Compliance, delivered.

Independent UK compliance consultancy. We engineer your certification - end to end.

Cyber Essentials, CE Plus, ISO 27001, NIST CSF and UK GDPR - delivered as a single programme. Sector specialists in accountancy, legal and FCA-regulated firms. Backed by MACE - our AI compliance platform (early access).

✓  Independent · not on any vendor's gold-partner programme
✓  CE in 2-4 weeks · CE+ in 6-10 weeks · ISO 27001 in 4-6 months
✓  Sector specialists · accountancy, legal, FCA, professional services
Your security posture
A single view across every framework MACE covers for your organisation.
Cyber Essentials v3.3
100
Last assessed
07 May 2026
No open actions
ISO 27001
SOA
0%
0 / 80 decided
OPEN RISKS
0
0 high
LAST AUDIT
0 cycles
NEXT REVIEW
Never
0 logged
UK GDPR
39
Last assessed
11 May 2026
17 open actions
Microsoft 365
79
Last reviewed
11 May 2026
4 open findings
ID
100
EM
44
DV
DA
100
TH
75
21 open actions across frameworks
Actions Needing Attention
critical · Build a Record of Processing Activities (RoPA)
critical · Create a written personal data breach response plan
critical · Put a lawful safeguard in place for international data transfers
high · Legacy SMTP authentication is disabled
high · DMARC is published in DNS
Microsoft 365: Connected
Domain scan: 1 of 4 good · 3 need attention
MACE · BETA
Why AssurePath

Independent. Focused. Yours.

AssurePath is a single-purpose UK compliance consultancy. Our entire offer is engineering your firm's certification - on hours and milestones, not on a reseller deal.

Certifying bodies (IASME for CE and CE Plus, accredited registrars for ISO 27001) audit the firm being assessed - and what auditors test is your controls, your evidence and your discipline. That's where we put the work.

Independent
Not on any vendor's gold-partner programme. Our advice isn't shaped by a reseller agreement we need to honour.
Single-purpose
Our job is to get your firm certified. Not to upsell you onto our own SaaS. Not to renew an MSP contract by frightening you.
Receipts, not theory
We're the team that builds the actual controls - identity, EDR, evidence collection, runbooks - inside dozens of UK firms. That's what auditors test.
Frameworks we deliver

Five frameworks. One programme.

Pick one, pick the lot. Most firms start with Cyber Essentials Plus because a tender asked for it, then build ISO 27001 on the same evidence base. UK GDPR is always in the mix.

CE
CYBER ESSENTIALS
Cyber Essentials
~2-4 wks
The IASME-administered baseline. Self-assessed. The minimum credible posture for tenders, insurance and most B2B contracts.
  • IASME-aligned 5-control review
  • Submission-ready evidence pack
  • Annual renewal cadence
MOST REQUESTED
CE+
CYBER ESSENTIALS PLUS
Cyber Essentials Plus
~6-10 wks
The audited version. An external assessor tests your kit against the controls. Required for most public-sector and enterprise procurement.
  • Pre-audit gap assessment
  • Auditor liaison and on-site support
  • Remediation in flight, not in a report
ISO
ISO 27001:2022
ISO 27001
~4-6 mo
The international standard. An ISMS, a Statement of Applicability, a risk register and an external Stage 1 + Stage 2 audit. The credible answer to enterprise security questionnaires.
  • Full ISMS build · SoA · risk register
  • Policy library + auditor evidence trail
  • Stage 1 + Stage 2 facilitation
NIST
NIST CSF 2.0
NIST CSF
~scoped
The US-rooted framework increasingly demanded by US clients and global insurers. Govern, Identify, Protect, Detect, Respond, Recover.
  • Posture profile against current + target
  • Gap assessment and roadmap
  • Mapped against ISO 27001 where it overlaps
GDPR
UK GDPR · ICO
UK GDPR
~ongoing
The data-protection programme. RoPA, DPIAs, DPA register, lawful-basis review, breach response on the ICO 72-hour clock. Built into MACE.
  • RoPA, DPIA, DPA register
  • Breach response runbook + drill
  • Subject rights workflow
Sectors we specialise in

Built for the firms whose clients ask first.

We work across all sectors, but the bulk of our compliance work is in three. The firms where the security questionnaire arrives before the contract does.

Legal
SRA cyber expectations · client questionnaire ready

Law firms live and die on confidentiality. CE Plus is increasingly the floor; ISO 27001 wins enterprise client tenders. We've taken practices through both - and through the SRA's expectations on cyber resilience.

  • Matter confidentiality controls
  • On-prem / sovereign AI sign-off
  • Lateral-hire data-handling review
Accountancy
ICAEW guidance · client data sovereignty

Tax data, payroll, audit working papers. Practices we work with reach CE Plus before quarter-end and add ISO 27001 in the run-up to bid season. ICAEW's tightening guidance is part of every roadmap.

  • Client data segregation
  • ICAEW-aligned policy library
  • Practice-software integration evidence
FCA-regulated firms
SYSC · SS1/21 · Consumer Duty cyber

IFAs, wealth managers, EMIs and crypto firms. The FCA's operational-resilience and cyber expectations run alongside CE Plus and ISO 27001. We've sat in supervisory visits with our client teams.

  • SYSC 3 cyber evidence
  • SS1/21 operational resilience
  • Named CISO cover where required
How we run it

Scope it. Build it. Pass it.

Four steps. Same playbook every time. We tell you on day one what's in the way - and what the auditor will ask.

01
Posture review
We map what you have, what auditors will ask for, and what's missing. Free. We tell you on the call - not in a 40-page report a week later.
02
Roadmap & price
Hours, milestones, fixed-cost auditor add-on. You see the whole programme before you sign anything. No 'discovery time' billed against ambiguity.
03
Evidence build
Controls go in. Policies get written or sharpened. Evidence starts flowing - manually now, automatically through MACE once you're on the platform.
04
Audit & sign-off
We sit in the auditor meetings with you. Findings get closed in flight, not in a follow-up. Certificate issued. We don't disappear afterwards.
MACE
AI COMPLIANCE PLATFORM · EARLY ACCESS

And we built the tool for it.

Evidence collection turns into a six-week scramble before every audit. We got tired of doing it by hand for our clients - so we built MACE.

MEASURE · ACT · COMPLY · ENHANCE

EARLY ACCESS · OPEN
Join the MACE waitlist.

We're letting design partners in monthly. Free access during the closed beta in exchange for honest feedback.

UK
hosted
4
frameworks live
+4
on roadmap
M
Measure
Continuous evidence collection from M365, Entra, Intune, Defender, Sentinel and Workspace. No more 6-week scrambles before audit week.
A
Act
AI Advisor turns findings into action plans. Critical and high actions surfaced first - the ones that move your readiness score the most.
C
Comply
Live framework scoring against CE, CE Plus, ISO 27001 and NIST CSF. UK GDPR pack: RoPA, DPIAs, DPA register, breach reporting on the 72-hour clock.
E
Enhance
Trend, drift detection, posture history. Auditor-ready read-only view. New frameworks (ISO 27701, NIS2, DORA, SOC 2) added as we build them.
What's in MACE today
Six modules. One score.
v1.0 · BETA · UK-HOSTED
Framework readiness
Live score against CE, CE+, ISO 27001 and NIST CSF. Every control mapped, every gap flagged.
Evidence collection
Continuous, automatic, audit-traceable. MFA coverage, conditional-access, patch state, backup status - all pulled from source.
RoPA register
Record of Processing Activities, AI-suggested from your tenant. Owners, lawful basis, retention, transfers - all in one place.
DPIAs
Data Protection Impact Assessments triggered by risk thresholds. Templates, sign-off workflow, residual-risk tracking.
DPA register
Every Data Processing Agreement with every processor. Renewal alerts, sub-processor changes flagged, evidence on tap.
Breach reporting
ICO 72-hour clock from incident registration. Decision tree for notifiability. Auto-generated regulator and data-subject comms.
CONNECTS TO →
Microsoft 365 · CONNECTED
Entra ID · CONNECTED
Intune · CONNECTED
Microsoft Defender · CONNECTED
Microsoft Sentinel · BETA
Google Workspace · BETA
Azure · ROADMAP
Jira / Confluence · ROADMAP
The advisory offer

Hours, milestones, a fixed roadmap.
No reseller surprise.

We price on scope, not seats. You see the plan, the milestones and the hours before you sign anything. Auditor liaison, post-cert retainer and MACE access during early access are itemised separately - never bundled to hide the number.

Most clients run the engagement as: posture review (free) → fixed-hours gap closure → light retainer for renewal cycles and surveillance audits.

Sample CE+ & ISO programme
~120 firms
WK 0
Posture review
Free. We tell you what's in the way on the call.
WK 1-2
Scoping & roadmap
Asset register, control mapping, fixed milestone plan.
12-24 h
WK 2-8
Evidence build
MFA, conditional access, policies, runbooks. MACE wired in.
40-80 h
WK 8-10
Cyber Essentials Plus
External assessor. Findings closed in flight.
16 h
WK 10-22
ISO 27001 ISMS
Risk register, SoA, internal audit, management review.
60-120 h
WK 22-24
Stage 1 + Stage 2
Audit support. Co-presented with your team.
20 h
Indicative only. Real scope shifts by starting posture, headcount and which frameworks you take. We always quote against your firm before signing.
FAQ

Questions UK firms ask before signing.

Eight straight answers - including the honest one about our own certificates.

Three reasons. One: independence - we aren't on any certifying body's gold-partner programme, so our advice isn't shaped by a vendor relationship. Two: focus - compliance is the engagement, not a hook for an MSP contract. Three: receipts - we're the team that has built the actual controls (identity, EDR, evidence collection, runbooks) inside dozens of UK firms, including FCA-regulated firms, law firms and accountancy practices. That's what auditors test against.

Free posture review

Know where you stand. Fix what matters.

A free review of your current posture against Cyber Essentials, ISO 27001 and UK GDPR. We tell you where the gaps are - and what's in the way of closing them. No obligation, no sales pitch.

01
Posture review
Free. Where you are against every framework you care about.
02
Roadmap & hours
Fixed scope, fixed milestones, fixed quote. No reseller surprises.
03
Cert & retain
We sit with you in audit. We don't disappear at sign-off.