Case study · Composite example
Helping a 35-user solicitors firm get Cyber Essentials Plus
This is an illustrative composite scenario, not a real named customer.
We'd rather show a realistic story than a fake one. When we have named customers willing to be quoted, they'll replace these examples.
The situation
A 35-user solicitors firm — a mixed-practice firm handling conveyancing, family law, and commercial property — was informed by their professional indemnity insurer that Cyber Essentials Plus certification would be required at renewal. They had eight weeks.
The firm had no dedicated IT person. They'd been relying on a local MSP for reactive support, and their infrastructure was a mixture of managed and unmanaged assets: firm-issued Windows laptops, a couple of older machines running Windows 10 without current patching, and a cloud-hosted case management system accessed by all fee earners. Their M365 tenant had been set up several years earlier and had accumulated configuration drift: guest access left enabled, shared mailboxes with broad permissions, MFA enforced for some users but not all.
The firm joined us mid-cycle — not because they wanted to switch IT support, but because their existing MSP didn't have the bandwidth to lead a CE+ readiness project. We were brought in specifically for the certification work, with the day-to-day support running in parallel.
What we rolled out
Week one: agent deployment across all 35 devices. The rollout was straightforward for 31 of the machines — M365-managed, Intune-enrolled, agent installed via policy. The four older machines needed a manual installer run by a member of the firm's admin team with a step-by-step guide from us. All 35 devices were live within three working days.
With the agents deployed, the AI ran a baseline readiness scan against the five Cyber Essentials technical controls: boundary firewalls and internet gateways, secure configuration, access control, malware protection, and patch management. The scan produced a prioritised remediation list within 24 hours of the last device checking in.
What the AI flagged
The readiness scan surfaced a number of issues that are common for solicitors firms of this size and vintage. For a composite firm at this profile, typical findings include:
- Patch compliance — three machines were running software versions more than 14 days behind on critical patches. The AI identified the specific applications (an older version of Adobe Reader and two machines still running a legacy VPN client) and produced the update instructions automatically. Two were resolved without escalation; the third required manual intervention.
- MFA gaps — nine of the 35 users had MFA enabled but not enforced; six had not completed MFA setup at all. The AI identified the specific accounts and produced a remediation list for the firm's M365 admin. An engineer implemented Conditional Access policies to enforce MFA across the tenant.
- Secure configuration — guest access was enabled at the tenant level. The AI flagged this with the specific M365 admin centre setting to change. The engineer reviewed and applied the change, confirming first that no active external collaborators would be affected.
- Local administrator accounts — four machines had local admin accounts that were unnecessary. The AI flagged these; an engineer removed the accounts during a remote session.
- Firewall verification — CE+ requires evidence, not just self-assertion. The AI produced the configuration export from each endpoint; the UK engineer packaged this into the evidence portfolio for the assessor.
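The checks listed above, written out as an added example (not the product's own code and not taken from a real engagement): a short Python triage that applies the 14-day critical-patch threshold, the two MFA gap states, the guest-access setting and the local-admin check to an inventory export. The record layout, field names, priority ordering and sample data are all constructed assumptions.

```python
from datetime import date

PATCH_WINDOW_DAYS = 14  # threshold quoted in the patch-compliance finding

# Constructed sample data; the field names are assumptions, not a real export format.
TODAY = date(2024, 3, 20)
DEVICES = [
    {"host": "LT-01", "admins": ["Administrator"], "pending_critical": []},
    {"host": "LT-02", "admins": ["Administrator", "tempsetup"],
     "pending_critical": [("Adobe Reader", date(2024, 3, 1))]},
    {"host": "LT-03", "admins": ["Administrator"],
     "pending_critical": [("Legacy VPN client", date(2024, 3, 6))]},
]
APPROVED_ADMINS = {"Administrator"}
USERS = [
    {"upn": "alice@example.test", "mfa_registered": True, "mfa_enforced": True},
    {"upn": "bob@example.test", "mfa_registered": True, "mfa_enforced": False},
    {"upn": "carol@example.test", "mfa_registered": False, "mfa_enforced": False},
]
TENANT = {"guest_access_enabled": True}


def assess(devices, users, tenant, today):
    """Return findings as (priority, control, subject, detail), most urgent first."""
    findings = []
    for dev in devices:
        for app, released in dev["pending_critical"]:
            age = (today - released).days
            if age > PATCH_WINDOW_DAYS:  # exactly 14 days is still inside the window
                findings.append((1, "patch management", dev["host"],
                                 f"{app}: critical patch outstanding {age} days"))
        extra = sorted(set(dev["admins"]) - APPROVED_ADMINS)
        if extra:
            findings.append((2, "access control", dev["host"],
                             "unapproved local admins: " + ", ".join(extra)))
    for user in users:
        if not user["mfa_registered"]:
            findings.append((1, "access control", user["upn"], "MFA not set up"))
        elif not user["mfa_enforced"]:
            findings.append((2, "access control", user["upn"],
                             "MFA enabled but not enforced"))
    if tenant["guest_access_enabled"]:
        findings.append((2, "secure configuration", "tenant", "guest access enabled"))
    return sorted(findings)


if __name__ == "__main__":
    for priority, control, subject, detail in assess(DEVICES, USERS, TENANT, TODAY):
        print(f"P{priority}  {control:<20}  {subject:<20}  {detail}")
```

LT-03 is deliberately left unflagged on the sample date because its patch is exactly 14 days old; one day later it appears in the list.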
Where humans stepped in
Cyber Essentials Plus is not just a technical exercise — it involves an external assessor conducting a vulnerability scan and reviewing evidence. The AI cannot do this work on its own, and it's right that it doesn't try.
UK engineers handled the following directly:
- Evidence packaging — the CE+ assessor required structured evidence for each control. An engineer collated the AI-generated scan outputs, supplemented them with manual screenshots and configuration exports, and organised them into the required format.
- Assessor liaison — when the assessor's vulnerability scan raised a question about the firm's case management system's update status (hosted externally by a third-party vendor), an engineer contacted the vendor directly, obtained the patch confirmation letter, and provided it to the assessor.
- Pre-assessment dry run — the week before the formal assessment, an engineer ran a simulated assessment against the firm's environment using the assessor's own toolset. Two minor issues were identified and resolved before the formal scan.
Outcome
In a typical engagement of this type, the timeline runs to around 6–8 weeks from agent deployment to certificate issued. The breakdown looks roughly like this:
- Weeks 1–2: agent deployment and baseline readiness scan
- Weeks 2–4: remediation of flagged items, MFA enforcement, patch catch-up
- Weeks 4–5: evidence packaging, pre-assessment dry run
- Weeks 6–7: formal external assessment and minor issue resolution
- Weeks 7–8: certificate issued
For a firm at this scale, we'd expect a CE+ readiness project to cost less than £2,000 in engineer time above the standard £10/user/month subscription — because the AI handles the diagnostic and evidence-gathering work that would otherwise require many hours of consultant time.
Beyond the certificate, the firm ends up with an M365 tenant in materially better shape than when it started: enforced MFA, no unnecessary guest access, patched devices, and a clear record of its configuration state. That's useful for the next renewal, and for any future insurer queries, well in advance of a deadline.