The Challenge

As Cyber Assurance Lead within Sizewell C, I was responsible for shepherding one of the UK's most significant nuclear energy projects through Cyber Essentials and Cyber Essentials Plus certification — a rigorous, hands-on technical assessment demanded by the organisation's commitment to robust UK cybersecurity governance. Operating within a tightly regulated and critically sensitive sector, the stakes could not have been higher. The assessment had to be completed within a demanding two-week timeframe without disrupting live project operations, to underpin investor confidence and supplier assurance across the entire programme.

• An exceptionally large number of users and devices in scope created significant complexity in data gathering and evidence collection
• Cyber Essentials Plus requires hands-on technical verification — every device and user touchpoint needed to meet the standard in practice, not just on paper
• The nuclear sector operates under some of the strictest compliance and governance requirements in the UK, adding layers of scrutiny at every stage
• A tight, non-negotiable timeline from Cyber Essentials to Cyber Essentials Plus meant little room for prolonged remediation cycles, requiring meticulous planning from the outset
• Coordinating across multiple internal teams and stakeholders within a large infrastructure project environment presented significant logistical and communication challenges

The Approach

I adopted a structured and phased approach from day one. I began with an initial scoping exercise to clearly define the assessment boundary, identifying all devices, users, and systems in scope. I then carried out a gap analysis against the five Cyber Essentials Plus technical controls — firewalls, secure configuration, user access control, malware protection, and patch management — to surface remediation priorities early and allow maximum lead time for resolution. I collaborated directly with Sizewell C's internal IT and security teams to gather evidence efficiently and address gaps swiftly as they were identified. Throughout the engagement, I maintained a clear project plan with defined milestones to keep all stakeholders aligned and ensure the timeline remained on track ahead of the formal IASME-led assessment.

The Results

I delivered Cyber Essentials Plus certification for Sizewell C in March 2026, providing independent assurance that core devices and security controls meet UK Government-backed cybersecurity standards — a critical milestone for a project of this national significance.

Business & Security Impact

• Measurable Risk Reduction: Mitigated exposure to commodity internet-originating cyber attacks by up to 99% through strict adherence to the five core technical controls.
• Financial Validation: Achieved a security baseline that industry data shows makes organisations 92% less likely to make a cyber insurance claim, significantly de-risking investor capital.
• Operational Confidence: Joined the 91% of framework-adopting organisations reporting increased confidence in their operational security posture and resilience against breaches.
• Flawless Delivery: Certification delivered completely within a two-week window with no residual actions and zero disruption to live project operations.
• Supply Chain Assurance: Strengthened confidence across regulators, suppliers, and key stakeholders by providing verifiable, audited evidence of cybersecurity maturity against UK Government CE+ requirements.
• Continuous Posture Visibility: Established a repeatable certification framework and robust audit evidence to support governance and simplify future annual renewals.

My prior experience operating within Critical National Infrastructure environments, combined with a direct working relationship with the IASME certifying body, meant I could navigate the assessment process with no ramp-up time — allowing full focus on delivery, evidence quality, and stakeholder coordination from day one.

Download the Cyber Essentials Plus Assessment Report