The readiness method

The whole method, done together.

We come from the Centre For Cybersecurity Institute, which trains people into cybersecurity careers; this consultancy grew out of that work. So this page is the whole method, drawn out rather than described: the standard itself, the six days that close it, the independence rule, and what happens when something goes wrong.

The whole standard, drawn.

We draw what is actually inside the standard, plate by plate, because a diagram you can check beats a promise you cannot. Five controls make up Cyber Essentials, and here they are exploded apart the way an engineer would draw a machine before it is assembled: nothing hidden inside a black box, nothing summarised into a slogan.

Look at plate 05. The dashed coral layer is not a design flourish; it is a fact, drawn honestly. Backup and respond is the part most SMEs have not built yet, and that is exactly the part our six days are built to close.

The six days, drawn.

You see this schedule in the proposal, with names and dates on it. Days are working days of our time, usually spread over two to four weeks around your operations. This is the same plan every client gets, expanded here so you can see the reasoning behind each day.

  1. Day 1

    We walk your business, not a template.

    We sit with whoever actually runs the systems, not just the person who signs the invoice.

  2. Day 2

    Gap assessment against the standard, graded like a mock exam.

    You get the grade in writing the same day, including the parts that already pass.

  3. Day 3

    Policies and fixes, written in sentences your staff will read.

    No policy leaves our hands as a template with your logo dropped on top.

  4. Day 4

    Technical remediation with your IT person or vendor.

    We work alongside whoever already manages your systems, not around them. This is the layer most SMEs have not built.

  5. Day 5

    Evidence pack assembled: every control, every proof, one folder.

    The folder is yours to keep, tender after tender, audit after audit. Backup and respond finish here.

  6. Day 6

    Dry run of the assessment, then submission prepared together.

    You see exactly what the assessor will see, before the assessor sees it.

The independence rule, stated proudly.

A firm cannot both consult for and certify the same client. That separation is a requirement of ISO/IEC 17021, the international standard that governs how certification bodies operate, and it is mirrored in the CSA scheme rules that govern Cyber Essentials and Cyber Trust. It exists so the person marking your exam has no financial reason to pass you.

We prepare you. An independent certification body does the certifying. When you are ready, we refer you to certification bodies and take no referral fees for the introduction. That is the whole arrangement, stated before you ask.

The gap promise.

Audit-ready means three things, and we mean all three: every control evidenced, every document in place, and a dry run of the assessment completed before submission. If the certification body still finds a gap inside the scope we prepared, we fix it with you at no extra fee. That promise is written into the engagement letter, not just onto this page.

House rules.

The rules we work by, whether or not anyone is checking.

Who does the work.

Our consultants come through the Centre For Cybersecurity Institute's own training pipeline, led by an experienced practice lead. Named profiles with photographs will be added to this page as the team formally launches: we would rather say that plainly than publish placeholder biographies now. What you can rely on today is this: every report we produce carries its consultant's name and signature, so you always know exactly who stood behind the work.

What the portal feels like.

Most weeks, there is nothing for you to do. We track the schedule so you do not have to keep checking.

Your client portal, most weeks

Nothing due from you this week. We'll nudge you when that changes.

Most weeks, that is the whole update.

Plain answers

Why does Cyber Essentials readiness take six days and not one?

Evidence takes calendar time even when the work itself is fast. Policies need to be read, technical fixes need to be applied by whoever manages your systems, and a proper dry run needs a finished evidence pack to run against. Six days of our time, usually spread over two to four weeks around your operations, is what an honest job actually takes.

Do you guarantee certification?

No, and nobody honestly can. Certification is decided by an independent certification body, not by us. What we guarantee instead is the gap promise: audit-ready means every control evidenced, every document in place, and a dry run completed, and if the assessor still finds a gap in scope we prepared, we fix it with you at no extra fee.

Who actually shows up to do the work?

The named consultant on your plan, the same person from the first chat through to submission. Not a rotating cast and not whoever happens to be free that week.

We'll take it from here.

Bring us the tender. We'll bring the plan.

A 30-minute chat with a consultant, not a salesperson. You leave with a plan on one page, whether or not you hire us.