
Cyber Essentials Plus Certification for Medical Provider

RMI is a global provider of medical and safety services for complex and remote environments – supporting NHS contracts, government agencies, NGOs, and commercial clients across the UK and US.

When an NHS procurement requirement demanded Cyber Essentials Plus certification, RMI had weeks to close critical gaps across a globally distributed, BYOD-heavy, cloud-first workforce. Benchmarked delivered certification on the first attempt.

Cyber Essentials Plus Certification for Remote Medical International

Certified First Attempt. 45% IT Cost Reduction. Zero Audit Failures.

Benchmarked delivered a full-service Cyber Essentials Plus readiness program – from gap analysis and policy overhaul to infrastructure hardening and hands-on certification support – across RMI’s distributed, multi-country operation with 50+ devices and 30+ cloud services.


Cyber Essentials Plus Certified First Attempt
RMI passed the IASME-accredited technical audit with zero non-conformities - meeting NHS procurement requirements and unlocking continued eligibility for government contracts.

45% IT Cost Optimization
Benchmarked's infrastructure review revealed RMI was paying over 50% more than necessary for lower-quality services. Vendor rationalization, license optimization, and infrastructure tuning delivered 45% cost savings.

20+ Policies Created or Revised
From risk management and access control to incident response and BYOD guidelines - a complete cybersecurity governance framework built from near-zero documentation to full CE+ compliance.

Why Certification Was Non-Negotiable

RMI isn't a typical office-based business. They deploy medical teams and safety personnel to remote, complex, and often hostile environments worldwide. Their data includes patient health information, government contract details, personnel records, and operational logistics across multiple countries.

When the NHS Countess of Chester Trust required Cyber Essentials Plus as a procurement prerequisite, the clock started ticking.

The Real Risk

Everything Was on the Line

The consequences of failing to achieve certification - or suffering a breach during the process - extended across RMI's entire business:

  • Loss of NHS contract eligibility - the Countess of Chester Trust requirement was a hard gate. No certification, no contract. And once lost, regaining trust with government procurement is exceptionally difficult.
  • Data breach exposure - patient health data, government contract details, and personnel records across multiple jurisdictions. A breach would trigger mandatory disclosure under UK GDPR, potential regulatory action, and reputational damage with government clients.
  • Privileged account compromise - ungoverned admin access across cloud platforms and devices meant a single compromised account could cascade across the entire infrastructure.
  • Regulatory cascade - failing Cyber Essentials Plus wouldn't just lose one contract. It would signal to every current and prospective government client that RMI's security posture was below the minimum acceptable standard.

The Problem

A Globally Distributed Workforce With No Formal Cybersecurity Framework

RMI had a functioning IT environment - but it had grown around operational speed, not security governance. The gap between where they were and where Cyber Essentials Plus required them to be was significant:

  • Incomplete security policy documentation. Policies for risk management, removable media, backups, incident response, and secure configuration either didn't exist or existed as outdated drafts that didn't reflect actual practice.
  • No centralized endpoint management. 50+ end-user devices - a mix of corporate and BYOD laptops, desktops, and mobile phones - running varied OS versions with no centralized patching, configuration management, or security baseline.
  • Outdated antivirus with no XDR or DLP. Legacy antivirus software was the only endpoint protection in place. No extended detection and response. No data loss prevention. No real-time threat visibility across the fleet.
  • Gaps in access control and privilege management. Administrative access was not formally governed. No principle of least privilege. No documented process for granting, reviewing, or revoking elevated access.
  • 30+ cloud services with no centralized visibility. Microsoft 365, Salesforce, AWS, Concur, and dozens of other SaaS platforms - each with its own security model, shared responsibility implications, and access configuration.
  • No MFA enforcement. Cloud services and critical business systems were accessible with passwords alone - leaving every account one phished or reused password away from compromise, the most commonly exploited weakness in a distributed workforce.
  • BYOD complexity. Personal devices used for work without formal BYOD policies, device registration, or security requirements - expanding the attack surface beyond anything RMI could see or control.
  • No formal training or awareness program. Security responsibilities, acceptable use, and incident reporting procedures were not documented or communicated to the workforce.
  • Remote and home-office workers out of scope. The cybersecurity perimeter - to the extent one existed - stopped at the office door. Home offices, remote deployments, and field operations were effectively ungoverned.

Infrastructure Review & Hardening

  • Inventoried and reviewed 50+ end-user devices - documenting OS versions, patch levels, security configurations, and compliance status for every machine in scope
  • Documented all network infrastructure: firewalls (SonicWall TZ470), switches, access points, and network segmentation - assessing configuration against CE+ requirements
  • Mapped 30+ cloud services (Microsoft 365, Salesforce, AWS, Concur, and others) - reviewing shared responsibility models, vendor security commitments, and access configurations
  • Implemented the five core CE+ technical controls across the entire environment:
    • Firewalls & Internet Gateways - boundary and device firewalls configured to block untrusted access, with only essential ports open and documented
    • Secure Configuration - devices and software hardened by disabling unnecessary services, removing default accounts, and tightly controlling admin privileges
    • User Access Control - accounts assigned on the principle of least privilege, admin accounts restricted to necessary use only, MFA enforced across all cloud services
    • Malware Protection - legacy antivirus replaced with modern endpoint protection across all devices, with application control and execution policies
    • Security Update Management - patch automation implemented with high/critical updates applied within 14 days, OS and firmware updates tracked centrally
  • Enabled software firewalls and IDS/IPS capabilities across the device fleet
  • Created a real-time asset registry - replacing the previous manual, partially-documented inventory with a live view of all devices, their security state, and their compliance status
  • Extended scope to cover remote and home-office workers - ensuring every endpoint, regardless of location, met the same security baseline
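The asset registry and the five control themes above are the kind of thing an assessor asks to see evidence for device by device. The script below is an added example written for this page, not Benchmarked's or RMI's tooling: it reads a constructed registry export (three made-up devices, one JSON object per line, with field names assumed for the example rather than taken from any real MDM or CE+ evidence schema) and reports which devices fail which Cyber Essentials control. The 14-day patch window is the Cyber Essentials requirement; the 7-day limit on anti-malware definition age is an assumed in-house threshold, since the standard only says definitions must be kept up to date.

```python
"""Check a device asset registry against the five Cyber Essentials technical
control themes (firewalls, secure configuration, user access control, malware
protection, security update management)."""
from __future__ import annotations

import json
from collections import Counter
from dataclasses import dataclass
from datetime import date

# Cyber Essentials requires high/critical updates applied within 14 days of release.
PATCH_WINDOW_DAYS = 14
# Assumed in-house threshold for stale anti-malware definitions (CE only says
# "kept up to date"; the 7-day figure is an example policy, not a CE number).
DEFS_MAX_AGE_DAYS = 7

# Constructed registry export, one JSON object per line. The field names are an
# assumption for this example, not a real MDM or CE+ evidence schema.
SAMPLE_REGISTRY = """\
{"host": "LAP-001", "user": "a.smith", "os": "Windows 11 23H2", "supported": true, "firewall": true, "av_defs": "2024-05-10", "pending_critical_since": null, "admin_accounts": ["local-admin"], "mfa": true, "autorun": false, "default_accounts": []}
{"host": "LAP-002", "user": "b.jones", "os": "Windows 10 21H2", "supported": false, "firewall": true, "av_defs": "2024-03-02", "pending_critical_since": "2024-04-09", "admin_accounts": ["b.jones"], "mfa": false, "autorun": true, "default_accounts": ["Guest"]}
{"host": "MAC-003", "user": "c.lee", "os": "macOS 14.4", "supported": true, "firewall": false, "av_defs": "2024-05-11", "pending_critical_since": null, "admin_accounts": ["c.lee"], "mfa": true, "autorun": false, "default_accounts": []}
"""


@dataclass(frozen=True)
class Finding:
    host: str
    control: str
    detail: str


def days_since(iso_day: str, today: date) -> int:
    return (today - date.fromisoformat(iso_day)).days


def check_device(d: dict, today: date) -> list[Finding]:
    """Return one Finding per failed CE control check for a single device."""
    host = d["host"]
    out: list[Finding] = []

    # Firewalls: every device in scope needs a host-based firewall enabled.
    if not d["firewall"]:
        out.append(Finding(host, "firewalls", "host firewall disabled"))

    # Secure configuration: supported OS, vendor default accounts removed, autorun off.
    if not d["supported"]:
        out.append(Finding(host, "secure_configuration", f"unsupported OS: {d['os']}"))
    if d["default_accounts"]:
        out.append(Finding(host, "secure_configuration",
                           "default accounts present: " + ", ".join(d["default_accounts"])))
    if d["autorun"]:
        out.append(Finding(host, "secure_configuration", "autorun/autoplay enabled"))

    # User access control: the day-to-day account must not hold admin rights,
    # and cloud services must enforce MFA.
    if d["user"] in d["admin_accounts"]:
        out.append(Finding(host, "user_access_control",
                           f"daily-use account {d['user']} has administrative rights"))
    if not d["mfa"]:
        out.append(Finding(host, "user_access_control", "MFA not enforced for cloud accounts"))

    # Malware protection: definitions must be current (threshold is the assumed policy above).
    age = days_since(d["av_defs"], today)
    if age > DEFS_MAX_AGE_DAYS:
        out.append(Finding(host, "malware_protection", f"anti-malware definitions {age} days old"))

    # Security update management: no high/critical update outstanding past 14 days.
    if d["pending_critical_since"] is not None:
        overdue = days_since(d["pending_critical_since"], today)
        if overdue > PATCH_WINDOW_DAYS:
            out.append(Finding(host, "security_updates",
                               f"critical update outstanding for {overdue} days"))
    return out


def evaluate_registry(registry_jsonl: str, today_iso: str) -> dict:
    """Evaluate every device and summarise the results for an audit evidence pack."""
    today = date.fromisoformat(today_iso)
    devices = [json.loads(line) for line in registry_jsonl.splitlines() if line.strip()]
    findings = [f for d in devices for f in check_device(d, today)]
    failed_hosts = sorted({f.host for f in findings})
    return {
        "devices": len(devices),
        "compliant": len(devices) - len(failed_hosts),
        "noncompliant_hosts": failed_hosts,
        "by_control": dict(Counter(f.control for f in findings)),
        "findings": findings,
    }


if __name__ == "__main__":
    report = evaluate_registry(SAMPLE_REGISTRY, "2024-05-12")
    print(f"{report['compliant']}/{report['devices']} devices compliant")
    for f in report["findings"]:
        print(f"  {f.host:8} {f.control:22} {f.detail}")
```

Run against the constructed data with an assessment date of 2024-05-12, only LAP-001 passes: LAP-002 fails on an unsupported OS, a leftover Guest account, autorun, a daily-use admin account, no MFA, stale definitions and a critical update 33 days overdue, while MAC-003 fails on its disabled firewall and admin rights on the user's own account. The useful property for an audit is that every failure names the control theme it breaks, so the same output doubles as the remediation list and the evidence of closure once the registry is re-exported.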

The Solution

Three-Phase Certification: Analysis, Hardening, Certification

Benchmarked delivered a structured, three-phase Cyber Essentials Plus readiness program - designed to close every gap, harden every system, and prepare RMI for technical audit. All delivered in a fractional engagement model that significantly reduced cost compared to traditional consultancies.

Cyber Gap Analysis & Policy Overhaul

  • Conducted a detailed comparison between RMI's existing cybersecurity controls and version 3.1 of the Cyber Essentials requirements (the question set a Cyber Essentials Plus audit tests against) - documenting every gap, every partial control, and every missing requirement
  • Created or revised 20+ cybersecurity policies including:
    • Risk Assessment and Vulnerability Management
    • Secure Configuration and Software Installation Control
    • Access Control and Privilege Management
    • Information Security Governance
    • Incident Response and Reporting
    • BYOD and Remote Working Guidelines
    • Removable Media Policy
    • Backup and Recovery Policy
    • Acceptable Use and Disciplinary Procedures
  • Defined roles and responsibilities for security governance - assigning clear ownership for every control area rather than leaving security as "everyone's job" (which means no one's job)
  • All policies were customized to RMI's hybrid, cloud-first, multi-country operating model - not generic templates dropped in from another industry

Certification Preparation & Support

  • Prepared a detailed Cyber Implementation Plan (CIP) addressing every "Not Met" control identified in the gap analysis - with implementation evidence for each
  • Implemented all solutions and requirements before audit - Benchmarked didn't just document what needed to change; we executed every change
  • Ensured full coverage of remote, home-office, and internationally deployed workers - the most complex scoping challenge in RMI's certification
  • Coordinated with the IASME-accredited certification body for audit scheduling, evidence preparation, and remediation support
  • Provided hands-on support during the technical audit - ensuring RMI's team was prepared for assessor questions and could demonstrate live controls

IT Cost Optimization

  • Reviewed RMI's entire vendor and licensing landscape during the infrastructure assessment
  • Identified that RMI was paying over 50% more than necessary for lower-quality services across multiple categories
  • Delivered 45% IT cost optimization through vendor rationalization, license consolidation, and infrastructure tuning
  • Implemented optimized disaster recovery and backup strategies - replacing ad hoc backup practices with structured, tested recovery procedures

Team Enablement

  • Delivered security awareness training aligned to CE+ requirements - ensuring every team member understood their responsibilities, acceptable use policies, and incident reporting procedures
  • Onboarded RMI's internal team on the new policies, tools, and procedures - ensuring they can maintain compliance independently
  • Established the governance structure and practices that make CE+ compliance sustainable - not a one-time certification that degrades immediately after the audit

THE RESULTS

  • Cyber Essentials Plus certification achieved on the first attempt - meeting NHS Countess of Chester Trust procurement requirements and maintaining eligibility for government contracts
  • 45% IT cost optimization through vendor rationalization, license consolidation, and infrastructure tuning - RMI now pays significantly less for significantly better services
  • 20+ cybersecurity policies created or revised - from zero formal documentation to a complete governance framework aligned to CE+ 3.1
  • 50+ devices hardened with centralized patching, MFA, endpoint protection, and secure configuration - replacing the previous ungoverned, unpatched device estate
  • 30+ cloud services mapped and secured - with documented access configurations, shared responsibility assessments, and MFA enforcement across all platforms
  • Real-time asset registry replacing manual, partial documentation - providing live visibility into every device's security state and compliance status
  • Remote and home-office workers brought into scope - every endpoint, regardless of location, meets the same security baseline
  • Disaster recovery and backup strategies implemented - replacing ad hoc practices with structured, tested recovery procedures
  • Scalable compliance foundation - the governance structure, policies, and technical controls are directly applicable to ISO 27001, positioning RMI for future certification with minimal additional effort
