Example engagement — illustrative
Cyber Essentials for a GP practice strengthening its DSPT
GP practice (~7,500 patients) · Cyber Essentials
The challenge
A GP practice wanted to firm up the technical side of its DSPT and reassure patients and commissioners, and chose Cyber Essentials as a recognised, proportionate way to prove its basic controls were in place.
What we did
- Inventoried devices, servers and cloud services in scope for certification
- Assessed the five controls: firewalls, secure configuration, security update management, malware protection and user access control
- Removed unsupported software and confirmed automatic patching across clinical and admin machines
- Reviewed user accounts, separated admin rights and enforced multi-factor authentication where available
- Completed the self-assessment through an IASME-accredited certification body
The outcome
The practice achieved Cyber Essentials and used the verified controls to reinforce several DSPT technical assertions.
Background
Cyber Essentials is a UK government-backed scheme, delivered through IASME, that certifies an organisation has five fundamental technical controls in place. For a GP practice it does two useful jobs at once: it demonstrates good basic security to patients and commissioners, and it strengthens the technical assertions in the DSPT. In this illustrative example, a practice serving around 7,500 patients wanted that reassurance without taking on a heavyweight framework.
What we did
Certification starts with knowing what you are certifying, so we built an inventory of the practice’s devices, servers and cloud services — clinical machines, reception PCs, laptops and the systems staff logged into. That scope in hand, we worked methodically through the five controls, which our guide to the five Cyber Essentials controls sets out in full.
Two areas needed the most attention. First, a couple of machines were still running software that was no longer supported, so we removed or replaced it and confirmed that automatic security updates were switched on across both clinical and administrative computers. Second, user access had grown loose over time: we reviewed every account, separated everyday logins from administrator rights so admin access was used only when needed, and enforced multi-factor authentication on the services that offered it. With the controls in place and evidenced, we completed the self-assessment and submitted it through an IASME-accredited certification body.
Result
The practice achieved Cyber Essentials, giving it an independent, recognised statement that its basic technical controls were sound. That certification then did double duty, reinforcing several of the DSPT’s technical assertions and making the practice’s next toolkit submission more straightforward.
This is an illustrative example of the kind of work we do. Details are representative, not a specific named client.