Security & compliance FAQs

Security and compliance can feel unclear, especially when questions start coming from customers, investors, or insurers. These FAQs cover the things small businesses ask us most often, in plain English and without unnecessary detail.

If you’re looking for quick clarity rather than theory, you’re in the right place.

Compliance, System security
How do we know if we need external help?

If security questions are slowing sales, you’ve had a near miss, you’re preparing for certification, or you’re unsure whether you’re “secure enough”, external support usually pays for itself.

System security
Where should we start with security?

Start with visibility: what devices, systems, and data you have. Then focus on the basics. Don’t try to do everything at once – prioritise by risk.

Compliance
A customer wants a SOC 2 report and we don’t have one. What should we do?

Be transparent. Explain what you can provide instead and ask what they’re actually trying to assess. If multiple customers are asking, it may be worth investing. If it’s a one-off, negotiation is often possible.

Compliance, System security
What do cyber insurers care about?

The basics: MFA, endpoint protection, patching, tested backups, and staff training. If you can’t demonstrate these, expect higher premiums or limited cover.

Compliance, Privacy, System security
How do we handle customer security questionnaires?

Create a standard set of approved responses covering your controls, policies, and processes. Most questionnaires ask similar questions, just worded differently.

Compliance, System security
Can we do ISO 27001 ourselves?

Some businesses can, but many choose external support due to time and expertise constraints.

Compliance
How long does ISO 27001 take?

Typically 3–9 months for a small business, depending on your starting point and available resources. Rushing often creates problems later.

Compliance
Do we need ISO 27001 certification?

It depends. If customers, regulators, or investors are asking for it, certification can remove friction. If no one is asking, formal certification may not be necessary yet, but the framework is still useful.

Compliance
What is ISO 27001?

ISO 27001 is an international standard for managing information security risks through a structured management system. Certification means an independent auditor has verified that the system meets the standard.

Compliance
How long can we keep personal data?

Only for as long as you need it for the original purpose. Clear retention periods reduce risk and simplify compliance.

Compliance, Privacy
What happens if we have a data breach?

You must assess the risk to individuals. If there’s a risk, the ICO must be notified within 72 hours. High-risk breaches also require notifying affected individuals. Everything should be documented, even if you decide not to report.

Compliance
Do we need a Data Protection Officer?

Only in specific circumstances. Most small businesses don’t legally need one, but having clear ownership of data protection responsibilities is good practice.

Compliance, Privacy
Does GDPR apply to us?

If you process personal data of people in the UK or EU (customers, employees, or website visitors), then yes. Size doesn’t remove the obligation, but expectations are proportionate to your scale and risk.

System security
What should we do if we think we’ve had a breach?

Act calmly but quickly. Contain the issue if possible, preserve evidence, notify your cyber insurer early, and assess any legal reporting obligations. If you’re unsure, get expert help.

System security
How often should we review our security?

At least annually, with some areas reviewed more often. Patching should be continuous, access reviewed quarterly, and security tools checked regularly. Any major business change should also trigger a review.

System security
What security tools do we actually need?

For most small businesses: device management, endpoint protection, email security, MFA, and reliable backups. More tools aren’t better; properly configured tools, with someone paying attention, are what matter.

System security
Do we need a dedicated security person?

Not usually. Many businesses with 20–200 employees manage security with IT handling day-to-day tasks and external support for strategy, assessments, or incidents. A fractional or virtual CISO often makes more sense than a full-time hire.

System security
What causes most security incidents in small businesses?

Most incidents aren’t sophisticated attacks. They’re caused by basics being missed: phishing emails, missing MFA, unpatched systems, or poor backups. Getting the fundamentals right removes the majority of risk.

System security
How do I know if my business is “secure enough”?

There’s no such thing as perfect security. “Secure enough” means having controls that are proportionate to your size, industry, and risk. At a minimum, that usually includes MFA everywhere, managed and encrypted devices, prompt patching, tested backups, and someone actively paying attention to alerts.

If you’re being asked questions you can’t confidently answer, it’s usually time for an independent sense-check.

System security
Can you work with our existing security tools and vendors?

Absolutely. We’re vendor-agnostic and experienced in integrating with a wide range of technology stacks. We’ll assess your current tools, optimise their configuration, and identify gaps where additional solutions may be beneficial. Our focus is on getting the most out of your existing investments while improving your security posture where it matters.

Privacy
How often should we conduct security assessments?

We recommend quarterly vulnerability assessments and annual penetration tests as a baseline. You should also run an assessment whenever you make significant infrastructure changes, deploy new applications, or experience a security incident. Organisations in regulated industries may need to assess more frequently.