Are We Secure Enough?
Introducing Oxford Infosec
Our foundational security controls service establishes a pragmatic, risk-proportionate baseline aligned with the CIS Critical Security Controls, NCSC Cyber Essentials Plus and ISO 27002. It is designed for growing, fast-moving organisations: each safeguard we recommend addresses a real-world threat without adding unnecessary overhead.
What Problems Do We Solve?
Most data breaches and cyber security incidents happen because basic security controls are not implemented and maintained properly.
No authoritative baseline of what’s protected (and what isn’t). Asset lists, tool dashboards and spreadsheets all contradict each other.
Misconfigurations and exposed services slip through the net; there is no single source of truth for cyber risk.
Default or ad-hoc configurations across cloud, SaaS and endpoints. Settings were “left as-is” during rapid growth or migration.
Commodity attackers exploit weak defaults (open ports, broad IAM roles, permissive sharing) that should have been closed on day 1.
Patching is still “best endeavours”. Updates happen eventually, but there is no timetable and no reporting.
Critical vulnerabilities go unseen and remain exploitable for months, widening the ransomware window and breaching the Cyber Essentials requirement to apply critical and high-risk updates within 14 days of release, as well as typical insurer requirements.
Security tools generate noise, not insight. AV, EDR and email filters exist, but alerts aren’t tuned or routinely reviewed.
Real attacks hide in alert fatigue; incidents are detected late, driving recovery cost and regulatory exposure.
Passwords and MFA are inconsistent. Staff reuse weak credentials, and MFA coverage stops at “high-risk” systems only.
Account takeover leads to Business Email Compromise and payment fraud, still the most common loss for UK SMEs.
Evidence of control is assembled ad-hoc for tenders, insurers and regulators.
Sales cycles stall and premiums rise because you can’t prove basic hygiene against the five NCSC Small-Business controls (backup, malware protection, updates, passwords, phishing).
This service provides an experienced technical security resource and ongoing maintenance of deployed security tools, so you can be assured that security risk is treated appropriately.
Fit for Small and Medium‑Sized Businesses
This service is built for fast-moving teams with tight head counts and aggressive ship dates. Every control, artefact and meeting is calibrated to your size, architecture and risk, so you end up with the minimum viable level of security for the stage you’re at.
Right-sized controls, never enterprise overkill – every safeguard is chosen for impact-to-effort in organisations with lean IT teams.
Proven tools – the service is anchored in tools we’ve deployed and tuned across dozens of SME environments, so you inherit deep expertise from day one.
Proof for insurers, prospects and regulators – the control set maps directly to the NCSC Small Business Guide essentials, ISO 27001, Cyber Essentials Plus and typical security questionnaires.
Pragmatic, growth-aware advice – recommendations balance risk reduction with the realities of a scaling business, so controls flex as headcount and tech stack grow without slowing delivery.
Named Practitioner
Lead Security Consultant (CISSP, CISM)
Acts as single point of accountability, reporting to the customer’s executive sponsor.
Scope of Activities
The service is split into three phases: an initial assessment that finds the gaps, an implementation phase that closes them, and a maintenance phase that keeps you secure.
Phase 1 - Baseline Assessment & Quick Wins
Baseline Assessment
Assess 20 controls against NCSC & Cyber Essentials; score maturity & risk; create prioritised recommendations
Quick‑Win Remediation
Enable MFA, critical patching, secure backup scheduling, basic audit logging
Roadmap & Tracker
Prioritised remediation plan with effort / impact rating
Phase 2 – Control Implementation & Hardening
Device Management
Intune (or agreed alternative) enrolment, compliance policies, BitLocker/FileVault rollout
Endpoint Protection
Defender for Endpoint (or agreed alternative) deployment, alert tuning
Secure Configuration
CIS Benchmark baseline hardening for Windows and macOS endpoints, Entra ID, M365, Google Workspace and AWS/Azure/GCP
Code and Product Security
Where applicable – code vulnerability scanning and threat modelling
Attack Surface Scanning
Assessment and scan of the “attacker’s eye view” of your business, website, and infrastructure
Logging & Monitoring
Defender alerts, plus Entra ID and Google Workspace sign‑in logs
Staff Awareness
Role-specific awareness training designed and delivered
Data Backup and Recovery
Business critical data backed up to a secure service. Includes regular restore testing.
Phase 3 – Continuous Monitoring & Advisory (12‑month minimum)
Tool & alert health‑check – Weekly
Status report (findings, KPIs, next actions) – Monthly
Incident & change advisory – Ad‑hoc (within UK business hours)
Security Q&A – Ad‑hoc (within UK business hours)
Out‑of‑Scope
Deep technical remediation
For example: Network (re-)architecture & segmentation, source-code refactoring / secure-coding fixes, building or operating a SIEM/SOC
Compliance frameworks
ISO27001, PCI-DSS, SOC 2, NIST CSF, ISO 27701, GDPR RoPA, etc.
Pen-testing & red-team
External / internal penetration tests, social-engineering simulations
Physical-security build-outs
Door-access systems, CCTV, server-room fit-outs
Security Incident Response (beyond best-endeavours support)
24 × 7 crisis hotline, on-site forensics, e-discovery, incident containment
Business Continuity & DR engineering
Designing alternate data centres, hot/hot fail-over, full DR run-books
Tooling costs
MDM, Endpoint Protection, Infrastructure security tooling etc.
Travel & on-site expenses
Consultant travel, accommodation, per diem
DPO services
Acting as Data-Protection Officer under GDPR
Custom software / tool development
Building bespoke dashboards, scripts or automations beyond standard native capability
Assumptions
Executive sponsorship is active and visible
A named senior leader approves scope, risk appetite and resource allocations; without this, key decisions stall.
Customer provides timely access to people, systems and sites
Interviews, evidence collection and control validation depend on access to SMEs, cloud consoles, logs and (if applicable) premises.
Engagement is delivered remotely unless on-site days are mutually scheduled and pre-approved
Travel costs and lead-times are excluded unless explicitly agreed
All project communications are in English and within the customer’s standard working hours (Europe/London time zone)
Ensures availability for workshops, steering meetings and incident advisory calls.
Term and Review
The Assessment (Phase 1) is a fixed fee, while the Implementation and Maintenance (Phases 2 and 3) have a minimum engagement term of twelve months, renewable annually, which begins once the initial assessment report is delivered.
Scope and fees are reviewed at each renewal to ensure the service continues to meet organisational requirements.