# Security Foundations

## Introducing the Service

"Are we secure enough?" is the question every business leader eventually asks, usually after a near-miss, a customer questionnaire, or a conversation with an insurance broker.

The answer for most small businesses is: "We don't know, and we're not sure how to find out."

This service answers that question. We assess your current security against what actually matters for a business your size, identify the gaps that present real risk, fix the quick wins, and help you build a proportionate security baseline you can maintain.

The goal is security that's proportionate to your situation: enough to protect the business, satisfy customers, meet insurance requirements, and sleep at night. Perfect security doesn't exist, so we focus on what does.

## What Problem Does This Solve?

Most security incidents happen because basic controls aren't in place or aren't working properly. The basics, done badly, account for more incidents than sophisticated attacks.

If any of these sound familiar, this service can help:

| Situation                                                 | What typically goes wrong                                                                                                                           |
| --------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------- |
| **"We don't really know what we've got"**                 | Asset lists, tool dashboards, and spreadsheets all contradict each other. Things get missed. Nobody has a complete picture.                         |
| **"Things were set up in a hurry and never reviewed"**    | Default settings, over-permissive access, open ports: configurations that made sense during rapid growth but were never tightened up.               |
| **"Patching happens... eventually"**                      | Updates get done when someone remembers, but there's no schedule, no tracking, and no visibility of what's actually vulnerable.                     |
| **"We have security tools but they're noisy"**            | Antivirus, email filtering, maybe some monitoring, but nobody's tuning the alerts or checking them regularly. Real problems hide in the noise.      |
| **"Passwords and MFA are a bit inconsistent"**            | Some systems have strong authentication, some don't. Staff reuse passwords. MFA is only on the "important" systems (but which ones are important?). |
| **"We can't prove any of this to customers or insurers"** | When someone asks for evidence of your security controls, it's a scramble. Sales cycles stall. Insurance premiums go up.                            |

This service gives you clarity on where you stand, fixes the obvious gaps, and establishes a baseline you can point to when customers, insurers, or your own board ask: "Are we secure enough?"

## Fit for Small Businesses

This service is designed for businesses that need solid security foundations without enterprise complexity. Typically that means:

* **20 to 200 employees**: large enough to have real security risks, small enough that a dedicated security team isn't realistic
* **Growing and moving fast**: configurations set up during rapid growth that haven't been reviewed
* **Using cloud services**: email, file storage, and cloud infrastructure
* **Facing security questions**: from customers, insurers, investors, or regulators
* **No dedicated security person**: IT handles security along with everything else

We calibrate everything to your size and risk profile. A 50-person SaaS company doesn't need the same controls as a bank. We focus on what's proportionate and practical for your stage, not enterprise overkill.

If you're already certified to ISO 27001 or SOC 2 and need ongoing security leadership, a vCISO is probably a better fit. If what you really need is a certificate for a specific customer or investor, look at ISO 27001 or SOC 2 directly.

## Outcomes: What You Get

### Clarity on where you stand

| Outcome                                                 | What this means                                                                                    |
| ------------------------------------------------------- | -------------------------------------------------------------------------------------------------- |
| **You know your security posture**                      | A clear assessment of your current state against the controls that matter for a business your size |
| **You know where the gaps are**                         | Prioritised list of what's missing or misconfigured, ranked by risk and effort to fix              |
| **You can answer the "are we secure enough?" question** | For yourself, your board, your customers, and your insurers                                        |

### The basics done properly

| Outcome                                  | What this means                                                                                                      |
| ---------------------------------------- | -------------------------------------------------------------------------------------------------------------------- |
| **Devices are managed and protected**    | Company laptops and phones are enrolled, encrypted, and have endpoint protection that actually works                 |
| **Access is controlled**                 | Multi-factor authentication everywhere it matters. Accounts are provisioned properly and removed when people leave.  |
| **Systems are configured securely**      | Default settings tightened up. Unnecessary access removed. Cloud services hardened.                                  |
| **Patching is happening**                | Visibility of what's vulnerable. Critical updates applied promptly. A process that works without constant attention. |
| **You'd know if something bad happened** | Logging in place for key systems. Alerts configured and tuned so they're useful, not noise.                          |
| **Data is backed up and recoverable**    | Critical data backed up to a secure location. Tested regularly so you know it works.                                 |

### Evidence you can point to

| Outcome                                     | What this means                                                                                |
| ------------------------------------------- | ---------------------------------------------------------------------------------------------- |
| **You can satisfy customer questionnaires** | Evidence of your controls ready to share, mapped to what customers typically ask               |
| **You can meet insurance requirements**     | Controls aligned with what cyber insurers expect (MFA, patching, backups, endpoint protection) |
| **You can demonstrate due diligence**       | If something does go wrong, you can show you had reasonable controls in place                  |

### Ongoing confidence

| Outcome                         | What this means                                                                     |
| ------------------------------- | ----------------------------------------------------------------------------------- |
| **Someone's watching**          | Regular health checks on your security tools and configurations                     |
| **You have someone to ask**     | Access to security expertise when questions come up or things change                |
| **You stay secure as you grow** | Controls that flex with your business, not a point-in-time snapshot that goes stale |

## How It Works

The service has three phases.

### Phase 1: Assessment and Quick Wins

We assess your current security against the controls that matter for a business your size, identify the gaps, and fix the obvious ones immediately.

Activities and what they mean in practice:

* **Baseline assessment**: review of ~20 key controls covering devices, access, configuration, patching, monitoring, and data protection. Scored by maturity and risk.
* **Quick-win remediation**: immediate fixes for critical gaps, typically turning on MFA where it's missing, addressing critical patches, and securing backup configurations.
* **Prioritised roadmap**: a clear plan for what else needs fixing, ranked by risk and effort, so you know what to tackle first.

Typical duration: 2 to 4 weeks.

### Phase 2: Implementation and Hardening

We implement the controls needed to close your gaps and harden your environment.

Activities and what they mean in practice:

* **Device management**: enrolling company devices in management, turning on encryption, applying compliance policies, and getting visibility of unmanaged devices.
* **Endpoint protection**: deploying and tuning protection software on all devices so it catches real threats without drowning you in false alarms.
* **Secure configuration**: tightening settings across cloud services, operating systems, and applications. Removing defaults, closing unnecessary access, applying security baselines.
* **Access controls**: ensuring MFA is in place where it matters, granting access based on need, and removing accounts when people leave.
* **Logging and monitoring**: setting up logging for key systems (sign-ins, admin actions, security events) and configuring alerts that are actually useful.
* **Backup and recovery**: ensuring critical data is backed up securely, protected from ransomware, and regularly tested to confirm it can be restored.
* **Attack surface review**: looking at your business from an attacker's perspective. What's visible, what's exposed, what could be targeted.
* **Staff awareness**: practical, role-appropriate training so your team knows what to watch for and what to do.

Typical duration: 2 to 3 months, depending on scope and starting point.

### Phase 3: Ongoing Monitoring and Support

Once the baseline is established, we keep it working and help you maintain it.

Ongoing activities and cadence:

* **Tool and alert health check**: weekly. Make sure your security tools are working and alerts are being handled.
* **Status report**: monthly. What's happened, what's changed, what needs attention.
* **Incident and change advisory**: as needed. Guidance when something happens or you're making changes.
* **Security questions**: as needed. Access to expertise when you need advice.

Minimum term: 12 months.

## What's Not Included

This service establishes and maintains your security foundations. Some things are out of scope. Where relevant, we indicate what to do instead.

| Out of scope                              | Why / Who does this                                                                                                                                        |
| ----------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------- |
| **Major architectural changes**           | If you need to redesign your network or rebuild your infrastructure, that's a separate project. We'll identify if it's needed and recommend a way forward. |
| **Fixing application code**               | If your product has security vulnerabilities in the code, your developers need to fix them. We can advise on what's needed and help you prioritise.        |
| **24/7 incident response**                | We provide guidance during incidents within business hours. If you need round-the-clock response capability, you'll need a dedicated service.              |
| **Penetration testing**                   | Formal penetration testing by specialist testers is separate. We can help you procure and manage it.                                                       |
| **Compliance certifications**             | ISO 27001, SOC 2, and similar certifications are separate services. This service builds the foundations that make certification easier.                    |
| **Data protection and DPO**               | GDPR compliance and Data Protection Officer responsibilities are covered by our DPO service, not this one.                                                 |
| **Building a security operations centre** | If you need full-time security monitoring, that's a bigger investment. We can advise on options and next steps.                                            |
| **Tool and software costs**               | You pay for security tools directly. We configure and operate them.                                                                                        |

## What We Assess

The baseline assessment covers the controls that matter most for small businesses:

| Area                       | What we look at                                                                              |
| -------------------------- | -------------------------------------------------------------------------------------------- |
| **Asset visibility**       | Do you know what devices, systems, and services you have? Is there a single source of truth? |
| **Device security**        | Are devices managed? Encrypted? Running endpoint protection? Kept up to date?                |
| **Access control**         | Is MFA in place? Is access granted appropriately? Are leavers removed promptly?              |
| **Cloud configuration**    | Are your cloud services (email, file storage, infrastructure) configured securely?           |
| **Patching**               | Do you know what's vulnerable? Are critical patches applied promptly?                        |
| **Logging and monitoring** | Are key events logged? Would you know if something bad happened?                             |
| **Backup and recovery**    | Is critical data backed up? Is it protected from ransomware? Can you actually restore it?    |
| **Email security**         | Are you protected against phishing and business email compromise?                            |
| **Network security**       | Is your network appropriately segmented? Are unnecessary services exposed?                   |
| **Staff awareness**        | Do people know what to watch for? Would they report something suspicious?                    |

We score each area by maturity and risk, giving you a clear picture of where you stand and where to focus.

## Assumptions

| Assumption                                   | What this means for you                                                                                                        |
| -------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------ |
| **You have an executive sponsor**            | Someone senior needs to own this, approve scope, make decisions, and allocate resources. Without this, things stall.           |
| **You give us access to what we need**       | We need to see your systems, talk to your people, and review configurations. If we can't access something, we can't assess it. |
| **We work remotely unless agreed otherwise** | The service is delivered remotely. If on-site work is needed, we'll agree it in advance.                                       |
| **Implementation is collaborative**          | We configure and deploy, but some tasks need your team's involvement (approvals, access, testing).                             |

## Who Delivers the Service

Your security lead will be an experienced practitioner with recognised qualifications (typically CISSP or CISM) and hands-on experience implementing these controls across dozens of small business environments.

You'll work with the same named consultant throughout. They learn your business once, so you don't have to explain it each time.

## Term and Pricing

| Phase                        | Term             | Pricing                                         |
| ---------------------------- | ---------------- | ----------------------------------------------- |
| **Phase 1: Assessment**      | 2–4 weeks        | Fixed fee                                       |
| **Phase 2: Implementation**  | 2–3 months       | Fixed fee (scoped based on assessment findings) |
| **Phase 3: Ongoing support** | 12-month minimum | Monthly retainer                                |

Phases 2 and 3 are priced based on the assessment findings. We need to understand your environment before we can scope the implementation work.

## Combining with Other Services

This service establishes your security foundations. Other services build on top:

* **vCISO**: if you need ongoing security leadership and governance, not just foundational controls.
* **ISO 27001 Implementation**: if you need certification. This service gets your controls in place; ISO 27001 adds the management system and formal certification.
* **DPO as a Service**: if you have data protection obligations. Security foundations and privacy compliance are related but distinct, and you may need both.

For many small businesses, Security Foundations is the right starting point. It answers "are we secure enough?" and builds the baseline that other services depend on.
