Cyber Essentials Plus
Led and delivered the CE+ certification for Sizewell C.
The Challenge
Sizewell C, one of the UK's most significant and high-profile nuclear energy projects, required Cyber Essentials Plus certification as part of its commitment to robust cybersecurity governance. Operating within a tightly regulated and critically sensitive sector, the stakes could not be higher. As the Lead and Delivery Consultant, my challenge was to shepherd a large-scale, complex organisation through the rigorous Cyber Essentials Plus assessment process within a demanding timeframe — without disrupting live operations or project delivery that delivers investor confidence and supplier assurance.
- The organisation had an exceptionally large number of users and devices in scope, creating significant complexity in data gathering and evidence collection
- Cyber Essentials Plus requires hands-on technical verification, meaning every device and user touchpoint needed to meet the standard — not just on paper, but in practice
- The nuclear sector operates under some of the strictest compliance and governance requirements in the UK, adding layers of scrutiny to every stage of the process
- A tight, non-negotiable timeline from Cyber Essentials to Cyber Essentials Plus meant there was little room for long remediation cycles or delays, requiring meticulous planning from the outset
- Coordinating across multiple internal teams and stakeholders within a large infrastructure project environment presented significant logistical and communication challenges
The Approach
As Lead Consultant, a structured and phased approach was adopted from day one. An initial scoping exercise was conducted to clearly define the boundary of the assessment, identifying all devices, users, and systems in scope. A gap analysis was then carried out against the five Cyber Essentials Plus technical controls — firewalls, secure configuration, user access control, malware protection, and patch management — to identify remediation priorities early. Close collaboration with Sizewell C's internal IT and security teams ensured that evidence was gathered efficiently and that any gaps were addressed swiftly. A clear project plan with milestones was maintained throughout to keep all stakeholders aligned and ensure the timeline remained on track ahead of the formal assessment.
The Results
I delivered the CE+ certification for Sizewell C in March 2026, providing independent assurance that our core devices and security controls meet UK Government-backed cyber security standards.
What this means (business & security impact)?
- Independent assurance achieved for device security controls, validating overall project security posture.
- Cyber Essentials Plus certification delivered on time with no residual actions or operational disruption.
- Verifiable, audited cybersecurity maturity demonstrated against a UK Government-backed standard.
- Strengthened confidence across regulators, suppliers, and key stakeholders requiring due diligence evidence.
- Robust audit evidence established to support governance, assurance, and external scrutiny.
- Repeatable certification framework created, improving future renewals and internal security posture visibility.
- Successful outcome validating the security of the project.