Cyber Essentials Plus is one of the most credible things a small business can do for its security posture. Independently verified controls. A certificate that holds up under scrutiny. Access to government contracts and NHS supply chain work, and a way to meet supply chain requirements from larger clients.

But there's a problem most small businesses hit almost immediately: CE+ requires controls to be in place and technically verified — and someone has to implement and maintain those controls. For businesses without an IT team, that someone is usually the MD, the office manager, or whoever drew the short straw.

That's not a sustainable position. And it's exactly the situation Aursec was built to address.

The CE+ Problem for Businesses Without IT

Cyber Essentials Plus doesn't just ask whether your security controls exist on paper. An independent assessor tests them technically — checking that your patch management is actually working, your device configurations are correctly applied, your access controls are properly enforced, and your malware protection is active and current.

For a business with a dedicated IT team or an IT provider, maintaining those controls is part of the day job. For a business without either, it falls through the gap between "security thing we need to sort out" and "someone's actual responsibility."

The result is predictable. Controls slip. Patches don't get applied within the required 14-day window. Devices drift from their secure configuration. Old accounts don't get removed. The business has a CE+ certificate from last year — but wouldn't pass the assessment today.

"CE+ doesn't just ask whether your controls exist on paper. An assessor tests them — and someone has to make sure they hold up."

What We Actually Do

Aursec is not an IT provider. We don't set up software, manage your telecommunications, or run your helpdesk. What we do is manage the security layer — the specific controls that keep your business protected and your CE+ certification current.

For clients without an in-house IT team, that means taking ownership of the security controls CE+ requires and maintaining them on an ongoing basis.

Patch management. Critical and routine patches applied across your devices and software within the required 14-day window — without your team having to think about it. Your systems stay current. Your CE+ position stays clean.

Secure configuration. Your devices configured to a defined security baseline — unnecessary services disabled, default credentials changed, software installation restricted where appropriate. Documented and maintained so configuration drift doesn't creep in between assessments.

Access control. User accounts reviewed and maintained. Admin accounts managed correctly. MFA enforced across cloud services and remote access. Leavers removed promptly. The joiners, movers, and leavers process that CE+ assessors look for — handled.

Vulnerability scanning. Your internal systems and external-facing infrastructure scanned regularly. Every vulnerability logged, risk-rated, and tracked to resolution. You always know your exposure — and so do we.

Malware protection. Anti-malware deployed, active, and current across all devices. Monitored so that alerts don't sit unread in a dashboard nobody checks.

"We're not your IT provider — we're the security layer your business needs to operate safely and stay certified."

What This Isn't

It's worth being clear about what this service is not — because the distinction matters.

This is not IT support. If your laptop won't connect to the printer or you need a new email account setting up, that's not us. We focus on the security controls that protect your business and underpin your certification.

This is not IT project work. Migrations, new system implementations, software procurement — those require a different kind of provider. What we do is maintain and monitor the security layer of your existing infrastructure.

The distinction is deliberate. Security and IT are related — but they're not the same thing. A business that has its IT needs met but no one actively managing its security controls is still exposed. That's the gap we fill.

How It Works in Practice

For most clients in this situation, the engagement follows a consistent pattern.

We start with a security assessment — reviewing your current device estate, configuration, patch status, access controls, and vulnerability exposure. This gives us a clear picture of where you are against the CE+ standard before we start any remediation work.

We then close the gaps — working through the issues identified in the assessment to get your controls to the standard CE+ requires. For most small businesses, this takes a few weeks depending on the number and complexity of gaps.

Once you're ready, we support you through the CE+ assessment itself — preparing your infrastructure, working with the assessor, and making sure nothing surprises you on assessment day.

After certification, we stay in place on a managed security retainer — maintaining the controls month to month, monitoring for issues, and making sure your annual renewal is a smooth process rather than a last-minute scramble.

Who This Is For

This service is specifically designed for businesses that:

It works particularly well for professional services firms, healthcare-adjacent businesses, and companies in the defence or public sector supply chain — where CE+ is either required or strongly expected, and where the MD or senior team are too busy to manage security controls alongside everything else.

The Alternative

The alternative — managing these controls yourself without dedicated resource — tends to go one of two ways.

Either security gets deprioritised and the controls slip, which means you won't pass your next CE+ assessment and you're exposed in the meantime. Or it consumes significant time from your senior team — time that costs more than the retainer would have.

Neither outcome is a good one for a business that needs CE+ to win and retain contracts.

Next Steps

If you're pursuing CE+ without an in-house IT team — or you have the certification but aren't confident the controls are being maintained properly — book a free scoping call.

We'll review your current position, tell you honestly where your gaps are, and explain what it would take to get you certified and keep you there.

No obligation. No pressure. Just a clear answer.

Ben Wright

CISM-certified security professional and founder of Aursec. Over a decade of experience in information security and compliance across multinational environments.
