4 of the AI Act, GDPR Article 28: all of them ask for the same kind of unsexy, structured operational thinking that values-led practices benefit from anyway. The clients who need this kind of help often cannot easily find it.

Cyber Essentials work is the kind of operational realignment I do with clients as part of digital operations readiness, alongside AI Act compliance and ongoing GDPR practice. If you would like a calm second pair of hands on it, that is what the practice is for.