Frequently asked questions
This page brings together the most common questions we’re asked about Cyber Essentials, Cyber Baseline, penetration testing, vulnerability scanning, Cyber Security Audits, vCISO and our other services. It’s written for busy people who want clear answers without the jargon.
You can browse by category below. A search box sits at the top so you can quickly filter questions by keyword (for example, "Cyber Essentials Plus" or "vulnerability scanning"). If you can’t find what you’re looking for, ask one of our experts in the live chat and we’ll get back to you as soon as possible.

General
High-level questions about who we are, who we work with and how our services fit together.
Who are you and what do you actually do?
We are a UK-based cyber security provider focused on helping organisations build and prove good security hygiene without drowning in jargon or paperwork.
Our core services include Cyber Essentials (CE/CE+), IASME Cyber Baseline for non-UK organisations, penetration testing, vulnerability scanning, Cyber Security Talks, our flagship Cyber Security Audit, and an ongoing vCISO (virtual CISO) service for total security management.
In simple terms: we show you where you stand, help you get certified where needed, and give you a practical plan to manage risk over time.
What types and sizes of organisations do you work with?
We typically work with organisations from around 20 people up to several thousand, across sectors such as professional services, healthcare, charities, manufacturing, education and technology.
The common thread is that cyber security now matters to your board, regulators, major customers or insurers – and you want clarity, not another tool.
If you’re smaller than this, we can still help with Cyber Essentials and practical guidance, especially if you’re part of a larger supply chain.
Do you replace our existing IT team or MSP?
No. In most cases we complement your existing IT team, MSP or internal security function.
Your IT team keeps the lights on and delivers day-to-day services. We help set the security direction, define and review controls, carry out independent testing and provide the evidence your stakeholders expect.
For vCISO and ongoing programmes, we work alongside your IT and suppliers so everyone is pulling in the same direction.
Do you only work with UK organisations?
Our company is UK-based, and Cyber Essentials is a UK scheme. However, we also support international organisations in two ways:
- IASME Cyber Baseline for organisations outside the UK that need an internationally recognised hygiene certification.
- Testing, talks and advisory work for non-UK entities that sell into the UK or global supply chains.
If you have a mix of UK and non-UK entities, we can combine Cyber Essentials for the UK side with Cyber Baseline for the rest of the group.
How do you keep our data and systems safe while you're working with us?
We apply the same principles to our own access as we recommend to clients: least privilege, strong authentication and tight logging.
Wherever possible we use read-only accounts, management portals and secure file-sharing. If we do need privileged access (for example, for penetration testing or parts of the Cyber Security Audit), it is agreed up front, tightly scoped and time-bound.
We enter into appropriate confidentiality, data protection and non-disclosure agreements as part of onboarding.
I'm not sure which service we need. Where should we start?
If you know you specifically need Cyber Essentials, Cyber Baseline or penetration testing, we can start there.
If you want a joined-up picture of risk – or are considering ongoing vCISO support – the best starting point is usually a Cyber Security Audit. It gives you an honest, plain-English view of where you stand and a Fix-First Plan that can feed directly into an ongoing programme.
A short scoping call is normally enough to confirm the right next step.
Cyber Security Audit
Questions about our flagship diagnostic – a simple, fast way to understand your real risk and what to fix first.
What is a Cyber Security Audit in plain English?
A Cyber Security Audit is a focused, time-boxed assessment of how exposed you really are today. We look at your current controls, tooling and ways of working, then show you:
- What's working well.
- Where the real risks and gaps are.
- What to fix first, and who should own it.
You get plain-English findings, a Tailored Action Plan, a stakeholder-ready summary and an evidence index of what we checked – all designed to be read and used, not filed away.
How is this different from a traditional audit or a pen test?
A penetration test tries to exploit specific weaknesses in a defined scope. A traditional audit often checks you against a long list of controls or a standard.
The Cyber Security Audit sits above those. We look across identity, infrastructure, cloud, people and process to answer a bigger question: "How exposed are we, and what should we do about it first?"
Pen tests and traditional audits are still useful – and are often a follow-on from the Cyber Security Audit – but the Audit itself is designed to give you one joined-up, business-friendly picture of risk.
Who is the Cyber Security Audit for?
It tends to be a good fit if:
- You have multiple tools and policies, but no single picture of risk.
- Cyber is on the board agenda and you need a clear story, not tool reports.
- You're considering vCISO or a wider programme and want to start from facts, not guesses.
- You're fielding questions from insurers, regulators or big customers about how you manage cyber risk.
Organisations typically range from 50–5,000 staff, but the driver is usually complexity and scrutiny rather than size alone.
What do we get at the end of the Review?
You receive four main deliverables:
- Plain-English findings – a concise summary of the issues that matter, without unnecessary jargon.
- Tailored Action Plan – prioritised actions mapped to owners, suggested timescales and effort (90-day hits plus a simple 12-month roadmap).
- Stakeholder-ready summary – a short report suitable for leadership, auditors, insurers and key partners.
- Evidence index – a list of the sources, systems and artefacts we reviewed so approvals are easier.
We walk through all of this in a readout session and leave time for questions and next-step planning.
How long does a Cyber Security Audit take?
From kickoff to readout, most Reviews are delivered in around ten business days, depending on how quickly we can get access and answers from your side.
We don't advertise fixed SLAs for every client, but we will agree a realistic schedule with you at the start based on scope and availability. If timelines are critical (for example, linked to an insurer or tender deadline), tell us early and we’ll discuss what's possible.
What level of access do you need, and will there be disruption?
We aim to keep disruption very low. Most of the work is carried out remotely using:
- Interviews and workshops with key staff.
- Read-only access to selected systems and tooling.
- Secure review of existing policies, diagrams and logs.
Where elevated access is needed (for example, to review security tooling or cloud configurations), this is agreed in advance and kept as narrow as practical.
What happens after the Review – do you help implement the plan?
Yes. The Review is designed to make the next step obvious.
Many clients choose to move into our vCISO service – flexible total security management – so we can help drive the 90-day priorities and the 12-month roadmap. If you start vCISO within 30 days, the full Audit fee is credited towards your programme.
If you prefer to implement internally or with existing suppliers, that's fine too – the plan is yours to use.
How does the "9/10 clarity or we refund" guarantee work?
We're confident that the Fix-First Plan will give you a clear, actionable view of what to do. If at the end of the Review you don't rate the plan at least 9/10 for clarity and actionability, we'll refund the fee.
There are a few practical conditions:
- We receive the read-only access and information we need within 48 hours of kickoff.
- The agreed kickoff workshop takes place.
- A decision-maker from your side attends the readout session.
This isn't a clever loophole – it's simply to ensure we're able to do a proper job.
vCISO (Virtual CISO)
vCISO is our flexible total security management service, designed around your organisation rather than fixed bronze/silver/gold tiers.
What is a vCISO and how is your service different?
A virtual CISO (vCISO) is an experienced security leader who takes ownership of your cyber programme without being a full-time employee.
Our approach is flexible total security management. Instead of rigid levels, we use a framework and assemble a programme around what you actually need – things like Cyber Essentials, policy management, monitoring, training, vulnerability management, reporting, testing and more.
You get one accountable owner, regular governance and a realistic plan that fits your size, risk and budget.
How do you decide what goes into our vCISO programme?
We follow a simple sequence:
- Understand your business, risk drivers and existing controls – usually via a Cyber Security Audit.
- Agree what "good enough" looks like for you over the next 12–24 months.
- Assemble a tailored programme from components such as vCISO support days, Cyber Essentials/CE+, monitoring, patch and vulnerability reviews, internal reviews, awareness & training, risk management, reporting, pen testing, SIEM, backup testing and more.
- Set a governance rhythm (for example, monthly or quarterly) and a simple set of KPIs.
We revisit scope regularly as your organisation and risk profile change.
Do you still offer bronze/silver/gold or fixed vCISO levels?
No. We've deliberately moved away from that model.
In practice, real organisations rarely fit neatly into three boxes. Some need lighter governance but more testing; others need intensive policy work and board engagement but don't yet require 24/7 monitoring.
Instead, we quote a custom four-weekly fee based on the agreed scope and how much ownership you want us to take.
Do we have to do a Cyber Security Audit before starting vCISO?
We strongly recommend it, because a vCISO programme only works if it's based on a clear picture of where you are today.
The Security Audit provides that baseline and a Fix-First Plan. We can then build your vCISO scope directly from those priorities. If you already have a recent, high-quality assessment from another provider, we'll review that and discuss whether a new Review is still needed.
How often will we meet our vCISO and what communication can we expect?
We agree a governance rhythm that fits your organisation – for example:
- Monthly or bi-monthly operational check-ins with your IT leads.
- Quarterly reviews and reporting for executives or the board.
- Ad-hoc calls and email support for decisions and incidents, within the agreed scope.
You'll have a named vCISO plus access to our wider team where specialist input is needed.
Does vCISO include security tools, licences or a 24/7 SOC?
vCISO is primarily about leadership and management, not reselling tools. We'll work with the tooling you already have where it makes sense and recommend changes where needed.
Where specialist capabilities are required – such as SIEM, managed detection and response or specific backup products – we can:
- Help you select and implement appropriate tools.
- Coordinate with third-party providers, including 24/7 SOC services where required.
Tooling and third-party services are usually billed separately from our vCISO fee.
How is vCISO priced and billed?
vCISO is billed as a fixed fee every four weeks. The fee reflects:
- Your size, complexity and regulatory environment.
- How much responsibility we take versus your internal team or MSP.
- The components included (for example, testing, training, monitoring, reporting).
We'll always walk through the scope line-by-line before you commit, so you know exactly what's included.
Cyber Essentials & Cyber Essentials Plus
We're an IASME Certification Body focused on "Cyber Essentials without the stress" – with remote 1-to-1 expert support, unlimited free retests and a zero-jargon approach.
What is the difference between Cyber Essentials and Cyber Essentials Plus?
Cyber Essentials (CE) is a self-assessment questionnaire covering five key technical controls. It's designed to show you have basic cyber hygiene in place and is widely used in UK supply chains.
Cyber Essentials Plus (CE+) covers the same controls but adds hands-on technical testing by an accredited assessor – checks on devices, samples of configuration, and simulated attacks such as malware and phishing.
Many organisations start with CE and then progress to CE+ when they want stronger assurance for customers, regulators or insurers.
Who needs Cyber Essentials and why is it important?
Cyber Essentials is the UK government-backed minimum cyber hygiene standard. It's commonly required when bidding for public sector work and is increasingly expected by private-sector customers and insurers.
It's particularly important if you:
- Handle personal or sensitive data.
- Provide services into regulated sectors.
- Want to demonstrate that basic cyber risks are being managed.
Even where it isn't mandatory, it provides a clear, recognised baseline to build from.
What does "Certification without the stress" mean in practice?
In short: we don't leave you to struggle alone.
- You get remote 1-to-1 expert support throughout the process.
- We carry out a pre-assessment review of your answers and evidence, highlighting gaps before anything is formally submitted.
- We explain requirements in plain English and provide practical examples rather than quoting standards at you.
- If you hit issues, we help you work through options – not just send rejection notes.
The aim is a smooth, predictable journey where you feel supported, not judged.
How do "unlimited free retests" work?
If your first Cyber Essentials submission doesn't pass, we don't charge extra for retests on the same application. You can fix the issues we've highlighted and resubmit within the allowed scheme timeframes without additional assessment fees from us.
There may still be costs on your side for any remediation work or new tooling you decide to implement – but we don't charge again for re-checking your updated answers for that application cycle.
Do you offer a "pass or your money back" guarantee?
We design our process so that, with reasonable cooperation, clients can "pass with a breeze" for Cyber Essentials. Our focus is on getting you ready before anything is formally submitted.
In some cases we may offer a "pass or your money back" commitment for Cyber Essentials where we're confident the environment and engagement model are suitable. Any such guarantee will be clearly documented in your proposal, including any pre-conditions.
We can't promise a pass in every situation – for example, where significant control gaps remain unfixed by choice – but we will always give clear, practical guidance on what's required.
Is the £25,000 cyber insurance really free?
Cyber Essentials certification through IASME currently includes an offer of free cyber insurance up to £25,000 of cover for eligible organisations, subject to IASME's own terms and conditions.
Eligibility is not automatic for every organisation (for example, there are size and turnover limits), and the insurance is provided by IASME's insurance partner, not by us directly.
We'll point you to the latest IASME documentation so you can check whether your organisation qualifies.
Can you still help us after we get the certificate?
Yes – in fact, that's often where the real work is.
Cyber Essentials and Cyber Essentials Plus represent a baseline. We can help you:
- Embed the controls into policies, procedures and training.
- Maintain compliance year-on-year as staff, systems and threats change.
- Step up to a Cyber Security Audit and vCISO for a more comprehensive security programme.
IASME Cyber Baseline
Cyber Baseline is an IASME hygiene certification for organisations outside the UK, aligned with international expectations.
What is IASME Cyber Baseline and how is it different from Cyber Essentials?
IASME Cyber Baseline is a certification that demonstrates basic but critical cyber security controls for organisations outside the UK. It maps to several international hygiene standards and is designed to be recognised by global and UK supply chains.
Cyber Essentials, by contrast, is a UK government scheme for organisations operating in the UK. Cyber Baseline fills a similar role for non-UK entities.
Who should consider Cyber Baseline?
Cyber Baseline is aimed at organisations that are based outside the UK but:
- Supply products or services into UK or international markets.
- Need to prove basic cyber hygiene to customers, investors or partners.
- Want a recognised step towards IASME Cyber Assurance.
If you are UK-based, Cyber Essentials is usually the minimum recommended standard instead.
Can a UK organisation choose Cyber Baseline instead of Cyber Essentials?
In almost all cases, no – if you are UK-based, Cyber Essentials is the recommended minimum standard and is more widely recognised in UK supply chains.
Cyber Baseline is intended for organisations outside the UK. For groups with mixed entities, we can help you combine Cyber Essentials for UK operations with Cyber Baseline for non-UK entities so you have a consistent story across the group.
How does Cyber Baseline fit with IASME Cyber Assurance or other frameworks?
Cyber Baseline is primarily about basic hygiene. It aligns with controls that appear in other standards and frameworks, making it a useful stepping stone.
For organisations that later want to move to IASME Cyber Assurance or align more closely with frameworks such as ISO 27001 or NIST CSF, Cyber Baseline helps establish the fundamentals and creates useful documentation and evidence.
What does the Cyber Baseline process look like with you?
The experience is similar in spirit to our Cyber Essentials work:
- We explain the requirements in clear, non-technical language.
- You get remote support from an assessor to interpret questions and understand what evidence is needed.
- We carry out a review before anything is formally submitted, so issues can be addressed proactively.
The exact evidence and controls required will depend on your environment and the latest IASME scheme documents.
Penetration Testing
Manual, in-depth security testing by an in-house CREST-certified penetration tester – focused on what an attacker could actually do.
What is penetration testing and when do we need it?
Penetration testing ("pen testing") is a manual security test where a specialist attempts to find and exploit weaknesses in your systems, applications or networks, in a controlled and authorised way.
You typically need it when you are:
- Launching or significantly changing an internet-facing system.
- Handling sensitive data such as financial, health or personal information.
- Required to do so by customers, regulators or internal policy.
It's also valuable periodically (for example, annually) to validate that controls are effective and that new issues haven't crept in.
What types of penetration tests do you offer?
Our in-house CREST-certified tester delivers a range of engagements, including:
- External infrastructure tests – focused on internet-facing systems like firewalls, VPNs and public-facing servers.
- Internal tests – simulating an attacker who already has some level of internal access (for example, a compromised workstation).
- Web application tests – focused on specific web apps, APIs or customer portals.
- Component tests – targeted testing of particular services like VPNs, remote access gateways or critical line-of-business systems.
We'll help you choose the right mix based on your objectives and risk profile.
How is penetration testing different from vulnerability scanning?
Vulnerability scans are automated checks that look for known weaknesses (for example, missing patches or misconfigurations) and list them for remediation.
Penetration testing goes further. A tester thinks and acts like an attacker – chaining weaknesses together, exploring edge cases and demonstrating potential impact (for example, "we were able to access sample customer records").
In practice, organisations often use both: regular scanning for continuous hygiene, and periodic pen tests for deeper assurance and real-world scenarios.
Will penetration testing disrupt our systems or users?
Pen tests are designed to be safe, but they are intentionally probing and sometimes aggressive. We manage this risk by:
- Agreeing a clear scope, rules of engagement and timing.
- Coordinating with your IT team to avoid sensitive periods.
- Discussing any particularly fragile systems up front so they can be tested cautiously or excluded if necessary.
It's rare for a well-planned test to cause noticeable disruption, but we always have an escalation route if something unexpected occurs.
What do we receive after a pen test and do you help fix the issues?
You'll receive:
- A technical report with detailed findings, evidence and remediation guidance.
- A management summary in plain English, focused on risk and priorities.
- A debrief session where we talk through results and answer questions.
We can also work with your IT team or MSP to help interpret and prioritise fixes, and – if you wish – provide follow-up testing to confirm that critical issues have been addressed.
Vulnerability Scanning
Regular, automated scans that spot known weaknesses early – with clear, prioritised reports so you know what to fix first.
What is vulnerability scanning and why is it important?
Vulnerability scanning uses automated tools to look for known weaknesses in your systems – missing patches, outdated software versions, misconfigurations and similar issues.
It's important because new vulnerabilities are discovered constantly. Regular scanning helps you spot and prioritise issues before attackers do, and demonstrates ongoing diligence to auditors and insurers.
How is this different from our patch management tool?
Patch management tools focus mainly on deploying updates to operating systems and certain applications.
Vulnerability scanners use large databases of known issues and test for them directly – including configuration weaknesses, missing hardening steps and third-party components your patch tooling may not cover.
Together, they provide a stronger picture: one helps apply fixes; the other helps prioritise and verify them.
How often should we run vulnerability scans?
Frequency depends on your risk profile and regulatory environment, but common patterns include:
- Monthly internal and external scans for core systems.
- Additional scans after major changes or new deployments.
- More frequent scanning (for example, weekly) for high-risk or internet-facing environments.
We'll help you agree a schedule that balances risk, effort and noise.
Do you just send us a tool report or help interpret the results?
Raw scanner output can be overwhelming. We provide prioritised, human-readable reports that highlight:
- Which issues are most urgent and why.
- What can probably wait for a future cycle.
- Where there are recurring themes that may need a process change, not just one-off fixes.
We can also walk through results with your IT team or MSP so they're clear on what to tackle first.
How does vulnerability scanning relate to penetration testing?
Think of vulnerability scanning as regular health checks and penetration testing as a detailed medical examination.
Scanning gives you frequent, broad coverage of known weaknesses. Pen testing goes deeper and looks at how issues could be chained together in real attack paths.
We often combine both: regular scanning for hygiene, and scheduled pen tests for higher-risk systems or before major launches.
Cyber Security Talks
Live, plain-English sessions that help real people make better day-to-day security decisions – without scare tactics or shaming.
What are Cyber Security Talks and who are they for?
Cyber Security Talks are live sessions – in-person or remote – aimed at staff who don't live and breathe cyber security. They're story-driven, practical and interactive.
They're ideal for mixed audiences: administrators, managers, frontline staff, technical teams and leadership all in the same room (or call).
What topics can you cover in a session?
We tailor each talk to your context, but common themes include:
- Real-world phishing and social engineering stories.
- Everyday security habits – passwords, MFA, devices and remote working.
- What to do (and not do) if something looks suspicious.
- Why cyber matters to your specific organisation and the people you serve.
- Lessons learned from real incidents (anonymised where appropriate).
We can also align content with campaigns such as Cyber Essentials, Cyber Baseline or vCISO programmes.
Are the talks very technical?
No. The emphasis is on plain English, relatable examples and clear takeaways rather than deep technical detail.
We're happy to take more technical questions during Q&A, but the core content is designed so that someone who doesn't work in IT can understand and act on it.
How long are the sessions and can they be recorded?
Most talks run for 45–60 minutes plus Q&A, but we can adapt to shorter "lunchtime" or extended workshop formats.
Recording is usually possible for remote sessions if agreed in advance, so staff who can't attend live can catch up later. For in-person sessions we can work with your AV team if you want to record internally.
How do talks fit into a wider awareness and training programme?
Talks are a great way to kick-start or refresh awareness – especially when linked to real changes, such as new policies, MFA roll-outs or phishing simulations.
As part of vCISO or broader programmes we can help you plan an ongoing awareness calendar, combining talks with shorter refreshers, targeted sessions for higher-risk teams and practical exercises.
Pricing & Process
How quoting, scoping and billing work across our services – and what to expect when you engage us.
How do we get a quote and what information do you need?
The quickest way is to contact us with a short description of:
- Your organisation type and approximate size.
- Which service(s) you're interested in (for example, Cyber Essentials, pen testing, Cyber Security Audit, vCISO).
- Any deadlines or drivers (for example, a tender, insurance renewal or audit).
We'll usually suggest a brief call to clarify scope and then send a written proposal with clear inclusions.
Do you publish fixed prices for everything?
Some services, such as Cyber Essentials certification and the Cyber Security Audit, are offered on a fixed-fee basis once we understand your scope.
Others, like vCISO programmes and certain testing engagements, are more variable. In those cases we provide a custom quote based on your size, complexity and the level of ownership you want from us.
We'll always be upfront about what is and isn't included so there are no surprises.
How do payment terms work for the Cyber Security Audit and vCISO?
The Cyber Security Audit is typically billed as a fixed fee, with options such as:
- 50% on engagement and 50% on delivery, or
- three staged payments over the Review period.
vCISO programmes are billed every four weeks at the agreed fixed rate. For longer-term relationships we can discuss notice periods and review points that suit both sides.
Are tools, licences and third-party services included in your prices?
Generally, no – our fees cover our expertise, time and management. Tooling and third-party services (for example, SIEM platforms, backup products or 24/7 SOC providers) are usually billed separately.
We're happy to work with tools you already own, help you select new ones where needed, and coordinate with other providers as part of your programme.
Will there be extra charges if the scope changes?
Scope changes do sometimes happen – for example, adding extra systems to a pen test or increasing the number of sites in a vCISO programme.
Where changes are material, we'll discuss them with you in advance and agree how they affect timelines and fees before proceeding. Minor adjustments are usually absorbed into the existing engagement.
Support & Account Management
How we work with you day-to-day, who you'll deal with and how to get help when you need it.
Who will be our main point of contact?
For most engagements you'll have a named lead – for example, your assessor for Cyber Essentials or your vCISO for ongoing programmes.
Behind them sits a small, consistent team rather than a constantly rotating cast. This helps us build a proper understanding of your organisation over time.
What support hours do you offer?
Standard engagement and account queries are handled during normal UK business hours. For planned work we'll always agree times that suit both sides.
If you require out-of-hours or 24/7 response for certain services, we can discuss this as part of scoping – either by extending our involvement or working alongside specialist providers.
How do we raise an urgent security concern or incident?
If you're an existing client and something urgent happens, you can contact your usual lead and follow the incident contact process agreed in your statement of work.
For vCISO clients we'll agree escalation paths and response expectations, and can help you design your own internal incident process as part of the programme.
How do you work with our internal IT team or MSP in practice?
We aim to make life easier for your existing teams, not harder. Typically that means:
- Agreeing who owns what – for example, we may own the risk register and roadmap, while IT owns day-to-day implementation.
- Joining regular IT or supplier meetings to keep everyone aligned.
- Translating board priorities into clear, realistic tasks for technical teams.
We're used to working collaboratively with MSPs and internal teams of all sizes.
Can we adjust scope or pause services if our situation changes?
Yes. We recognise that budgets, priorities and leadership focus can shift.
For ongoing services like vCISO we build in review points where we can adjust scope – up or down – and we'll agree notice periods that give both sides reasonable certainty without locking you into something that no longer fits.