When business owners hear "security assessment," many assume it involves someone plugging in a laptop, running mysterious scans, and potentially bringing systems down. That's not what a security health check is.
Let me walk you through exactly what happens — from the first conversation to the final report — so there are no surprises.
What a Health Check Is
A security health check is a structured, advisory-led review of your current security posture. It examines how your business manages security across six core domains:
- Network security — how your perimeter is configured and what's exposed externally
- Endpoint protection — how laptops, desktops, and mobile devices are managed and protected
- Email and identity — phishing controls, multi-factor authentication, access management
- Cloud and data — how cloud services are configured and how sensitive data is handled
- Monitoring and detection — whether you'd know if something was happening right now
- Governance and policy — whether the right processes and documentation are in place
The review is carried out remotely, through structured interviews with your IT lead (or IT company), a review of the documentation and configuration evidence your team provides, and a written evidence request that takes most clients no more than a few hours to complete.
What It Isn't
A health check is not a penetration test. We do not attempt to compromise your systems, run vulnerability scans against your infrastructure, or log in to anything ourselves; everything we assess comes from the interviews and the evidence your team supplies. If a penetration test is what you need, we can advise on scoping it and hand the brief to a qualified technical partner — but that is a different engagement entirely.
It does not require downtime, system changes, or any disruption to your day-to-day operations. Most clients barely notice it happening.
How Long Does It Take?
A standard health check for a business with 50 to 300 users runs over approximately two weeks from engagement start to report delivery:
- Week 1: Evidence gathering, documentation review, and structured interviews with key stakeholders
- Week 2: Analysis, report writing, and quality review
- Delivery: Written report delivered at the end of week two, followed by a scheduled 60-minute debrief
The evidence gathering typically requires no more than 2 to 3 hours of your team's time in total. We send a structured evidence request document that your IT company can complete directly.
What You Receive
The output of a health check is a written report containing:
- An executive summary — a one-page plain-English overview suitable for leadership and board level
- A RAG rating (Red / Amber / Green) for each of the six security domains, with an explanation of why each domain was rated as it was
- A prioritised risk register listing the weaknesses we identified (control gaps and configuration issues drawn from the evidence, not scanner output), ordered by business impact and urgency
- Quick-win recommendations — things that can typically be addressed within 30 days, often at low or no cost
- A 60-minute debrief session with your leadership team, walking through findings and answering questions
The report is written for business owners, not IT teams. Every finding is explained in plain English with a clear answer to "what does this mean for us?" and "what do we do about it?"
What Happens After the Report
The report is yours. You can share it with your IT company, your board, your insurer, or your legal team. Many clients use it as the basis for a structured conversation with their MSP about remediation priorities.
We don't sell remediation services. We don't resell products. We have no financial interest in what you do next — which is exactly why the advice in the report is worth having.
Some clients choose to move on to a Virtual CISO retainer after a health check, to have ongoing advisory support as they work through the remediation roadmap. Others use it as a one-off exercise and carry on with their IT company doing the implementation. Both are entirely valid outcomes.