{"id":2171,"date":"2026-06-03T16:57:45","date_gmt":"2026-06-03T16:57:45","guid":{"rendered":"https:\/\/move2modern.uk\/?p=2171"},"modified":"2026-06-03T17:21:21","modified_gmt":"2026-06-03T17:21:21","slug":"cyber-essentials-vs-cis-v-zero-trust-where-should-uk-smes-start-with-cyber-security","status":"publish","type":"post","link":"https:\/\/move2modern.uk\/index.php\/2026\/06\/03\/cyber-essentials-vs-cis-v-zero-trust-where-should-uk-smes-start-with-cyber-security\/","title":{"rendered":"Cyber Essentials vs CIS v Zero Trust: Where Should UK SMEs Start with Cyber Security?"},"content":{"rendered":"\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" width=\"1024\" height=\"683\" src=\"https:\/\/move2modern.uk\/wp-content\/uploads\/2026\/06\/Designer-17-1-1024x683.png\" alt=\"\" class=\"wp-image-2181\" srcset=\"https:\/\/move2modern.uk\/wp-content\/uploads\/2026\/06\/Designer-17-1-1024x683.png 1024w, https:\/\/move2modern.uk\/wp-content\/uploads\/2026\/06\/Designer-17-1-300x200.png 300w, https:\/\/move2modern.uk\/wp-content\/uploads\/2026\/06\/Designer-17-1-768x512.png 768w, https:\/\/move2modern.uk\/wp-content\/uploads\/2026\/06\/Designer-17-1-120x80.png 120w, https:\/\/move2modern.uk\/wp-content\/uploads\/2026\/06\/Designer-17-1.png 1536w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">As a <strong>Modern Workplace Architect and Microsoft MVP<\/strong>, working directly with SMEs across the UK, one truth comes up again and again:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p class=\"has-text-color has-link-color wp-elements-e7e17bb236f1ee4656babf6b601cb139 wp-block-paragraph\" style=\"color:#15157c\"><strong>Most organisations know their security isn\u2019t where it should be, but they don\u2019t actually have a clear way forward or even know where to start.<\/strong><\/p>\n<\/blockquote>\n\n\n\n<p 
class=\"wp-block-paragraph\"><strong>YES<\/strong> there\u2019s awareness of the need for additional security.<br><strong>YES<\/strong> there\u2019s concern from IT and the CTO.<br><strong>AND<\/strong> sometimes even urgency.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">But having clarity is important, because when digging into environments the challenge isn\u2019t always a lack of tools; it\u2019s more about a lack of understanding. By this I mean:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>What \u201csecure\u201d actually looks like in a modern Microsoft estate<\/li>\n\n\n\n<li>Which risks genuinely matter versus noise<\/li>\n\n\n\n<li>How far current configurations are from an acceptable baseline<\/li>\n<\/ul>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p class=\"has-text-color has-link-color wp-elements-b319e3e5b69133c519ac22fde826dc4d wp-block-paragraph\" style=\"color:#15157c\"><strong>Cyber security is no longer just an enterprise problem.<\/strong><\/p>\n<\/blockquote>\n\n\n\n<p class=\"wp-block-paragraph\">Smaller organisations are not exempt and in some ways are now the main targets. <strong>Why<\/strong>? Because attackers don\u2019t need to go after the hardest target. 
They go after the <strong>easiest one<\/strong> and more often than not, that comes down to:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Misconfigured devices<\/li>\n\n\n\n<li>Weak access controls<\/li>\n\n\n\n<li>Outdated systems<\/li>\n\n\n\n<li>Or simply a lack of a defined, managed security baseline or<\/li>\n\n\n\n<li>Unaddressed security fundamentals<\/li>\n<\/ul>\n\n\n\n<h1 class=\"wp-block-heading\"><strong>The real issue: security maturity, not awareness<\/strong><\/h1>\n\n\n\n<p class=\"wp-block-paragraph\">What I consistently see across SME environments is this:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Microsoft tooling is deployed (M365, Intune, Defender)<br>Baselines have <strong>not<\/strong> been<strong> <\/strong>fully implemented<br>Controls have been configured <strong>inconsistently<\/strong><br><strong>No<\/strong> ongoing validation or governance is followed<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>The result:<\/strong> This can create a dangerous position:<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">SME Cyber Reality (UK)<\/h2>\n\n\n\n<pre class=\"wp-block-code\"><code>Cyber Attacks Experienced (UK SMEs)\n-----------------------------------\nYes      \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588  43\u201367%\nNo       \u2588\u2588\u2588\u2588\u2588\u2588           33\u201357%\n\nMost Common Attack Type\n-----------------------------------\nPhishing \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588  85%\nOther    \u2588\u2588\u2588\u2588                     15%\n\nSecurity Control Impact\n-----------------------------------\nWith Cyber Essentials    \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588  Much lower risk\nWithout baseline         \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588  
High risk\n<\/code><\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">In other words, <strong>2 in 3 SMEs will be attacked, <\/strong>but most breaches still come down to basic security gaps.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Now that I&#8217;ve hopefully defined where the issue is, in this blog I want to walk you through a practical way to understand what you need to know and how to build a structured plan to address it. With multiple frameworks, certifications and conflicting advice, it&#8217;s important to know where to start. The good news is that you don\u2019t need a large internal team or a huge budget to make a plan and move forward. When it comes to your data and device management exposure, that&#8217;s where <strong>Cyber Essentials<\/strong> \/ <strong>CIS<\/strong> and <strong>Zero Trust<\/strong> compliance can help.<\/p>\n\n\n\n<h1 class=\"wp-block-heading\">Understanding Cyber Essentials (and why it exists)<\/h1>\n\n\n\n<p class=\"wp-block-paragraph\">Cyber Essentials is a UK Government-backed certification designed to help organisations implement a core set of security controls. Put simply, its purpose is to provide a <strong>baseline framework<\/strong> focused on protecting businesses from the most common types of cyber attack. Rather than being theoretical, it gives you a practical checklist of controls to implement across your environment. 
<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Important<\/strong> &#8211; While it is UK Government-backed, CE still applies to any non-UK company looking to shore up its security posture.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/www.ncsc.gov.uk\/cyberessentials\/overview\">https:\/\/www.ncsc.gov.uk\/cyberessentials\/overview<\/a><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">The five key areas covered by CE:<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Boundary protection (firewalls and secure access points)<\/li>\n\n\n\n<li>Secure configuration of devices and systems<\/li>\n\n\n\n<li>Control over user access and privileges<\/li>\n\n\n\n<li>Malware protection<\/li>\n\n\n\n<li>Keeping systems updated with patches<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">You might want to think of Cyber Essentials as:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p class=\"has-text-color has-link-color wp-elements-91fdadb00fbea13739f7423b692ee395 wp-block-paragraph\" style=\"color:#15157c\"><strong>\u201cThe minimum standard every UK business should meet to operate securely.\u201d<\/strong><\/p>\n<\/blockquote>\n\n\n\n<p class=\"wp-block-paragraph\">It establishes a foundational level of protection, meaning it doesn&#8217;t define the strictest policies, but it is just enough to reduce exposure to everyday threats. 
So it is definitely your starting point.<\/p>\n\n\n\n<h1 class=\"wp-block-heading\">Why Cyber Essentials matters (especially now)<\/h1>\n\n\n\n<p class=\"wp-block-paragraph\">For me, an important point to get across if you are looking at this is that Cyber Essentials isn\u2019t just about compliance; it also materially lowers your risk.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Most attacks facing SMEs today are:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Opportunistic<\/li>\n\n\n\n<li>Automated<\/li>\n\n\n\n<li>Designed to exploit basic weaknesses<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">By addressing these weaknesses, I see organisations dramatically reducing the likelihood of compromise. Looking at the wider picture, it also plays an increasing commercial role for your company:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-white-background-color has-background has-fixed-layout\"><tbody><tr><th><strong>Outcome<\/strong><\/th><th><strong>Business Impact<\/strong><\/th><\/tr><tr><td>Achieve baseline certification<\/td><td>Opens doors to public sector and regulated contracts<\/td><\/tr><tr><td>Align to industry expectations<\/td><td>Reduces friction in supplier and partner due diligence<\/td><\/tr><tr><td>Demonstrate security maturity<\/td><td>Builds trust with customers and stakeholders<\/td><\/tr><tr><td>Define \u201csecure by default\u201d<\/td><td>Removes ambiguity around what good looks like<\/td><\/tr><tr><td>Assess and measure risk<\/td><td>Enables consistent, repeatable security reviews<\/td><\/tr><tr><td>Validate your environment<\/td><td>Provides evidence of your security posture externally<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">For many SMEs, this clarity alone is one of the biggest benefits.<\/p>\n\n\n\n<h1 class=\"wp-block-heading\">Where CIS fits<\/h1>\n\n\n\n<p class=\"wp-block-paragraph\">While Cyber Essentials provides a baseline, the <strong>CIS Critical Security 
Controls<\/strong> (from the Center for Internet Security) take a broader and more detailed approach.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/www.cisecurity.org\">https:\/\/www.cisecurity.org<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">CIS is:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>More technical<\/li>\n\n\n\n<li>More granular<\/li>\n\n\n\n<li>Designed to scale into mature security programmes<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">It expands beyond the Cyber Essentials scope and introduces controls around:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Continuous monitoring<\/li>\n\n\n\n<li>Asset inventory and classification<\/li>\n\n\n\n<li>Incident detection and response<\/li>\n\n\n\n<li>Security logging and analysis<\/li>\n\n\n\n<li>Advanced user and privilege management<\/li>\n<\/ul>\n\n\n\n<h1 class=\"wp-block-heading\">Cyber Essentials vs CIS <\/h1>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><tbody><tr><th>Area<\/th><th>Cyber Essentials<\/th><th>CIS Controls<\/th><\/tr><tr><td>Purpose<\/td><td>Baseline certification (UK-focused)<\/td><td>Comprehensive security framework<\/td><\/tr><tr><td>Complexity<\/td><td>Low to moderate<\/td><td>Moderate to high<\/td><\/tr><tr><td>Target audience<\/td><td>SMEs, public sector supply chains<\/td><td>SMEs \u2192 enterprise (scalable)<\/td><\/tr><tr><td>Approach<\/td><td>Checklist-based<\/td><td>Maturity-based (phased controls)<\/td><\/tr><tr><td>Certification<\/td><td>Yes (Cyber Essentials Plus)<\/td><td>No formal certification model<\/td><\/tr><tr><td>Depth<\/td><td>Foundational<\/td><td>Operational + advanced<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h1 class=\"wp-block-heading\">CIS vs Zero Trust &#8211; Alternative approach or natural progression?<\/h1>\n\n\n\n<p class=\"wp-block-paragraph\">With CIS security established (if you choose to follow this route, that is), the next natural question worth asking is: where does <strong>Zero 
Trust<\/strong> fit alongside <strong>CIS<\/strong>?<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">As a simple rule of thumb, and this is where confusion can happen, CIS and Zero Trust are actually <strong>not<\/strong> competing options; in fact, they operate at different layers of your security strategy. CIS Controls provide a structured, prioritised set of actions that help you secure your environment. They define <em>what controls should exist<\/em> across areas like device management, access control, monitoring, and data protection.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Both, however, do manage the security posture of your environment, so from that perspective there is an overlap, but Zero Trust does not follow a checklist or provide a certification.<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p class=\"has-text-color has-link-color wp-elements-35437223735fab2c91ca35b0ef9c5adc wp-block-paragraph\" style=\"color:#15157c\">Zero-Trust is essentially a <strong>security model and operating philosophy<\/strong> built around the idea that <em>nothing should be implicitly trusted and everything must be verified continuously<\/em>.<\/p>\n<\/blockquote>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<p class=\"wp-block-paragraph\">The key difference is:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>CIS focuses on implementing security-based controls<\/li>\n\n\n\n<li>Zero Trust focuses on how those controls are enforced and validated in real time.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">So is Zero Trust an alternative to CIS?<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">This is where most organisations get it wrong, as Zero Trust is not an alternative to CIS, but you could see it as a natural progression from it.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">CIS gives you the <strong>foundation<\/strong> with:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Visibility of 
assets<\/li>\n\n\n\n<li>Defined access controls<\/li>\n\n\n\n<li>Security baselines<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Zero Trust, on the other hand, builds on that foundation by introducing:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Continuous verification of users and devices<\/li>\n\n\n\n<li>Dynamic, risk-based access decisions<\/li>\n\n\n\n<li>A mindset of <em>\u201cassume breach\u201d<\/em> rather than <em>\u201ctrust by default\u201d<\/em><\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h3 class=\"wp-block-heading\">One way to think about it is:<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">For most SMEs, this isn\u2019t a choice; instead, it&#8217;s a planned journey following a progressive path:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p class=\"has-text-color has-link-color wp-elements-e157646d88458650b98c077f3ffeb52b wp-block-paragraph\" style=\"color:#15157c\">Use Cyber Essentials \u2192 Establish a baseline<br>Move to CIS Controls \u2192 To add structure and maturity<br>And adopt the Zero Trust philosophy \u2192 Enforce, validate and continuously secure<\/p>\n<\/blockquote>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">When should SMEs choose one over the other?<\/h1>\n\n\n\n<p class=\"wp-block-paragraph\">As a high-level guide, use the following as a starting point to build upon. 
<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Start with Cyber Essentials if:<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>You don\u2019t currently have a structured security framework<\/li>\n\n\n\n<li>You need a recognised certification for customers or tenders<\/li>\n\n\n\n<li>You want to reduce immediate risk quickly<\/li>\n\n\n\n<li>You lack internal security expertise<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Cyber Essentials will provide your organisation with a <strong>fast, accessible <\/strong>way to stabilise your environment.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Then move towards CIS if:<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>You\u2019ve already implemented the basics<\/li>\n\n\n\n<li>You need deeper visibility and control<\/li>\n\n\n\n<li>You\u2019re scaling or handling more sensitive data<\/li>\n\n\n\n<li>You want a more proactive, operational security model<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">CIS can help you move from:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p class=\"has-text-color has-link-color wp-elements-0976213befdf699bbcd3930371083923 wp-block-paragraph\" style=\"color:#15157c\"><strong>\u201cWe are protected\u201d \u2192 \u201cWe are continuously improving and detecting threats.\u201d<\/strong><\/p>\n<\/blockquote>\n\n\n\n<h1 class=\"wp-block-heading\">Honestly: frameworks alone don\u2019t solve the problem<\/h1>\n\n\n\n<p class=\"wp-block-paragraph\">A common mistake organisations make is focusing on frameworks without understanding their actual environment.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Frameworks don\u2019t show you:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>What devices are truly exposed<\/li>\n\n\n\n<li>Where permissions are excessive<\/li>\n\n\n\n<li>Whether controls are consistently applied<\/li>\n\n\n\n<li>How identity, data and devices interact<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">In modern environments 
and especially with Microsoft 365 and Intune estates, the risk often comes from configuration, not absence of tools.<\/p>\n\n\n\n<h1 class=\"wp-block-heading\">Why Zero Trust changes the approach<\/h1>\n\n\n\n<p class=\"wp-block-paragraph\">Zero Trust moves beyond checklist compliance and reframes security around a simple principle:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p class=\"has-text-color has-link-color wp-elements-a5213e42ce22e63ee5ded40b22c5a495 wp-block-paragraph\" style=\"color:#15157c\"><strong>\u201cNever trust, always verify.\u201d<\/strong><\/p>\n<\/blockquote>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/www.microsoft.com\/en-us\/security\/business\/zero-trust\">https:\/\/www.microsoft.com\/en-us\/security\/business\/zero-trust<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Instead of assuming anything inside your network is safe, Zero Trust focuses on:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Verifying every identity<\/li>\n\n\n\n<li>Validating device health before access<\/li>\n\n\n\n<li>Protecting data wherever it lives<\/li>\n\n\n\n<li>Monitoring continuously for abnormal behaviour<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">For most SMEs, this doesn\u2019t require building out new platforms; it just takes utilising your existing Microsoft capabilities correctly.<\/p>\n\n\n\n<h1 class=\"wp-block-heading\">The missing step: assessing your environment properly<\/h1>\n\n\n\n<p class=\"wp-block-paragraph\">As with most improvements, knowing where you are currently helps you measure your progress. 
Before deciding between Cyber Essentials, CIS, or Zero Trust, having clarity on these goes a long way:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>What assets exist<\/li>\n\n\n\n<li>How devices are configured<\/li>\n\n\n\n<li>Where risks and gaps actually sit<\/li>\n\n\n\n<li>What maturity level they\u2019re currently operating at<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Without this visibility, you could risk:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Over-investing in unnecessary tools<\/li>\n\n\n\n<li>Missing critical misconfigurations<\/li>\n\n\n\n<li>Failing audits despite having \u201ccoverage\u201d<\/li>\n<\/ul>\n\n\n\n<h1 class=\"wp-block-heading\">A practical approach then<\/h1>\n\n\n\n<p class=\"wp-block-paragraph\">A structured path for most UK SMEs looks like this:<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Step 1 \u2014 Establish visibility<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Understand your environment through an assessment:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Devices<\/li>\n\n\n\n<li>Identities<\/li>\n\n\n\n<li>Data access<\/li>\n\n\n\n<li>Security controls<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Step 2 \u2014 Apply baseline controls<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Use Cyber Essentials as your foundation:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Fix basic hygiene issues<\/li>\n\n\n\n<li>Align to a recognised minimum standard<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Step 3 \u2014 Mature with CIS principles<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Introduce:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Monitoring<\/li>\n\n\n\n<li>Logging<\/li>\n\n\n\n<li>Detection<\/li>\n\n\n\n<li>Risk-based controls<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Step 4 \u2014 Evolve into Zero Trust<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Align security across:<\/p>\n\n\n\n<ul 
class=\"wp-block-list\">\n<li>Devices<\/li>\n\n\n\n<li>Identity<\/li>\n\n\n\n<li>Applications<\/li>\n\n\n\n<li>Data<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h1 class=\"wp-block-heading\">Final thoughts<\/h1>\n\n\n\n<p class=\"wp-block-paragraph\">Cyber security doesn\u2019t need to start with complexity.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">For most SMEs, Cyber Essentials gives you <strong>clarity and a strong starting point. <\/strong>By building on top of this with CIS controls, you will get more depth and structure, but also more policy configuration. First assessing, then following the Zero-Trust philosophy, can introduce the required consistency across your entire environment. It&#8217;s important to know that there is no prescribed order here; you need to decide where you are and which option to follow. I would recommend using a skilled resource or company to help you understand where your business stands today, make the right decisions and always start with a pilot configuration. 
I&#8217;d also always recommend adopting a Zero-Trust approach <strong>regardless<\/strong> and using the different controls of the other two to decide the level of security best for you.<\/p>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n","protected":false},"excerpt":{"rendered":"<p>As a Modern Workplace Architect and Microsoft MVP, working directly with SMEs across the UK, one truth comes up again and again: Most organisations know<\/p>\n","protected":false},"author":1,"featured_media":2180,"comment_status":"open","ping_status":"open","sticky":true,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"footnotes":""},"categories":[3,7,14],"tags":[],"class_list":["post-2171","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-intune","category-m365","category-security"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/move2modern.uk\/index.php\/wp-json\/wp\/v2\/posts\/2171","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/move2modern.uk\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/move2modern.uk\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/move2modern.uk\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/move2modern.uk\/index.php\/wp-json\/wp\/v2\/comments?post=2171"}],"version-history":[{"count":13,"href":"https:\/\/move2modern.uk\/index.php\/wp-json\/wp\/v2\/posts\/2171\/revisions"}],"predecessor-version":[{"id":2187,"href":"https:\/\/move2modern.uk\/index.php\/wp-json\/wp\/v2\/posts\/2171\/revisions\/2187"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/move2modern.uk\/index.php\/wp-json\/wp\/v2\/media\/2180"}],"wp:attachment":[{"href":"https:\/\/move2modern.uk\/index.php\/wp-json\/wp\/v2\/media?parent=2171"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/move2modern.uk\/index.php\/wp-json\/wp\/v2\/categories?post=2
171"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/move2modern.uk\/index.php\/wp-json\/wp\/v2\/tags?post=2171"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}