Baseline Cyber Hygiene

Start strong with foundational controls. We help you meet essential security baselines like Cyber Essentials, ISO27001, and GDPR — with practical guidance, audits, and remediation support.

Baseline Cyber Hygiene forms the essential foundation of any resilient cybersecurity posture. It involves a set of critical controls and best practices that all organisations—regardless of size, sector, or maturity—must have in place to defend against common threats. At IGCCD, we help you establish strong, practical cyber hygiene practices that protect your assets, ensure compliance, and reduce the attack surface without overwhelming your internal teams.

  • Gap Reviews & Baseline Assessments

    We conduct comprehensive reviews of your existing cybersecurity posture to identify gaps against industry benchmarks such as the CIS Controls, NCSC’s 10 Steps, and ISO 27001. These assessments provide a practical roadmap to closing high-risk vulnerabilities and building maturity from the ground up.

    GDPR Compliance Assessment

    We assess your organisation’s data protection practices against the UK GDPR and Data Protection Act. Our service includes gap identification, documentation reviews (e.g., privacy notices, consent forms), and readiness checklists that prepare you for regulatory scrutiny.

    ISO 27001 Gap Review

    For organisations looking to align with or certify against ISO 27001, we perform readiness assessments to identify compliance shortfalls across your ISMS scope. This includes policy reviews, control testing, and improvement plans tailored to your risk environment.

    PCI DSS SAQ Help

    Payment environments require strict control. We help merchants and service providers interpret and complete the right PCI Self-Assessment Questionnaire (SAQ), providing both technical and policy support to ensure accurate, validated compliance.

    Microsoft 365 / Google Workspace Audits

    We audit configurations of M365 and Google Workspace platforms to enforce best practices around identity, access control, multi-factor authentication, data loss prevention, and logging—areas often misconfigured in SME environments.

    Firewall / Endpoint Reviews

    Our technical experts assess firewalls, EDR/XDR, and endpoint configurations to ensure they are properly hardened, monitored, and aligned with modern threat detection and response needs.

    • You’ve never had a formal cybersecurity assessment.

    • You’re preparing for a certification or compliance audit.

    • You’ve experienced a breach or near miss and want to improve defences.

    • Your IT team lacks the time or expertise to do a full controls review.

    • You’ve recently moved to Microsoft 365 or Google Workspace and want it secured.

  • Our baseline hygiene process begins with an initial discovery session and asset mapping. We then benchmark your current controls, policies, and configurations against a chosen framework (CIS, NIST CSF, ISO, etc.). Our team provides you with clear, prioritised actions—mapped to risk severity and business impact. Where needed, we help implement or fine-tune technical controls and train your team on maintaining hygiene long-term.

    • CIS Critical Security Controls

    • NCSC Cyber Essentials & 10 Steps

    • ISO/IEC 27001:2022

    • UK GDPR / DPA 2018

    • PCI DSS v4.0

    • Microsoft Secure Score / Google Admin Best Practices

    • Cyber Hygiene Gap Report – A detailed list of weaknesses and risk-rated remediation actions.

    • Compliance Readiness Summary – Tailored for GDPR, ISO 27001, or PCI DSS.

    • M365/Google Audit Report – Including tenant misconfigurations and recommendations.

    • Policy & Procedures Templates – For data protection, access control, backups, etc.

    • Firewall/Endpoint Configuration Report – Analysis and hardening guidance.

  • We use a mix of enterprise-grade and open-source tools:

    • Tenable.io / Nessus for vulnerability checks

    • CIS CAT Pro for configuration benchmarking

    • Microsoft Secure Score / Google Admin Toolbox

    • PCI SAQ tools and scoping guides

    • Endpoint assessment via CrowdStrike, Defender, SentinelOne

    • Provide access to platforms and systems (e.g., cloud tenant, firewall interface).

    • Share existing policies, templates, and configurations where available.

    • Identify key stakeholders for interviews (e.g., IT lead, data protection officer).

    • Agree on the compliance framework or baseline benchmark to use.

    • Cyber Hygiene Assessment: 2 weeks

    • GDPR Gap Review: 1–2 weeks

    • M365/Google Audit: 1 week

    • PCI SAQ Support: 1–3 weeks depending on SAQ type

    • ISO 27001 Pre-Audit: 3–4 weeks

    Key Milestones:

    1. Kickoff & Scoping

    2. Controls & Compliance Mapping

    3. Technical Review / Evidence Gathering

    4. Draft Reports & Remediation Plan

    5. Final Presentation & Action Handover

    • Risk: Overwhelming remediation workload
      Mitigation: Prioritised action plans with low-cost, high-impact fixes first.

    • Risk: Misinterpreting PCI SAQ questions
      Mitigation: Guided walkthroughs by qualified consultants.

    • Risk: Cloud misconfigurations go unnoticed
      Mitigation: Automated tools and manual inspection to ensure deep visibility.

  • Q: I already have antivirus and a firewall—isn’t that enough?
    Not quite. Today’s threats require multi-layered controls, secure configurations, and awareness of misconfigurations across cloud and on-prem systems.

    Q: Will this help me pass Cyber Essentials?
    Yes. Our hygiene package maps directly to the five technical controls required by Cyber Essentials and Cyber Essentials Plus.

    Q: Is this only for large companies?
    No. We work with SMEs, public sector teams, and large enterprises alike. Everyone needs a solid baseline.

    • Cyber Hygiene Assessment: From £3,500

    • GDPR Gap Review: From £2,500

    • PCI SAQ Assistance: From £1,800

    • Cloud Security Audit (M365 / Google): From £2,000

    • Annual Cyber Hygiene Retainer: Bespoke pricing for quarterly reviews

"Good cyber hygiene: because 'Oops' isn't a security strategy."