Cyber Essentials Plus for a Multi-Site Warehousing Operator

Business challenge

A warehousing firm needed Cyber Essentials Plus to bid for a major retailer contract worth over £2 million annually. They had failed a previous attempt.

Operational risk

A failed first attempt at Cyber Essentials Plus had created scepticism inside the leadership team, a £2m retailer contract was conditional on certification within 60 days, and the IT estate had grown by two sites since the previous attempt.

Potential impact

A second failure would have cost the contract, damaged the relationship with the retailer's procurement team for any future tender, and made the next cyber insurance renewal materially harder.

Approach

We ran a pre-assessment, fixed gaps across MFA, patching, and admin separation, documented every control, and project-managed the certification body engagement.

Actions taken

• Ran a pre-assessment against the live environment and produced a gap list ranked by effort and risk
• Closed gaps across MFA, patching cadence, admin account separation and unsupported software within four weeks
• Built a reusable evidence pack of screenshots, asset lists and policy references aligned to the IASME questionnaire
• Project-managed the certification body engagement and attended the audit alongside the IT lead

Outcome achieved

Certification passed first time on the new attempt. The retailer contract was secured, and the same documentation is now reused for two further tenders.

Lessons learned

• Most first-attempt failures are caused by the same handful of controls: MFA on cloud admins, BYOD without policy, and unsupported endpoints
• An evidence pack built for one certification answers most of the next two tenders without further work
• Certification is an operational programme, not a one-off project: the controls have to survive 12 months of business change