Cyber Essentials Plus
External technical audit and full certification. The standard most prime contractors and insurers now expect.
Fixed price · enquire
System online · Accepting work for July
UK IT, cyber security & digital partner
Cyber Essentials in 30 days.
Fixed price. One partner.
Bluewater Associates is the cyber, IT and digital partner for UK SMBs of 5-100 staff. Certified in a month, supported all year, billed at a price you agreed before we started.
Direct line to a certified CE assessor
UK-based team
IASME-aligned
Fixed price, always
30-day delivery
One partner, no subcontracting
Data Protection
ICO Registered
Reg. ZC156613
NCSC / IASME
Cyber Essentials
Certified
Companies House
Registered Ltd
No. 16663061
GIAC Certified
GSEC
Security Essentials
GIAC Certified
GFACT
Foundations
One partner for IT, cyber and digital.
From the day-to-day support keeping your team productive to the web platforms keeping you visible - Bluewater is the single number to call.
Managed IT
Helpdesk, endpoint management, patching, backup and monitoring. Fixed per-user, no surprise tickets.
Fixed monthly · enquire
Microsoft 365 Setup
Tenant build, identity, mailboxes, SharePoint, Intune baseline and conditional access. Done in days, not months.
Fixed price · enquire
Website Design
Fast, accessible, on-brand sites that convert. Built on platforms you can actually maintain.
Fixed price · enquire
SEO
Technical fixes, content strategy and local search. Monthly reporting you can read in five minutes.
Fixed monthly · enquire
Web Apps & Portals
Internal tools, client portals and custom software when the off-the-shelf stack runs out of road.
Scoped & quoted
IT Audit
Full stack review - identity, endpoints, network, backups, suppliers. Risk-ranked, costed remediation plan.
Fixed price · enquire
Managed Compliance
Keep CE, CE Plus and supplier questionnaires current. We own the calendar, evidence and renewals.
Fixed monthly · enquire
Cyber Incident Response
Breach containment, forensic investigation and ICO notification handled end-to-end. Technical containment and financial forensics under one roof — so you can act fast and evidence everything.
Scoped & quoted
Financial Fraud Investigation
Invoice fraud, business email compromise and internal fraud investigated by a qualified forensic accountant. Evidence-ready reports for insurers, solicitors and police referral.
Scoped & quoted
The wedge
Cyber Essentials, done properly - in a month.
We scope, remediate, evidence and submit. You get the certificate, the policies, and a board-ready summary your customers, insurers and prime contractors actually trust.
Free · 2 minutes · no obligation
See where AI could save your business time and money.
Most UK businesses are either missing out on AI or quietly overpaying for it. Our free assessment shows you the exact workflows that would cut costs and save hours — with estimated figures — in about two minutes. No sales call needed to get your results.
Start my free assessmentFour steps, no surprises.
The same controlled delivery whether it’s a single certificate or a multi-month portal build.
Discovery call
A 15-minute call to understand your business, current stack and the outcome you actually need.
Scope & quote
Fixed-price proposal within 48 hours. Clear deliverables, timelines and what we’ll need from you.
Delivery
Weekly progress, one named point of contact, no chasing. Evidence and documentation as we go.
Handover & retainer
Full handover pack. Optional retainer keeps you certified, supported and renewed on time.
30+
Years in IT
20+
Years in delivery
48hr
Quote turnaround
About Bluewater
Built for SMBs who are tired of agency politics.
Bluewater Associates Limited was set up to do one thing well: be the single, accountable partner UK SMBs can trust for IT, cyber security and digital. Direct delivery. No surprise invoices. No handing you between account managers.
We work with founders, operations leads and finance directors at businesses of 5 to 100 staff — the ones too big for “my mate fixes our computers” and too small to be interesting to the enterprise MSPs. That’s exactly where fixed-price, properly delivered work changes how a business operates.
Headquartered on the Wirral, on the ground across Merseyside and the North West, and delivering remotely for clients across the UK.
Paul McWilliam
Director & IT Security Consultant
Leads delivery across IT infrastructure, Cyber Essentials and digital projects. Works directly with every client — no hand-offs.
Lynsey Graham
Security Consultant & Forensic Accountant
GIAC GSEC & GFACT certified. Leads cyber incident response and financial fraud investigations — providing technical and financial forensics under one engagement.
Things buyers actually ask.
If something isn’t covered here, book a 15-minute call and we’ll answer it directly.
How long does Cyber Essentials take with Bluewater?
30 days from kick-off to certificate for most SMBs. We schedule the assessment up front so there is no drift, and we sequence remediation in the order most likely to unblock submission first.
What is included in a Cyber Essentials engagement?
Gap analysis against the five CE controls, remediation guidance, policy templates written for your business, evidence gathering, IASME submission via our certified-assessor relationship, the certificate, and a board-ready summary. Fixed price quoted within 48 hours of the discovery call. No surprise add-ons.
Do you also do Cyber Essentials Plus?
Yes. CE Plus includes an external technical audit. Most clients move on to Plus 60-90 days after passing CE, once their environment is stabilised.
What if we fail the assessment?
We remediate the gaps and resubmit at no additional cost within the engagement window. Fixed price means fixed outcome - you don’t pay for our learning curve.
Who actually does the work?
Paul McWilliam and Lynsey Graham deliver directly — no outsourcing, no agency politics, no being passed between account managers. Lynsey is a GIAC-certified security consultant and qualified forensic accountant; Paul leads IT infrastructure, Cyber Essentials and digital delivery. You get both, on every relevant engagement.
Do you offer ongoing retainers after delivery?
Yes. Managed IT and Managed Compliance retainers keep you certified, supported and renewed year-round. Fixed monthly fee agreed up front, no per-ticket surprises.
What areas do you cover?
Wirral, Merseyside and the wider North West (Liverpool, Chester, Warrington, Manchester) for on-site work. Remote delivery for clients nationwide across the UK.
How do you bill?
Fixed-price projects are 50% on kick-off, 50% on certificate or handover. Retainers are billed monthly in advance by BACS or direct debit. All prices ex VAT.
What size business is Cyber Essentials right for?
Any UK organisation can certify, but Cyber Essentials is sized for SMBs of roughly 5 to 250 employees. We work most often with firms of 10-100 staff who need to win a tender, satisfy an insurer or unlock a customer’s procurement process. Smaller? Still certifiable, often quicker.
What’s the difference between Cyber Essentials and ISO 27001?
Cyber Essentials covers five specific technical controls and is a 30-day project. ISO 27001 is a full information-security management system, takes 6-12 months, costs ten to fifty times as much, and is meaningful for organisations of 100+ staff or those handling highly sensitive data. For most SMBs, CE is the right starting point and often the finishing point too.
Can we do Cyber Essentials ourselves?
Yes - the IASME self-assessment is public. Realistically, the people we work with tried and stalled because the question wording is technical, the evidence requirements are easy to misread, and a failed first submission costs you time. We do this every week, so we get to a pass first time.
What does Cyber Essentials actually cost?
Cost depends on size of estate (number of users, devices, cloud tenants), current configuration state, and whether you need Plus. We give a single fixed-price figure within 48 hours of a 15-minute discovery call - no estimates, no hourly rates, no surprise add-ons.
What documents do you need from us to start?
Almost nothing up-front: a list of staff and devices, admin access to your Microsoft 365 / Google Workspace tenant, and a single point of contact who can answer questions. We bring the policy templates, evidence framework and assessor relationship.
Does Cyber Essentials cover Microsoft 365 and cloud services?
Yes. Anything in scope of your day-to-day work is covered - M365, Google Workspace, AWS, Azure, line-of-business SaaS. We configure conditional access, MFA, identity protection and device baselines as part of the engagement.
How long is a Cyber Essentials certificate valid?
12 months. Annual recertification is required to stay listed on the IASME register and to keep insurance/procurement claims valid. Our Managed Compliance retainer keeps the calendar, evidence and renewal automatic.
Do we need to be a UK company to certify?
Cyber Essentials is administered by IASME under contract with the UK NCSC. Non-UK organisations can certify if they have a UK operation or want to bid for UK public-sector or supply-chain work. If you’re unsure, ask - we’ll tell you straight.
What about SOC 2 compliance?
SOC 2 is a US framework published by the AICPA, designed for American service organisations that store or process customer data. It is not a UK requirement and the vast majority of UK SMBs will never be asked for it. If your compliance question is coming from a UK customer, insurer or supply chain, Cyber Essentials and ISO 27001 are the right answers. If you genuinely have a US enterprise buyer demanding SOC 2, that is a specialist engagement outside our scope - we will tell you straight and point you to the right people rather than take on work we are not set up to deliver.
Recent engagements, in their words.
Two fixed-price engagements delivered to the day. Same pattern: scope inside 48 hours, single point of contact, no surprises.
Bluewater took Cyber Essentials off our hands and gave us back a working IT setup at the same time. Fixed price, no surprises, certificate in the window they said.
We needed Cyber Essentials to keep ourselves on the right side of main contractor pre-qualifications, and we needed our day-to-day IT properly set up rather than held together with goodwill. Bluewater scoped both inside 48 hours, gave us a single fixed price, and ran the whole engagement from one point of contact. No being passed around, no scope creep, no chasing.
The certificate landed inside the 30 day window. Just as useful, our user accounts, devices, mailboxes and access controls were tidied up at the same time, so we came out of it with a setup that actually holds up under scrutiny rather than just a badge on the wall. Anyone in construction or site services who's tired of agency politics around IT and compliance should be talking to them.
We needed Cyber Essentials and a proper Microsoft 365 setup we could actually trust with sensitive data. Bluewater delivered both, on a fixed price, without the usual back and forth.
Care sector data carries a high bar. We came to Bluewater with two problems running in parallel: getting Cyber Essentials certified, and standing up Microsoft 365 properly with Entra ID, SharePoint structured around our teams, and permissions that reflected who should see what. They scoped it as one engagement, quoted it as one fixed price, and delivered both inside the timeline.
What stood out was the lack of drama. Configuration was handled, policies were written for our business rather than dropped in from a template library, and the SharePoint structure is something staff can actually use day to day. The certificate is on the wall, the tenant is locked down, and we have a single number to call when anything changes. Genuinely the easiest IT and compliance project we've run.
Next step
Get certified. Stay supported.
Book a 15-minute discovery call and walk away with a fixed-price proposal inside 48 hours - or run the free readiness check first and see exactly where you stand.