Pragmatic security and compliance for small businesses.

Most security advice is built for larger companies and then imposed on smaller companies without understanding their constraints. The result is generic documentation, controls nobody follows, and programmes that look tidy on paper but don’t fit the business.

We started Oxford Infosec to do it differently. Senior practitioners doing the work. Advice shaped around the pressure a business is actually under. Security that holds up when a customer, auditor, or investor takes a proper look.

What we believe about cyber security work.

Security should match the level of risk involved

A 20-person SaaS company doesn’t need the same cyber security programme as a bank. We recommend controls because they address a real operational risk, not because they appear on a generic “best practice” checklist.

The objective is proportionate security that supports the business properly and can still be maintained six months later.

Risk comes before frameworks

Standards like ISO 27001 are useful because they create structure and consistency. Problems usually appear when consultancies apply enterprise templates to smaller companies without adjusting for pace, size, or operational reality.

We work the other way round. First, we understand how the business actually operates. Then, we build controls and processes around that environment. Once the foundations are sensible, mapping them to frameworks becomes much more straightforward.

Fear is not a useful security strategy

We don’t lead conversations about cyber security with breach statistics or worst-case scenarios. Most businesses already understand that security matters.

The more useful discussion is usually practical: what customers are asking for, where the actual risks sit, and what level of governance is genuinely appropriate for the stage the business is at.

Sometimes the right answer is “not yet”

Not every company needs ISO 27001, SOC 2, or a dedicated security person immediately. In some situations, a smaller set of controls and a clear security position are enough to satisfy the people asking questions.

We’ll say that directly when it is true. It helps businesses avoid unnecessary work and keeps security efforts focused on the right places.

How we start our cyber security services.

A short initial conversation

The first step is usually a conversation about what triggered the need for security support.

That may be a customer questionnaire, an upcoming audit, investor due diligence, or internal concern that the basics need tightening up. The goal is to understand the situation clearly before discussing possible approaches.

Scoping with the people responsible internally

Once there is enough context, we run a short scoping session with the people who hold operational ownership internally.

That often includes founders, CTOs, operations leads, or whoever is responsible for sign-off. We agree on what needs attention, what sits outside scope, and which timelines matter commercially.

A clearly defined proposal

Implementation work is scoped with a fixed fee, defined deliverables, and a realistic timeline.

Ongoing support sits under a monthly retainer once the initial implementation phase is complete. The proposal explains what’s included, what’s not included, and what level of input we need from your team to keep progress moving.

A named senior consultant throughout

You work with the same senior practitioner from the beginning of the engagement onwards.

The person involved in the scoping discussions remains involved in the implementation work, workshops, reviews, and audit preparation. That continuity matters because it avoids repeated handovers and keeps decisions grounded in the context of the business.

How we work day to day.

Senior practitioners doing the work

There is no handover to a junior delivery team after onboarding.

The people involved in the initial discussions remain responsible for the work itself, including workshops, technical delivery, policy development, risk reviews, audit preparation, and ongoing guidance.

Structured around your working week

Security work needs to fit around the cadence of the business.

Workshops, evidence collection, and review sessions are scheduled around internal priorities wherever possible. The goal is steady progress without creating unnecessary drag on the team.

Evidence collection where automation helps

For ISO 27001 and SOC 2 engagements, we often use compliance automation platforms to simplify evidence collection and reduce manual administration.

Where a customer already has a preferred platform in place, we work with that environment rather than forcing unnecessary tooling changes.

Documentation people can actually use

Policies should be understandable internally. Risk registers should be concise enough that leadership teams can review them properly.

The objective is documentation that reflects operational reality and stands up to external scrutiny without becoming an administrative burden internally.

A predictable review rhythm

Most engagements follow a straightforward review structure with regular check-ins, risk reviews, and management discussions scheduled at sensible intervals.

For smaller businesses, several of these activities are often combined into shorter working sessions to keep the process manageable.

Available when things come up

Security questions rarely arrive neatly between scheduled meetings.

If a customer questionnaire appears unexpectedly or a supplier change raises concerns, customers can ask for guidance as those situations arise. All our engagements include best-efforts support during working hours for operational questions and significant changes.

What we’ll tell you honestly:

“You probably don’t need ISO 27001 yet. A smaller set of controls is enough for the level of scrutiny you are under.”

“A fractional security arrangement makes more sense than hiring internally at this stage.”

“Cyber Essentials is likely sufficient for what your customers are currently asking for.”

“This sits outside our scope. We’ll point you towards the right specialist.”

What we don’t do:

We focus on governance, compliance, and the management-system side of security.

We don’t operate a 24/7 SOC, provide managed detection and response, run penetration testing engagements, or deliver deep technical incident response services. We also don’t redesign application architecture, rewrite source code, or provide legal advice on contracts and regulations.

Where specialist support is required, we’ll recommend people we trust and help define the scope clearly before work begins.

How we know your cyber security is working.

Success depends on the reason the engagement started in the first place.

For ISO 27001, SOC 2, and Cyber Essentials engagements, success usually means certifications achieved on the expected timeline and future reviews completed without unnecessary disruption.

For ongoing vCISO support, success is often more operational. Leadership teams understand their major risks. Customer security questions become easier to answer. Internal responsibilities become clearer. Decisions stop relying on guesswork.

For smaller security foundations projects, success is usually simpler: the business has a clearer view of its current position and a sensible baseline that can realistically be maintained over time.

At each review stage, we ask the same practical question: is the business in a stronger and more manageable position than it was at the start?