For many small and medium-sized organisations, improving cyber security can feel daunting, especially when formal standards start to enter the conversation. This article looks at some practical first steps that can help build real security maturity without adding unnecessary complexity too early.

If you are running a small or medium-sized organisation, cyber security can quickly feel like a moving target. You know you need to improve it. You may even be hearing about standards like ISO 27001. The problem is knowing where to begin without overcomplicating things or wasting time and budget.

The reality is that most organisations do not need to start with a full certification programme. What they do need is a clear, structured starting point that builds real security maturity and stands up to scrutiny later.

In our experience, there are a handful of areas that consistently separate organisations that are “doing something about cyber security” from those that are genuinely on the path to a formal standard.

Start with Cyber Essentials Plus

If you are looking for a credible first step, Cyber Essentials Plus is hard to ignore. It gives you an externally validated baseline and shows that your core technical controls are actually working.

What often surprises organisations is how much effort is involved in getting there. It is not just a case of ticking boxes. You will need to get a grip on patching, lock down access properly, and make sure your configurations are consistent across the business.

Done properly, this step tends to surface underlying issues that have been sitting unnoticed for some time. This is exactly what makes it valuable as a first step.

Put Proper Policies in Place

At some point, cyber security stops being informal and starts being something you have to define clearly. That is where policies come in.

Most organisations end up needing somewhere around 15 policies, give or take 5, to cover the key areas. Things like access control, incident response and data handling all need to be documented in a way that reflects how your business actually operates.

This is where many organisations come unstuck. It is easy to download templates, but it is much harder to make those policies meaningful, usable and aligned with reality. If they do not match what is happening day to day, they will not hold up when it matters.

Get Control Over Change

One of the most common weaknesses we see is a lack of control around change. Systems evolve, people make updates, suppliers get involved, and before long it becomes difficult to answer a simple question like, “What changed and why?”

A formal change control process brings structure without needing to slow the business down. It ensures that changes are reviewed, risks are considered, and there is a record of what has been done. This becomes increasingly important as your environment grows or as you move closer to any form of certification.

Defining the scope is also key. There will be actions, such as a password change, that do not need change control. You will need a catalogue of similar small actions that do not need the same rigour, so that it is understood that everything else is covered by the change control policy. That removes the “it’s too small to worry about” mentality that can lead engineers to bypass formal process and introduce stealth change.

Test What Could Actually Happen

Penetration testing is often treated as a compliance exercise. Once a year, an external test is carried out and a report is filed away. The issue is that this only tells part of the story.

Real attacks rarely stay on the outside. They involve compromised accounts, internal movement and exploiting what is already trusted. If you are only testing your external perimeter, you are missing a large part of the risk.

A more meaningful approach looks at what an attacker could do once inside. This helps to answer the questions that matter: How far could they get? What would they access? Would you even know?

So Where Does This Leave You?

If you can get these areas right, you are already much closer to a formal cyber security standard than most organisations at your stage.

You have a recognised baseline, you have defined how security should work, you have control over change, and you are testing your environment in a realistic way.

What tends to be less clear is how to pull all of this together in a way that is proportionate, joined up and sustainable over time.

How AJC Can Help

This is typically the point where organisations start to feel the complexity.

On paper, the steps are straightforward. In practice, each one raises questions. How far do you go with Cyber Essentials Plus? What should your policies actually say? How formal does change control need to be? What should your penetration test really cover?

At AJC, we work with organisations to turn these broad requirements into something that works in the real world. That might mean guiding you through Cyber Essentials Plus, helping you shape a set of policies that reflects how you operate, or helping to perform testing that provides genuine assurance rather than a box-ticking exercise.

The aim is not just to get you aligned with the standard, but to make sure the controls behind it are practical, effective and ready to scale as your organisation grows.

Contact us on 020 7101 4861 or email us at info@ajollyconsulting.co.uk if you think we can help.
