Case study · SME

SME vulnerability posture — scanning and patch governance.

A fast-growing professional services SME needed a pragmatic vulnerability and patching process to satisfy Cyber Essentials Plus and a major customer's supplier assurance questionnaire.

At a glance

Sector: Professional services SME
Headcount: 40–75 staff, single UK office with remote workers
Regulatory context: Cyber Essentials Plus; contractual obligations to enterprise customers
Services engaged: Vulnerability scanning; patch management governance
Engagement type: Ongoing managed service
Duration: Placeholder — insert engagement length

Published with the client's written permission. Identifying details have been generalised.

01 · Problem

Growth had outpaced the hygiene.

The business had grown quickly and inherited a mixed estate of laptops, a small server footprint and several SaaS platforms. Patching was happening, but inconsistently. There was no central record of which assets were current, which were exposed or who was accountable for closing gaps.

A larger customer's supplier assurance questionnaire required documented vulnerability management and patching processes, and an upcoming Cyber Essentials Plus reassessment created a hard deadline. Leadership wanted a pragmatic solution suited to an SME — not enterprise tooling they could neither operate nor afford.

02 · Approach

Lightweight, written, owned.

A short scoping workshop established the in-scope assets, the SaaS platforms requiring configuration review and the practical realities of a small IT team. We agreed a lightweight governance model: a fortnightly operational call with the IT lead, a monthly review with the Managing Director, and a clear written patching policy the business could actually follow.

Onboarding was completed in phases to avoid disrupting day-to-day operations.

03 · Controls & Process

Right-sized for the team that runs it.

  • Regular authenticated scans across endpoints and the server estate.
  • Configuration review of in-scope SaaS platforms against documented baselines.
  • A patching policy defining timelines for critical, high and standard vulnerabilities, agreed with the business.
  • A single remediation register the IT lead works from, with clear ownership for each item.
  • Exception handling and risk acceptance recorded in writing, with a defined review date.

04 · Outcomes

Visibility, accountability, defensibility.

  • A clear, current picture of vulnerability and patch status across the estate, replacing informal tracking.
  • A written patching policy and remediation register that map directly to Cyber Essentials Plus controls and the customer's supplier assurance requirements.
  • Reduced ambiguity for the IT lead on what to prioritise and why.
  • A defensible answer to supplier assurance questionnaires, supported by evidence rather than assertion.

05 · Evidence & Reporting

Reporting a non-specialist board can use.

  • Fortnightly operational summary: new findings, items closed, items ageing, blockers.
  • Monthly management report: posture trend, patching SLA adherence, exception register, recommended actions for leadership.
  • Annual evidence pack: scan history, policy documents and remediation records assembled for Cyber Essentials Plus reassessment and customer audits.
  • Reporting kept deliberately concise and written for a non-specialist leadership audience.

06 · Next Steps

From hygiene to resilience.

With baseline hygiene in place, the next phase introduces phishing awareness training and an incident response retainer to address residual risk areas identified during the engagement. The patching policy will be reviewed annually, or sooner if the customer base or regulatory exposure changes materially.

"Placeholder pull-quote from the Managing Director or IT lead — to be approved by the client before publication."
Placeholder — to be approved by the client before publication.

Security services materially reduce risk and improve detection and response, but no provider can guarantee prevention of incidents. Responsibility for compliance certification remains with the customer.

Book a fixed-fee scoping workshop.

We'll outline an engagement shaped around your sector, scale and regulatory context.