Precursor Security
Compliance Services | CREST Accredited | CE from £1,500

Your Compliance Gap Is Already Costing You Contracts.

UK cyber security compliance services for organisations facing real commercial and regulatory pressure. Cyber Essentials for government contracts. ISO 27001 for enterprise supply chains. GDPR and PCI DSS when a regulator or acquirer asks. Fixed pricing. No offshoring.


Precursor Security provides cyber security compliance services for UK organisations across all major frameworks: Cyber Essentials Certification (from £300), ISO 27001 Consultancy, UK GDPR data protection assessments, PCI DSS Compliance Testing, and UK Cyber Security Resilience Bill readiness. As a CREST-accredited firm, our compliance programmes are backed by active offensive and defensive security practices: certifications reflect genuine control strength, not just documentation. All services are delivered by UK-based consultants. Pricing is fixed upfront. ISO 27001 gap analysis is delivered within two weeks of engagement. Cyber Essentials certification is achievable within days. Organisations without current documentation face real consequences: the ICO issued £12.7M in fines in 2024, and failing a Cyber Essentials assessment can cost government contract bids worth six figures.

  • CREST Accredited: Independently verified security competence
  • CE from £1,500: Fixed price, no hidden fees
  • ISO 27001 in 90 Days: Structured certification pathway
  • 100% UK-Staffed: No offshoring. UK-based consultants.
Framework Navigator

Which Compliance Framework Do You Need?

Your trigger determines your framework. Most organisations face one clear commercial driver.

  • Government contract required it: Cyber Essentials (timeline: days)
  • Enterprise client demanded it: ISO 27001:2022 (timeline: 90 days)
  • ICO inquiry or SAR received: UK GDPR (timeline: immediate)
  • Acquirer compliance letter: PCI DSS v4.0 (timeline: 4-8 weeks)
  • Multiple obligations: Compliance Roadmap (timeline: scoped)
Our Services

Cyber Security Compliance Services

Five frameworks. One CREST-accredited partner. Fixed pricing and genuine control implementation, not just documentation.

Cyber Essentials

Cyber Essentials Certification

Required for UK government contracts and increasingly demanded by enterprise supply chains. We guide your team through the five technical controls: firewalls, secure configuration, access control, malware protection, and patch management, and manage the certification submission. Basic certification from £300. Plus audit (with technical verification) from £1,500. Fixed price. Certified within days, not weeks.

  • NCSC-backed scheme, required for MOD/government contracts
  • v3.3 compliant (April 2026 Danzell update supported)
  • Self-assessment support and CE+ technical audit
  • Annual recertification managed for you
Also available: Cyber Essentials Plus Certification from £1,500, includes full technical audit.
ISO 27001

ISO 27001 Consultancy

Full ISMS implementation: gap analysis against ISO 27001:2022 controls, Statement of Applicability (SoA), risk treatment plan, policy and procedure development, and Stage 1/Stage 2 audit preparation. We do the work, not just the templates. Most organisations achieve certification in 90 days with our structured programme. Fixed-price scoped engagement, quote within 48 hours.

  • Gap analysis and remediation roadmap within two weeks
  • Annex A controls mapped to your existing processes
  • Stage 1 and Stage 2 audit preparation and attendance
  • ISO 27001:2022 (current standard, not deprecated 2013 version)
CSRB 2025

UK Cyber Security Resilience Bill 2025

Forthcoming UK legislation mandating specific cyber security requirements across critical sectors. Organisations that delay readiness will face mandatory incident reporting obligations and supply chain security requirements under the Bill. Prepare now, before the compliance deadline arrives. Scoped assessment with clear remediation roadmap.

  • Readiness assessment against Bill requirements
  • Mandatory incident reporting programme
  • Supply chain security obligations addressed
  • Forthcoming legislation: prepare now
Data Protection

GDPR Compliance Services

Whether you have received a subject access request, an ICO inquiry, or a client contract requiring GDPR evidence, we assess your actual exposure and fix it. We produce the Article 30 ROPA, conduct DPIAs on high-risk processing activities, and map your technical controls against Article 32 requirements. We also connect your breach detection capability to the 72-hour notification clock. Assessments from a fixed day-rate, scoped to your data landscape.

  • Article 30 Records of Processing Activities (ROPA)
  • Data Protection Impact Assessments (DPIAs)
  • Article 32 technical and organisational measures gap analysis
  • Breach notification readiness (72-hour ICO requirement)
PCI DSS V4.0

PCI DSS v4.0 Compliance Testing

If your acquirer or payment processor has asked you to validate PCI DSS compliance, we identify which SAQ applies to your environment, assess your cardholder data environment (CDE), and provide a clear remediation roadmap. Our penetration testing satisfies Requirement 11 without requiring a full QSA engagement for most mid-market merchants. Gap analysis and Requirement 11 testing, scoped to your CDE.

  • Determine correct SAQ type (A through D) for your setup
  • Cardholder data environment (CDE) gap analysis against PCI DSS v4.0
  • Requirement 11 penetration testing and ASV scanning
  • Network segmentation testing for scope reduction
Service Catalogue

Full Penetration Testing Catalogue

Comprehensive penetration testing services tailored to your environment.

Free Scoping Call

Ready to Certify? Or Not Sure Where to Start?

Whether you need Cyber Essentials in a week or an ISO 27001 implementation in 90 days, we scope, quote, and deliver. CREST-accredited. Fixed pricing. UK-based.


Frequently Asked Questions

Pricing, frameworks, timelines, and what to expect from a compliance engagement.

We offer ISO 27001 consultancy (gap analysis, implementation, internal audit), Cyber Essentials and Cyber Essentials Plus certification, GDPR data protection assessments, PCI DSS compliance testing, and UK Cyber Security Resilience Bill (CSRB) readiness programmes. All services are delivered by experienced UK-based consultants. Precursor Security is CREST-accredited and has supported UK organisations through Cyber Essentials, ISO 27001, and GDPR compliance programmes.

Cyber Essentials certification starts from £1,500. Cyber Essentials Plus, which includes a full technical audit, starts from £3,000. We provide fixed pricing with no hidden fees. Annual recertification is managed for you.

Most organisations achieve ISO 27001 certification in 90 days with our structured programme. A typical implementation covers gap analysis and remediation roadmap (delivered within two weeks), risk assessment, Statement of Applicability, policy development, Annex A control implementation, and Stage 1/Stage 2 audit preparation. Larger organisations with complex environments may require 4-6 months.

Yes. We conduct GDPR data protection impact assessments (DPIAs), gap analyses against Article 32 requirements, Article 30 Records of Processing Activities (ROPA), and provide ongoing advisory services. Our assessments also identify where technical controls support your GDPR obligations, including the 72-hour breach notification requirement. The ICO issued £12.7M in fines in 2024: organisations without current ROPAs and documented lawful bases face significant exposure.

Yes. We identify which SAQ applies to your environment, assess your cardholder data environment against PCI DSS v4.0, and provide a clear remediation roadmap. Our penetration testing satisfies Requirement 11 without requiring a full QSA engagement for most mid-market merchants. Acquirers can impose non-compliance fines of up to £5,000 per month and ultimately terminate merchant accounts.

The CSRB is forthcoming UK legislation that will mandate specific cyber security requirements for organisations in critical sectors. This includes mandatory incident reporting, supply chain security obligations, and proactive security measures. We help organisations prepare through readiness assessments, gap analyses, and implementation of the required controls.

Cyber Essentials certification is valid for 12 months from the date of issue. Organisations must recertify annually to maintain their certification status. This applies to both Cyber Essentials Basic (self-assessment) and Cyber Essentials Plus (with technical audit). The April 2026 v3.3 update (Danzell) introduced changes to MFA requirements and cloud service scope: organisations renewing after April 2026 must meet the updated requirements.

Cyber Essentials Basic is a self-assessment questionnaire (SAQ) in which your organisation declares that the five technical controls are in place. Cyber Essentials Plus includes everything in the Basic scheme plus an independent technical audit: an assessor tests your systems to verify that your self-assessment answers are accurate. Basic starts from £1,500; Plus starts from £3,000. For government contracts requiring CE+, only the Plus certification satisfies the requirement.

Cyber Essentials covers five foundational technical controls and is designed to protect against the most common commodity attacks. ISO 27001 is a comprehensive information security management system (ISMS) standard covering 93 controls across 11 domains: risk management, asset management, supplier security, incident management, and more. Most UK organisations pursue Cyber Essentials first (as it is required for government contracts) and then ISO 27001 when enterprise clients or investors demand a more rigorous framework. The two share control overlap, which means implementing ISO 27001 after Cyber Essentials requires less incremental effort.

The answer depends on your primary commercial driver. If you are bidding for government or MOD contracts, Cyber Essentials is mandatory and should come first: certification can be achieved in days. If enterprise clients or investors are demanding security assurance, ISO 27001:2022 is the recognised standard and typically takes 90 days with structured consultancy support. If you have received an ICO inquiry or a client is requiring GDPR evidence, GDPR compliance should be addressed immediately. If your acquirer has sent a PCI DSS compliance letter, that is your priority. If you face multiple obligations simultaneously, a compliance roadmap assessment identifies the most efficient sequence and control overlaps.

If your Cyber Essentials assessment identifies non-compliant controls, you will receive a report detailing the specific areas that require remediation. You can remediate the identified gaps and resubmit your self-assessment: there is no penalty for failing on the first attempt. For organisations working towards a contract deadline, we recommend a pre-assessment review to identify and fix gaps before the formal submission, avoiding delays in certification.