The Cyber Scheme’s Cyber Advisor Success Stories series continues, sharing the experiences of individuals who have successfully passed the Cyber Advisor assessment with us and the organisations they work for.

In this issue, we talked to Alan Powell, Principal Cyber Advisor at CAB IT Services Ltd, to understand the company’s motivations for becoming a Cyber Advisor consultancy, and how the organisation has evolved as a result.

---

Thank you for agreeing to take part in this series, Alan. Can you explain the thinking behind obtaining this qualification for CAB?

“At CAB, we’ve always taken pride in doing things the right way. We lead by example and never ask our customers to do anything we wouldn’t do ourselves. This mindset laid a solid foundation for us to become an Assured Service Provider – but we also had to back it up with thorough documentation and clear, demonstrable processes.
CAB now operates within a framework of exceptional practice, robust processes, and a deep understanding of not only our IT systems but our entire business operation”.

How long did it take your organisation to become an Assured Service Provider?

“The process involves several key certifications and assessments and took us around 12 months to complete: IASME Cyber Essentials and Cyber Essentials Plus (fully audited), IASME Cyber Assurance (or ISO 27001 equivalent), Cyber Assurance Level 1, Cyber Assurance Level 2 (fully audited), Quality Principles (fully audited), NCSC Assured Cyber Advisor, Cyber Advisor Exam (including role-play assessment).

We’ve held Cyber Essentials certification for some time, a baseline that, surprisingly, many IT providers still lack. But the real challenge came with IASME Cyber Assurance. This certification focuses on identifying and managing risks across the business, with a strong emphasis on cyber security. It’s not just about technical controls; it’s about embedding good practices into the fabric of the business. We implemented around 40 new policies, introduced new processes, and identified gaps in our daily operations that could pose risks to us and our customers. One example: we now conduct comprehensive security and DBS checks for all new hires.

Cyber Assurance Level 2 & Quality Principles Level 1 was demanding, but Level 2 raised the bar. This fully audited assessment required every team member to understand, embrace, and consistently follow all processes. The Quality Principles certification added another layer, demonstrating our commitment to continuous improvement, operational consistency, and clear communication.

Becoming an NCSC Assured Cyber Advisor on top of the business certifications, we also needed individual qualifications. The Cyber Advisor exam tested deep knowledge of the Cyber Essentials framework, NCSC guidance, and the ability to apply this in real-world scenarios. It included a rigorous open-book exam and a challenging role-play consultation, where we had to show not just technical expertise, but the ability to deliver advice…”

Do you now publicise the fact you are a Cyber Advisor?

“Yes – we actively publicise our Cyber Advisor status. We’ve shared the announcement online and informed all existing customers, we’re enrolled in the IASME 30‑minute free Cyber Advisor scheme, and we regularly deliver our own Cyber Security Masterclasses for SMEs across the South West, where each session is advertised and delivered by a certified Cyber Advisor”.

Do you think being an Assured Cyber Advisor is beneficial to the organisation you work for?

“This journey has accelerated our maturity as a business. We’ve emerged stronger, more capable, and better equipped to deliver secure, high-quality services to our customers, both existing and new”.

Has being an Assured Cyber Advisor increased business for your organisation?

“Being an Assured Cyber Advisor has already created clear value for our organisation. We’ve seen tangible benefits through the NCSC‑funded programme, along with additional work where our accredited status has been a contributing factor. While it’s still early days, we see the status as a strategic differentiator and are focused on increasing awareness, with the expectation that further opportunities will follow”.