Security that is configured, not just licensed.

Most mid-market firms pay for Microsoft 365 Business Premium or E5 and use a tenth of the security capability it includes. We close that gap: Defender, Purview, Intune, Sentinel, and the policies and processes that make them work in your environment.

The scope

What Security and Compliance includes.

The full Microsoft security stack, configured to your environment, with documentation and ongoing assurance.

Microsoft 365 security baseline (MFA, conditional access, legacy auth blocked, admin protection, audit logging)
Microsoft Defender for Endpoint, Office 365, Identity, and Cloud Apps
Microsoft Purview: data classification, sensitivity labels, DLP, retention, eDiscovery
Microsoft Intune for endpoint management and compliance policies
Entra ID identity protection and conditional access design
Microsoft Sentinel for SIEM and SOAR where required
Cyber Essentials and Cyber Essentials Plus alignment
ISO 27001 readiness and audit support
GDPR compliance posture, data residency, retention policies
Incident response runbooks and tabletop exercises

Practice lead

Built by someone who has done this for systems that cannot fail.

Adam Grimes

Adam Grimes leads our security practice. He spent seven years at Lockheed Martin and Leidos, including a leading role on a £500m air traffic control modernisation programme for UK NATS. Working on systems where failure has real consequences shaped how he approaches Microsoft security: rigorous, documented, tested, and unsentimental about which workarounds are acceptable and which are not. He brings that standard to every Cloudbliss security engagement, whether the client is a fifty-person firm or a regulated mid-market business.

How the work usually scopes.

Accelerator route.

Security Audit (£1,200 to £3,500), Secure-by-Design Pack (£1,950 to £4,800), Copilot Readiness Assessment (£1,400 to £2,400).

Custom project route.

Regulated environment hardening, multi-site rollout, ISO 27001 readiness programmes, incident response architecture. £18,000 to £80,000.

For regulated industries.

Some sectors carry compliance requirements that change how the work is shaped. We have built specifically for these.

1. Financial services: FCA operational resilience, PRA cybersecurity expectations, conditional access for sensitive data, regulated communications monitoring with Purview, audit-grade evidence pack.
2. Legal: Solicitors Regulation Authority compliance, client confidentiality controls, sensitivity labels for matters, Copilot governance for privileged information.
3. Healthcare: NHS Data Security and Protection Toolkit alignment, patient data handling under GDPR, role-based access for clinical and admin staff.
4. Public sector and defence: Cyber Essentials Plus, ISO 27001, Official-Sensitive handling, links to commercial frameworks.

Relevant security accelerators.

Security Audit

A risk-ranked picture of where your Microsoft estate is exposed today.

£1,200–£3,500
1 week

Secure-by-Design Pack

A regulator-aligned M365 posture, evidence pack and controls dashboard.

£1,950–£4,800
3 weeks

Copilot Readiness Assessment

Know exactly what Copilot will see, and what to fix, before any licence is bought.

£4,800–£7,600
14 days

Security and Compliance questions.

We have Microsoft 365 Business Premium already. Do we need additional security products?

Almost certainly not at the start. Most firms with Business Premium are using a fraction of the security capability it already includes. The first engagement is usually configuring what you already have, not buying more. After that, larger firms may genuinely need E5 features or Sentinel; we assess and tell you honestly.

How long does Cyber Essentials Plus take?

Three to six months from a typical mid-market starting point. The gap analysis is one to two weeks, the remediation work is one to three months depending on the gap, and the certification itself is two to four weeks. We can run the whole programme or just the parts where you do not have internal capacity.

Do you do penetration testing?

We do not do penetration testing in-house. We partner with two specialist UK pen testing firms and manage the engagement on your behalf, integrating the findings into the remediation plan. Trying to do pen testing inside a Microsoft consultancy creates a conflict of interest; we keep it separate.

How do you handle incident response?

For clients on managed support, we have a defined runbook and we are involved from the first sign. For one-off security engagements we hand over a documented IR plan and tabletop exercise outputs; if an incident happens later, you call us and we respond against the existing plan.

Will Copilot leak our sensitive data?

Only if your data permissions are already broken. Copilot surfaces what the user is permitted to see. In most tenants we audit, that is more than it should be. The Copilot Readiness Assessment finds those permission problems and gives you a remediation plan before you switch Copilot on.