The assessment covers:
- Stage & growth
- Data sensitivity & volume
- Customer profile
- Regulatory pressure
- Markets & jurisdictions
- Engineering footprint
- Security requests in sales
- Incident history
- Workforce pattern
- Critical third-parties
- Risk appetite
Recommended maturity
Based on your context and NCSC-aligned security priorities.
Why this level?
- An early-stage profile with low risk suggests a hygiene baseline (Level 1) is appropriate.
- Growth and moderate complexity or obligations warrant formalised controls (Level 2).
- A higher overall risk profile and greater complexity justify an advanced programme (Level 3).
What to do next
Level 1 – Basic Cyber Hygiene
Absolute minimum based on NCSC small business guidance: strong passwords + MFA, backups, updates/patching, anti-malware & firewall, and staff phishing awareness.
- Mandate unique passwords & MFA for all accounts (email, cloud, admin).
- Automated, tested backups with at least one offline/immutable copy.
- Auto-update OS, apps, devices; change default passwords; secure configs.
- Enable endpoint protection and host firewalls across all devices.
- Deliver short, recurring phishing & security hygiene training.
- Keep a lightweight asset list (devices, accounts, SaaS).
Level 2 – Formalised Security Practices
Move from ad-hoc to managed: simple written policies, least-privilege access, joiner/mover/leaver processes, basic logging/monitoring, vulnerability scanning, DevSec basics, data mapping & GDPR, incident response basics, vendor risk, and 5% of engineering time to security.
- Publish short policies (acceptable use, access control, data handling).
- Least-privilege by default; quarterly access reviews; automate off-boarding.
- Enable logs on key systems; alerts for suspicious auth; centralise where possible.
- Monthly web/app/cloud vulnerability scans; fix tracked issues.
- Bake security into delivery: code reviews, secrets hygiene, threat-thinking.
- Map personal data; update privacy notices; handle DSARs & consent.
- Create an incident runbook and on-call contacts; test with a tabletop.
- Assess critical vendors and DPAs; add security clauses to new contracts.
- Reserve ~5% of engineering capacity for risk & remediation.
Level 3 – Advanced / Scale & Assure
Professionalise: security owner (vCISO/lead), SIEM/MDR, tested incident response, external pen-tests, SOC 2 or ISO 27001 roadmap, SSO/IdP, EDR, DLP for sensitive data, infra-as-code guardrails, consider cyber insurance.
- Appoint a security lead (fractional is fine) and publish a roadmap.
- Adopt SIEM/MDR; 24×7 monitoring for critical auth, data, and cloud.
- Run annual external pen-tests; track findings to closure.
- Pursue SOC 2 or ISO 27001 as demanded by customers/markets.
- SSO/IdP across estate; enforce MFA & device posture; deploy EDR.
- Protect data: DLP for IP/sensitive fields; encrypt & key-manage properly.
- IaC policies/guardrails; pre-prod security tests; secrets management.
- Run incident exercises twice yearly incl. comms & legal.
- Explore cyber insurance and robust DR (RTO/RPO) where risk justifies.
Oxford Infosec recommends adopting the controls above for the level that matches your profile. Levels are cumulative: Level 2 includes the Level 1 recommendations, and Level 3 includes the recommendations of Levels 1 and 2.