Built for firms the regulator is watching.
We manage IT for financial services and other regulated businesses — where “it works” isn’t enough, and you have to prove it. Cyber Essentials, DORA and FCA operational resilience: handled, evidenced, and ready for audit.
Over five years delivering technology for financial services — both at an MSP and in-house. We’ve sat on both sides of the audit, so we know what an assessor asks for before they ask it.
Cyber Essentials & Cyber Essentials Plus.
The security baseline clients, insurers and the FCA increasingly expect. We get you certified and keep you there — closing the five control areas and handling the annual reassessment as part of running your estate.
Gap assessment
We map your estate against the five Cyber Essentials controls and tell you plainly what stands between you and certification — no jargon, no padding.
Firewalls · access · patching · malware · secure configRemediation, handled
We don’t just hand you a report. We close the gaps — MFA, patching, device hardening, admin control — as part of managing your estate.
Fixed, not just flaggedCyber Essentials Plus
The hands-on, audited tier insurers and larger clients increasingly expect. We prepare you for the assessor’s testing and sit alongside you through it.
Independent assessment · hands-on testingStay certified
Certification lapses after a year. We maintain the controls and manage the annual reassessment, so it never becomes a last-minute scramble.
Annual reassessment managedDORA readiness.
The EU’s Digital Operational Resilience Act is in force. If your firm operates in or serves the EU, your ICT risk management, incident reporting and third-party oversight have to meet it. We prepare the technology — and the evidence.
ICT risk-management framework
The controls, monitoring and documentation DORA’s risk-management requirements expect — put in place, kept current, and written down.
Governance · controls · documentationIncident detection & reporting
Classification, logging and reporting workflows for ICT-related incidents, set up so you can meet the reporting timelines rather than scramble against them.
Classify · log · report to deadlineICT third-party register
A maintained register of your ICT suppliers and the concentration risk they carry — the supplier oversight DORA requires, kept live rather than rebuilt at audit.
Supplier register · concentration riskResilience testing
Regular testing of your operational resilience and recovery, with the results documented as evidence you can produce on request.
Tested recovery · documented resultsFCA operational resilience & reporting.
UK regulated firms must identify their important business services, set impact tolerances, and show they can stay within them. We provide the technology backbone and the records to evidence it.
Important business services
We map the IT, data and suppliers underpinning your important business services — so you know what must stay up, and what each service depends on.
Service mapping · dependenciesImpact tolerances & testing
Evidence that your services stay within their impact tolerances during disruption — tested, documented, and ready for the regulator.
Operational resilience (PS21/3)Record-keeping & retention
Logging, retention and retrievability configured to meet FCA expectations — typically multi-year, isolated, and auditable on demand.
Multi-year retention · retrievable on demandOutsourcing & third-party oversight
Documented due diligence and ongoing oversight of your IT suppliers, in line with FCA and PRA expectations on outsourcing and operational resilience.
Due diligence · ongoing oversightAudit-ready by default.
Every control we apply is documented, every change is logged, and every figure is sourced and dated. When the regulator, an insurer or a client asks for evidence, it already exists — you don’t have to go and build it.
Compliance shouldn’t keep
you up at night.
A 30-minute call, no obligation. Tell us which framework is on your desk — Cyber Essentials, DORA, FCA — and we’ll tell you plainly where you stand.