Secure-by-Design Pack
The security foundations that should have been there from day one. Intune baseline aligned to Cyber Essentials Plus, DLP across M365 and Teams, Conditional Access and MFA enforced properly, secure Power App deployment patterns, and the compliance documentation pack to evidence it all.
Why a secure baseline beats a security retrofit.
Building Power Platform and Copilot solutions without hardening the security layer first creates long-term risk. DLP added after the fact never quite catches up. Conditional Access deployed as an afterthought creates user friction that gets bypassed. Intune deployed without compliance policies manages devices in name only. The Pack puts the security foundations in before anything else gets built. It is not the most exciting accelerator on our catalogue, and it is the one we recommend most often as the first piece of work because the other accelerators depend on it.
For regulated firms — financial services, legal, healthcare — the Pack is also the basis for the compliance evidence pack you will be asked for at procurement, at audit, and at regulatory inspection. The work is structured so the documentation is a by-product, not a separate exercise.
What the pack covers.
Five layers, designed together, evidenced as one pack.
1
Intune baseline
Device compliance + conditional launch
App protection policies
BitLocker enforcement
OS patching policies
2
DLP & data
DLP across M365 + Teams
Power Platform DLP
Sensitivity labels
Sector-tuned policies
3
Conditional Access + MFA
MFA genuinely enforced
CA by device compliance + risk
Hybrid working patterns
Break-glass design
4
Power Platform security
Environment strategy
Power Platform DLP
ALM patterns
Production safety
5
Compliance documentation
GDPR checklist
CE+ evidence
Data flow maps
Retention policy docs
Deliverables you can hold us to.
✓
Microsoft 365 tenant configured to the modern security baseline with documented policies
✓
Intune managing your endpoints properly, with compliance policies that actually mean something
✓
DLP policies that prevent the most common data leakage patterns, calibrated to your sector
✓
Conditional Access policies that enforce MFA without creating user revolt
✓
Compliance documentation pack: policy documents, configuration evidence, data flow maps
✓
Evidence file ready for Cyber Essentials Plus certification
✓
60-minute walkthrough with your IT lead, your DPO, and senior management
✓
30 days of post-go-live support as the policies bed in
Mid-market firms in regulated sectors (financial services, legal, healthcare), firms preparing for Cyber Essentials Plus certification, firms preparing for a procurement process that requires security evidence, firms about to deploy Copilot or Power Platform builds where the security layer needs to be in place first, and firms whose current security configuration is a patchwork that has built up over years.
How it runs.
1
Discovery + design
Week 1. Review the current tenant, identify the gaps against the modern baseline, design the policies, agree the rollout sequence. You sign off the design before any change is made.
2
Build + pilot
Week 2. Configure the policies in the tenant. Pilot Intune compliance and Conditional Access with a small group first to surface any friction before wider rollout.
3
Rollout + docs
Week 3. Policies go live for the wider workforce, staged. We produce the compliance documentation pack alongside the rollout and hand over with a 60-minute walkthrough.
The price band, and how it lands.
Up to 100 users, BP
£1,950
Straightforward tenant on Business Premium
Up to 250 users
£2,800
Mid-scale, some regulated content
Up to 500 users, regulated
£3,800
Legal / FS / healthcare, E3 baseline
Up to 500 users + E5
£4,800
E5 with advanced security features
Related work
Often paired with this accelerator.
Common questions.
Will this break things for our users?
Some users will feel the change — MFA prompts they did not have before, device compliance checks, Conditional Access policies that block access from personal devices. The pilot week surfaces and resolves the friction before the wider rollout, and the rollout is staged to give users time to adjust.
Does the Pack get us Cyber Essentials Plus certified?
It gets you ready for certification. The certification itself is done by an accredited body (IASME); we do not do that. The evidence pack we produce is structured so the application is straightforward. Most firms move from the Pack to a certification within four to six weeks.
We are on Business Premium, not E5. Will the Pack work for us?
Yes. The Pack is designed to work with Business Premium for firms up to 300 users. The security capability in Business Premium is significantly underused in most tenants; the Pack puts it to work. E5 unlocks additional features (Sentinel, advanced Defender, advanced Purview) but the Pack delivers the baseline without requiring an E5 upgrade.
How is this different from the Security Audit?
The Security Audit is the assessment: it tells you where you stand. The Secure-by-Design Pack is the remediation: it puts the baseline in place. Some clients run the audit first to define the gap and then the Pack to close it; others go straight to the Pack.
Does the Pack include Microsoft licences?
No. Licences are separate. We help you confirm the right plan during the discovery. Most firms can use Business Premium; larger or more regulated firms need E3 or E5. The Pack does not require additional add-on licences in most cases.