Skip to content
360 Cyber Compliance

Example engagement — illustrative

Cyber Essentials for a GP practice strengthening its DSPT

GP practice (~7,500 patients) · Cyber Essentials

The challenge

A GP practice wanted to firm up the technical side of its DSPT and reassure patients and commissioners, and chose Cyber Essentials as a recognised, proportionate way to prove its basic controls were in place.

What we did

  • Inventoried devices, servers and cloud services in scope for certification
  • Assessed the five controls: firewalls, secure configuration, security update management, malware protection and user access control
  • Removed unsupported software and confirmed automatic patching across clinical and admin machines
  • Reviewed user accounts, separated admin rights and enforced multi-factor authentication where available
  • Completed the self-assessment through an IASME-accredited certification body

The outcome

The practice achieved Cyber Essentials and used the verified controls to reinforce several DSPT technical assertions.

Background

Cyber Essentials is a UK government-backed scheme, delivered through IASME, that certifies an organisation has five fundamental technical controls in place. For a GP practice it does two useful jobs at once: it demonstrates good basic security to patients and commissioners, and it strengthens the technical assertions in the DSPT. In this illustrative example, a practice serving around 7,500 patients wanted that reassurance without taking on a heavyweight framework.

What we did

Certification starts with knowing what you are certifying, so we built an inventory of the practice’s devices, servers and cloud services — clinical machines, reception PCs, laptops and the systems staff logged into. That scope in hand, we worked methodically through the five controls, which our guide to the five Cyber Essentials controls sets out in full.

Two areas needed the most attention. First, a couple of machines were still running software that was no longer supported, so we removed or replaced it and confirmed that automatic security updates were switched on across both clinical and administrative computers. Second, user access had grown loose over time: we reviewed every account, separated everyday logins from administrator rights so admin access was used only when needed, and enforced multi-factor authentication on the services that offered it. With the controls in place and evidenced, we completed the self-assessment and submitted it through an IASME-accredited certification body.

Result

The practice achieved Cyber Essentials, giving it an independent, recognised statement that its basic technical controls were sound. That certification then did double duty, reinforcing several of the DSPT’s technical assertions and making the practice’s next toolkit submission more straightforward.

This is an illustrative example of the kind of work we do. Details are representative, not a specific named client.

Facing something similar?

Book a free, no-obligation readiness check and we’ll map out your options.