The PICMS Security Pack covers the five Cyber Essentials control areas plus ISO 27701 privacy management — designed for UK SMEs needing CE certification for tender qualification or as a stepping stone to full ISO 27001. £89/month, no separate ISO subscription required to get started.
Cyber Essentials is the UK government-backed scheme run by IASME — five technical control areas with a pass/fail self-assessment (CE) or independent verification (CE Plus). Most UK B2B contracts now demand CE as a baseline for any IT-handling supplier.
The CE assessment is essentially a yes/no questionnaire across five technical control areas. Each question maps to specific evidence — software inventory, firewall rules, user account list, MFA configuration screenshots, patch reports. The assessor isn't there to read your security policy; they're checking whether you can produce the evidence within minutes when asked.
Most UK SMEs come to CE under tender pressure — "we need to be CE certified by Q3 or we lose the contract" — and discover that gathering the evidence is the hard part, not the controls themselves. PICMS is designed for that scramble. Upload your assets, point each one at the relevant control area, attach evidence (screenshots, exported reports, policy docs), and the assessment becomes a structured walk-through rather than a fire drill.
Boundary firewalls and internet gateways configured to deny insecure inbound traffic, with documented business justification for any open ports. Default passwords changed, admin access restricted.
Devices and software configured to reduce attack surface: unnecessary user accounts removed, default passwords changed, unused software uninstalled, auto-run/auto-play disabled where possible.
All software within scope kept up to date: licensed and supported, automatic updates enabled where possible, security patches applied within 14 days of release, end-of-life software removed.
Account creation under formal process, separate admin and user accounts, admin privileges granted only when needed, MFA on cloud services and admin access, account removal when staff leave.
Anti-malware tooling on all in-scope devices, automatic updates and scans, application allow-listing on servers, sandboxing for untrusted content where applicable.
Cyber Essentials Plus adds independent verification — an external assessor running their own scans and tests against your environment to verify the controls are actually configured as claimed. Most prime contractors require CE Plus rather than self-assessed CE.
Every CE question linked to a control area in PICMS. Evidence uploaded per question, dated, owner-attributed, reviewable by the assessor.
Devices, software, network gear inventoried. Each asset linked to its CE scope membership and to the control areas that apply.
User account list with role, admin/standard split, MFA status, joiner-mover-leaver logs. CE Area 4 evidence in one place.
Acceptable Use Policy, Information Security Policy, Patch Management Policy — version-controlled, approved, distribution tracked.
Security incidents logged with chain-of-custody. CE doesn't mandate incident management but ISO 27701 does — PICMS covers both.
9 ISO 27701 PIMS clauses for privacy management — UK GDPR alignment, controller/processor records, data subject rights tracking, transfer impact assessments.
Per-person training records with expiry tracking. Phishing test results, induction completion, refresher cycle.
CE → ISO 27001 is a common upgrade path. PICMS makes the transition incremental — your CE evidence becomes 27001 Annex A evidence without re-uploading.
Auditor-credible vendors don't pretend software replaces engineering. PICMS does not:
What PICMS does is give you, your team and your assessor a single source of truth — so the certification visit is a verification exercise, not a documentation hunt.
PICMS Cyber Essentials uses the Security Starter tier:
14 days free, full feature access, no credit card surprise. Built by an IRCA Registered Principal Auditor — auditor-credible from day one.