Cyber Essentials isn’t something most people associate with the trades. Gas engineers, electricians, building contractors — the assumption is that cybersecurity certification is for financial services firms or tech companies, not businesses that spend their days on site.
But that assumption is changing, and fast.
One of our clients, a multi-trade company covering gas, electrical, and building work, with around 30 office-based staff, came to us with a familiar situation. Contracts were starting to ask questions about cybersecurity. Tender documents that previously had no mention of IT were beginning to include requirements around data handling and security standards. Cyber Essentials was coming up by name.
We’d already been recommending they look at it. The contract pressure made the timing clear.
Where they were starting from
Because they were already on our managed support, their IT was in good shape. Systems were being monitored, maintained, and looked after properly. The foundations were solid.
Cyber Essentials certification, though, has specific technical requirements that go beyond standard managed IT. To pass the assessment, devices accessing company data need to be enrolled in MDM, provably compliant, and subject to access controls that can be formally demonstrated. That’s a distinct piece of work that sits on top of day-to-day support, and it’s what we turned our attention to.
What the work looked like
We extended the existing setup by rolling out Microsoft Intune across the fleet, configuring compliance policies aligned to the Cyber Essentials controls, and implementing Conditional Access rules so that only managed, compliant devices could access company systems.
For a business with around 30 office-based staff spread across different sites and job types, this needs to be done carefully. Policies need to work in practice, not just on paper, and the rollout needs to happen without disrupting the team’s day-to-day work. We handled the technical configuration and made sure the transition was smooth.
From starting that work to passing the Cyber Essentials assessment took a few weeks.
What it meant for the business
Passing the certification was the obvious outcome. But the more meaningful one is what it unlocks going forward.
Tenders that ask about cybersecurity now have a clear answer. Clients who want to know how their data is being handled can be pointed to a recognised, independently assessed standard. In a sector where trust is built largely through reputation and word of mouth, being able to demonstrate that level of due diligence matters more than it might appear.
Why this matters beyond the trades
The reason this case is worth writing about isn’t specific to building and gas work. It’s that Cyber Essentials is quietly becoming a baseline expectation across more sectors than people realise.
If you work with local authorities, housing associations, NHS-adjacent organisations, or larger private companies, the chances are good that somewhere in the procurement process, security credentials are either already being asked for or will be soon.
Getting there doesn’t have to take months or disrupt how your business operates. For businesses that are already well managed, the additional work to reach Cyber Essentials standard is often more straightforward than expected.
If you’re not sure where you stand, a straightforward IT audit will tell you.