Independent Security Audit
A vendor-neutral assessment of your security posture. Whether your security is managed in-house, by an IT provider, or somewhere in between, we tell you what's actually in place.
You're paying for security. But you can't verify what you're getting.
Most UK businesses don't run their own security. They pay someone (a managed service provider, an IT support firm, an internal team) to handle it. The problem is the same in almost every case: you have no easy way to verify that what's been promised is actually being done.
You don't know if the multi-factor authentication they "enabled" covers every account. You don't know if the backups they "test monthly" can actually be restored. You don't know if the "managed firewall" has been reviewed since 2021.
An Independent Security Audit answers those questions directly. No agenda to sell you anything. No stake in the answer. Just an honest assessment of what's in place and what isn't.
What we actually look at.
Provider claims versus reality
Your IT provider's service agreement promises a long list of controls. We verify whether those controls are actually in place: that multi-factor authentication is genuinely enforced and not bypassable, that backups have been successfully restored within the last month, that patches are being applied within the committed timeframe, that monitoring is alerting someone who acts on it.
The gaps that are easy to miss
Global administrator accounts being used for daily email. Multi-factor authentication "enforced" with Conditional Access exclusions that bypass it. Backups configured but never successfully tested for restoration. Endpoint protection alerts firing into a shared mailbox nobody monitors. SharePoint sharing set to anyone with a link. These are the findings we encounter most consistently, and none of them show up on a provider's monthly report.
Controls that were never set up
Sometimes the issue isn't poor execution. It's that something important was never put in place at all. Logging without retention. Endpoint detection and response with no defined response process. An incident response plan that exists as a Word document nobody can find. We surface the gaps, not just the failures.
Compliance alignment
We map your current state against whichever standards you need to demonstrate: Cyber Essentials, ISO 27001, the General Data Protection Regulation, sector-specific obligations including Financial Conduct Authority requirements, NHS Data Security and Protection Toolkit, and Ministry of Defence supply chain requirements. We tell you where you're short and what it would take to close the gap.
Why your managed service provider can't tell you this.
When you ask your provider "are we secure?", the answer is tied to their own contract. Even with the best intentions, they have a structural conflict of interest.
Admitting to a security gap usually means admitting they should have caught it. Or fixed it. Or flagged it. That conflict shapes the answer, even unconsciously.
We have no such conflict. We didn't set up your environment, we don't manage it, and we are not in competition with your provider. If they are genuinely doing excellent work, we will tell you that clearly, in a document you can take to your board and your insurers as independent validation.
If there are gaps, we'll tell you what they are, what they mean in practice, and what to do about them in order of priority. Many of our clients use the audit report to have a more informed conversation with their provider about what needs to change.
From scoping call to signed report.
Scoping call
30 minutes. Your setup, your concern, your obligations.
Proposal
Fixed-price. Typically 5 to 10 working days of audit work.
Review
Documents, configurations, and technical validation of key controls.
Report
Findings, plan, risk register, compliance mapping.
Walkthrough
With your leadership team, and your provider if that's useful.
Related capabilities
Penetration Testing
A penetration test answers one question: could a determined attacker do real harm to this business? Everything else (checklists, …
Read moreVulnerability Management
Penetration testing tells you what an attacker could do today. Vulnerability management tells you what’s changing, every …
Read moreFractional CISO & Information Security Manager
In most growing businesses, the person who answers for security is whoever is nearest. The managing director signs the Cyber …
Read more