Your questions answered...

What is ISO 27001 and why does it matter for SMEs?

ISO 27001 is an international standard for managing information security in a structured way. It helps you identify your key information assets, understand the risks to them, and put sensible controls in place. For SMEs, it shows clients and partners that you take data protection seriously and are working to recognised best practice.

Why would an SME want to be certified in ISO 27001?

Many SMEs seek ISO 27001 to win public tenders and larger contracts where this standard is expected. It helps you stay competitive, prove that you care about your own data and third‑party assets, and reduce the chance of serious incidents. More and more clients now look for ISO 27001 because of the growing number of high‑profile data breaches.

How long does ISO 27001 certification usually take with your support?

The exact timeline depends on your starting point, size and complexity, but most SMEs can work through a structured programme over several months. We break the work into clear phases so it fits around day‑to‑day operations. Our role is to guide you step by step so the process feels manageable, not overwhelming.

What is Cyber Essentials Plus (CE+)?

Cyber Essentials Plus is a UK government‑backed scheme that checks your basic cyber controls are in place and working. Unlike basic Cyber Essentials, CE+ includes hands‑on technical testing by an independent assessor. It focuses on practical protections such as patching, malware controls and secure configuration.

Why should an SME consider CE+ certification?

CE+ is often required for public sector work and many supply chains. It gives your customers confidence that you have taken real, tested steps to secure your systems. It can also support cyber insurance discussions and reduce the likelihood and impact of common attacks.

How do you help SMEs prepare for CE+?

How does AI change cyber risk for small businesses?

AI tools can speed up work but can also introduce new risks, such as accidental sharing of sensitive data or over‑reliance on automated outputs. Attackers are also using AI to make phishing and scams more convincing. SMEs need simple rules and controls so AI is used safely and responsibly.

Can you help us use AI tools in a secure way?

Yes. We help you choose safer tools, set clear usage guidelines and avoid feeding confidential information into public AI services. Our aim is to let you benefit from AI while keeping control of your data and reducing the chance of misuse.

Do we need a specific AI policy?

It is good practice to have short, practical guidance on how staff may and may not use AI tools. We can help you create an AI usage policy that fits into your existing security and HR framework, written in language your team can actually follow.

What does GDPR mean for my SME in practice?

GDPR sets rules on how you collect, use and protect personal data about individuals. Even small firms must follow it if they handle information about customers, staff or other contacts. In practice, it means being clear about what you collect, why you collect it, how long you keep it and how you keep it secure.

How can you help us become more GDPR compliant?

We start by mapping what personal data you hold, where it lives and who can access it. Then we help you put in place simple policies, records and controls that match your size and risk. The focus is on clear, practical steps rather than legal jargon.

Do we need a Data Protection Officer (DPO)?

Not every SME needs a formal DPO under GDPR. We help you understand whether the rules require one in your case and what alternatives exist. Where needed, we can act as an external advisor to support your internal lead.

What is digital forensics in a business context?

Digital forensics is the process of collecting, preserving and analysing digital evidence from devices and systems. It helps you understand what happened during an incident, who was involved and how far it went. The findings can support legal, regulatory or internal HR actions.

When might an SME need digital forensics support?

You may need forensics after a suspected breach, fraud, insider threat or serious policy violation. It is especially important where there may be legal or regulatory consequences, or where you need to understand the root cause to prevent a repeat.

How do you work with SMEs on forensic cases?

We move quickly to secure evidence, explain options in plain English and provide clear, structured findings. Our goal is to help you make informed decisions while protecting your legal position and your reputation.

What does “data preservation” mean in an investigation?

Data preservation means securing and storing digital evidence so it cannot be altered, damaged or lost. It is often the first and most important step in any investigation. Good preservation increases the chances of understanding what happened.

What does good preservation look like?

It includes controlled access, secure storage, proper logging of who did what and when, and using trusted tools. We document each step so it can be explained later if needed in court or to a regulator.

When should we think about preserving data?

As soon as you suspect an incident or dispute that might rely on digital evidence. Early preservation greatly improves the quality and reliability of the evidence you have available.

What is “chain of custody” for digital evidence?

Chain of custody is the documented history of who handled evidence, when, where and how. It shows that the evidence has not been tampered with or accidentally changed. A clear chain of custody supports the credibility of your case.

Why does chain of custody matter to SMEs?

If you ever need to rely on digital evidence in court, with regulators or in HR cases, a broken chain of custody can weaken your position. Good records protect you and help your advisors present a stronger case.

How do you help maintain a strong chain of custody?

We use structured procedures and clear documentation from the moment we collect evidence. This includes logs, labels, secure storage and controlled access, all explained in plain language.
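The preservation and chain‑of‑custody answers above describe fingerprinting evidence, logging who handled it and when, and being able to show later that nothing was altered. The following Python is an added illustration of those ideas and is not the firm's own tooling: it fingerprints an in‑memory evidence sample with SHA‑256 and keeps a hash‑chained custody log, so that both a change to the evidence and a change, deletion or reordering of any log entry can be detected. The evidence bytes, names and timestamps are constructed for the example.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample evidence, held in memory so the example runs offline.
# In practice this would be the bytes of a disk image, export or log file.
EVIDENCE = b"2024-01-15 09:12:03 user=jsmith action=download file=payroll.xlsx\n"


def sha256_hex(data: bytes) -> str:
    """Cryptographic fingerprint of the evidence content."""
    return hashlib.sha256(data).hexdigest()


def _event_digest(prev_digest: str, event: dict) -> str:
    # Each log entry commits to the entry before it, so editing or removing
    # any earlier entry invalidates every digest that follows.
    payload = json.dumps(event, sort_keys=True).encode()
    return hashlib.sha256(prev_digest.encode() + payload).hexdigest()


def add_custody_event(record: dict, actor: str, action: str, when: str = "") -> dict:
    """Append a 'who did what and when' entry, chained to the previous one."""
    when = when or datetime.now(timezone.utc).isoformat()
    prev = record["events"][-1]["digest"] if record["events"] else record["evidence_sha256"]
    event = {"when": when, "actor": actor, "action": action}
    event["digest"] = _event_digest(prev, event)
    record["events"].append(event)
    return event


def create_custody_record(evidence: bytes, label: str, collector: str, when: str = "") -> dict:
    """Start a custody record: fingerprint the evidence and log its collection."""
    record = {"label": label, "evidence_sha256": sha256_hex(evidence), "events": []}
    add_custody_event(record, collector, "collected", when)
    return record


def verify_evidence(record: dict, evidence: bytes) -> bool:
    """True if the evidence content is byte-for-byte what was collected."""
    return sha256_hex(evidence) == record["evidence_sha256"]


def verify_custody_log(record: dict) -> bool:
    """Recompute the chain; any altered, removed or reordered entry fails."""
    prev = record["evidence_sha256"]
    for event in record["events"]:
        fields = {k: v for k, v in event.items() if k != "digest"}
        if _event_digest(prev, fields) != event["digest"]:
            return False
        prev = event["digest"]
    return True


if __name__ == "__main__":
    rec = create_custody_record(EVIDENCE, "laptop-01 export", "A. Analyst", "2024-01-16T10:00:00Z")
    add_custody_event(rec, "B. Reviewer", "analysed", "2024-01-17T14:30:00Z")
    print(json.dumps(rec, indent=2))
    print("evidence intact:", verify_evidence(rec, EVIDENCE))
    print("log intact:", verify_custody_log(rec))
```

The evidence hash is recorded once at collection and never changes; the custody entries are what grow over time, and because each entry's digest includes the previous digest, an auditor or court can rerun `verify_custody_log` to confirm the whole history is consistent. Copies of the record should be stored separately from the evidence itself so that one compromised location cannot silently rewrite both.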

What is GRC and why is it relevant to smaller organisations?

GRC stands for Governance, Risk and Compliance. It is about how your business is directed, how you manage risks and how you meet laws and standards. For SMEs, it ties security and compliance into everyday decision‑making rather than treating them as side projects.

How can better GRC help my business?

Good GRC helps you avoid nasty surprises, meet client expectations and support growth. It also makes audits and certifications much easier because your controls are already organised and documented.

How do you support SMEs with GRC?

We help you map your key risks, define simple policies and align them with standards like ISO 27001, CE+ and GDPR. The focus is on practical, right‑sized controls that your team can actually follow.

What is a security or compliance audit?

An audit is a structured review of how your controls and processes work in practice. It checks whether what you say you do matches what actually happens. Audits can be internal or carried out by external bodies.

How is an internal audit different from an external one?

Internal audits are done by or for your organisation to prepare and improve. External audits are done by independent bodies for certifications, regulators or customers. Both can be valuable at different stages.

How can you help us with audits?

We can perform readiness reviews, internal audits or support you through external audits. We highlight gaps, explain their impact and give you clear, prioritised actions to close them.

What is a Statement of Applicability in ISO 27001?

The Statement of Applicability lists which security controls you have chosen to apply and why. It links your risk assessment to your actual controls and explains any exclusions. It is a key document for ISO 27001 audits.

Why is the SoA important for SMEs?

It shows auditors and clients that your controls are based on real risks, not guesswork. It also acts as a useful internal map of your security measures and responsibilities.

Can you help us create or update our SoA?

Yes. We help you identify relevant controls, justify them and document them in a clear, audit‑ready way. We keep the language practical so it is useful beyond the audit itself.

What is a gap analysis in the context of security and compliance?

A gap analysis compares where you are now with where you need to be against a standard or requirement, such as ISO 27001, CE+ or GDPR. It highlights what is already in place and what is missing.

Why is gap analysis useful for SMEs?

It gives you a clear, prioritised list of actions instead of a vague sense of “we’re not compliant”. This helps you plan budget, effort and timelines in a realistic way.

How do you run a gap analysis for clients?

We review your current policies, processes and technical controls, then map them against the chosen standard. You receive a practical report with clear next steps and suggested priorities.

What counts as a security incident for our organisation?

An incident is any event that threatens the confidentiality, integrity or availability of your data or systems. It is not just a major breach. Examples include lost devices, malware infections, unauthorised access or mis‑sent emails with sensitive data.

Why is it important to define “incident” clearly?

Clear definitions help staff know when to raise the alarm. If people are unsure, they may delay reporting or ignore early warning signs. Early reporting often reduces damage and speeds up recovery.

Can you help us define incident types for our business?

Yes. We work with you to create simple, tailored definitions and examples that match your systems and risks. These can be built into your policies, training and response plans.

How should staff report a suspected cyber incident or data breach?

Staff should report incidents as soon as possible using your agreed channel, such as a named contact, a dedicated email address or a hotline. They do not need to investigate; they just need to share what they have seen quickly and clearly.

What information is helpful in an incident report?

Useful details include what happened, when it was noticed, which systems or data might be affected and any steps already taken. Even if the information is incomplete, early reporting is better than waiting.

Can you help us build an incident response plan and reporting process?

Yes. We help you create a simple, step‑by‑step plan that covers who does what, when to escalate and how to communicate with clients, regulators and partners. We can also support you during real incidents when they occur.

What do you mean by “vulnerabilities” in our systems?

Vulnerabilities are weaknesses in software, systems or configurations that attackers can exploit. Common examples include unpatched software, default passwords or exposed services. Finding and fixing these early reduces your overall cyber risk.

Why is regular patching so important for SMEs?

Most successful attacks exploit known issues that already have fixes available. Regular patching closes these gaps before attackers can use them. For SMEs, a simple, scheduled patching routine is one of the highest‑value controls you can put in place.

Can you help us design a practical patching process?

Yes. We help you map key systems, agree patching priorities and set a realistic schedule that fits your operations. The goal is a repeatable process that your team or IT provider can follow without guesswork.

What is phishing and why is it such a big risk?

Phishing is when attackers send fake emails, messages or links to trick people into sharing information or installing malware. It works because it targets people, not just technology. For SMEs, a single successful phishing email can lead to serious data loss or fraud.

How can we reduce the risk from spam and ransomware?

You can reduce risk by combining technical controls and staff awareness. This includes good email filtering, up‑to‑date security tools, regular backups and simple training on how to spot suspicious messages. We help you design a balanced approach that fits your size and budget.

What should we do if we think we’ve been hit by ransomware?

Do not pay or rush into action without advice. Isolate affected systems, preserve evidence and contact your incident response or security partner quickly. We can help you assess the situation, plan next steps and decide when to involve insurers, regulators or law enforcement.

What is multi‑factor authentication?

MFA adds an extra step when you log in, such as a code on your phone or an app prompt, in addition to your password. It makes it much harder for attackers to get in, even if they know or guess your password.

Where should we enable MFA first?

Start with your most important accounts, such as email, admin accounts, remote access and key cloud services. These are often the first targets for attackers. We can help you prioritise and roll out MFA in a way that staff can handle.

Will MFA slow my team down?

MFA adds a small extra step, but most people get used to it quickly. The security benefit is very high compared to the small amount of extra effort. We can help you choose user‑friendly options that work well on phones and laptops.

What do you mean by “assets” in information security?

Assets are the things that matter to your business, such as data, systems, devices, applications and key services. You cannot manage risk effectively until you know what you are trying to protect. We help you build a simple, clear view of your critical assets.

How do you approach risk for SMEs?

We look at what could realistically go wrong with your key assets and what the impact would be. Then we help you choose sensible controls to reduce the likelihood and impact of those risks. The aim is to focus effort where it matters most, not to create endless paperwork.

What is third‑party risk and why should we care about it?

Third‑party risk is the risk that comes from suppliers, partners or service providers who handle your data or support your systems. If they have a problem, it can quickly become your problem too. We help you assess key third parties, ask the right questions and build simple checks into your contracts and onboarding.

What is “management oversight” in information security?

Management oversight means that owners and senior leaders stay informed and involved in security and compliance decisions. It is about setting direction, approving priorities and checking that agreed actions are actually happening.

Why does leadership involvement matter so much?

Without leadership support, security often becomes a low‑priority IT task and important work gets delayed. When management is engaged, it is easier to secure budget, make decisions and embed security into everyday business.

How do you support management oversight in SMEs?

We provide clear, non‑technical summaries for leaders, including key risks, priorities and progress. We can also help you set up simple governance routines, such as regular security reviews at management meetings.

What do you mean by “continuous monitoring” in security?

Continuous monitoring means regularly checking your systems, logs and controls to spot issues early. It is not a one‑off review, but an ongoing process. This helps you catch problems before they turn into serious incidents.

Why is ongoing improvement important for SMEs?

Threats, systems and business needs all change over time. A control that was good enough last year may not be enough today. Continuous improvement keeps your security and compliance aligned with real‑world risks and client expectations.

How can you help us build continuous monitoring into our work?

We help you define a simple set of checks, reviews and metrics that fit your size and resources. This might include regular log reviews, patch checks, access reviews and short management updates. The aim is a repeatable rhythm, not a one‑off project.
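As an added illustration of the "regular log review" check described above (not the firm's own tooling), the Python below reviews authentication log lines and flags any account and source address with a burst of failed logins inside a short window, noting whether a successful login followed the burst. The log format, user names, addresses and timestamps are constructed for the example; a real log would need its own parsing pattern.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a simplified "auth:" format.
LOG_LINES = [
    "2024-03-01T08:00:01Z auth: Failed password for alice from 203.0.113.5",
    "2024-03-01T08:00:14Z auth: Failed password for alice from 203.0.113.5",
    "2024-03-01T08:00:29Z auth: Failed password for alice from 203.0.113.5",
    "2024-03-01T08:00:45Z auth: Failed password for alice from 203.0.113.5",
    "2024-03-01T08:01:02Z auth: Failed password for alice from 203.0.113.5",
    "2024-03-01T08:01:20Z auth: Failed password for alice from 203.0.113.5",
    "2024-03-01T08:01:41Z auth: Accepted password for alice from 203.0.113.5",
    "2024-03-01T08:02:00Z cron: nightly backup finished",          # unrelated line
    "2024-03-01T08:05:00Z auth: Failed password for bob from 198.51.100.7",
    "2024-03-01T08:05:12Z auth: Accepted password for bob from 198.51.100.7",
    "2024-03-01T09:00:00Z auth: Failed password for carol from 192.0.2.9",
    "2024-03-01T09:15:00Z auth: Failed password for carol from 192.0.2.9",
    "2024-03-01T09:30:00Z auth: Failed password for carol from 192.0.2.9",
    "2024-03-01T09:45:00Z auth: Failed password for carol from 192.0.2.9",
    "2024-03-01T10:00:00Z auth: Failed password for carol from 192.0.2.9",
]

LINE_RE = re.compile(r"^(\S+) auth: (Failed|Accepted) password for (\S+) from (\S+)$")


def parse_line(line: str):
    """Return (timestamp, outcome, user, ip) or None for lines we do not review."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group(2), m.group(3), m.group(4)


def review_auth_log(lines, threshold: int = 5, window: timedelta = timedelta(minutes=10)) -> dict:
    """Flag (user, ip) pairs with >= threshold failures inside `window`.

    Each finding records the largest burst seen and whether a successful
    login followed it, which is the case that most needs a human to look.
    """
    recent_failures = defaultdict(list)
    findings = {}
    for parsed in map(parse_line, lines):
        if parsed is None:
            continue
        ts, outcome, user, ip = parsed
        key = (user, ip)
        if outcome == "Failed":
            # keep only failures that are still inside the sliding window
            recent_failures[key] = [t for t in recent_failures[key] if ts - t <= window]
            recent_failures[key].append(ts)
            burst = len(recent_failures[key])
            if burst >= threshold:
                finding = findings.setdefault(key, {"failures": 0, "success_after_burst": False})
                finding["failures"] = max(finding["failures"], burst)
        elif key in findings:
            findings[key]["success_after_burst"] = True
    return findings


if __name__ == "__main__":
    for (user, ip), info in review_auth_log(LOG_LINES).items():
        print(f"{user} from {ip}: {info['failures']} failures in window, "
              f"success afterwards: {info['success_after_burst']}")
```

Run on the sample lines, only alice's burst is flagged: bob's two failures are below the threshold and carol's five failures are spread fifteen minutes apart, so they never accumulate inside the ten‑minute window. The threshold and window are the two numbers a small team would tune once and then leave alone; the value of the check comes from running it on a schedule and having someone read the output, which is the "repeatable rhythm" the answer above describes.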

How does moving to the cloud change our security responsibilities?

Cloud providers take care of many technical controls, such as physical security and platform resilience. However, you remain responsible for how accounts are managed, how data is shared and how settings are configured. Security in the cloud is a shared responsibility.

What are common cloud risks for SMEs?

Common issues include overly broad access rights, misconfigured sharing, weak authentication and unclear data locations. These can lead to accidental exposure or easier attacks. We help you identify and reduce these risks in a practical way.

Can you help us secure our cloud services?

Yes. We review your key cloud platforms, such as email, file storage and line‑of‑business apps, against sensible baseline controls. Then we give you clear, prioritised actions to improve security without making the tools unusable for your team.

What is “change management” in information security?

Change management is the process of planning, reviewing and approving changes to your systems, applications and policies before they go live. It helps you avoid unexpected side‑effects, outages or new security gaps caused by rushed changes.

Why is change management important for SMEs?

Even small changes, such as a new tool, a configuration tweak or a policy update, can introduce risk if they are not thought through. A simple change process reduces mistakes, improves stability and makes it easier to show auditors and clients that changes are controlled.

How can you help us improve our change management?

We help you design a light‑touch change process that fits your size and culture, not a heavy enterprise framework. This can include basic risk checks, approvals, testing steps and records so you know what changed, when and why.