Your IT is either compliant or it isn’t. Find out which →

A baseline IT security standard exists.
Does your business meet it?

Most businesses assume their IT is fine.
Most are wrong — and most find out the hard way.

Secure State™ is the framework that tells you exactly where you stand. Four categories. One outcome: Compliant or not. Inology’s own standard — not a government scheme, not a third-party cert. Applied every 90 days, without exception.

Find Out If You’re Compliant See the Framework
4 Assessment
categories
90 Day review
cycle
23 Years of IT
expertise
2 Outcomes.
Compliant or not.
ISO 9001
ISO 27001
★★★★★ 5.0
★★★★ 4.5 Trustpilot
Cyber Essentials
Microsoft Partner
The Reality
FACT:

Half of UK small businesses were hit by a cyber attack last year.

And the ones that weren't? Most had no idea whether they were protected or not. A framework doesn't fix this — but it tells you exactly where you stand.

Source: GOV.UK Cyber Security Breaches Survey 2025
% of UK businesses experiencing a cyber breach, by size
Breach rate (%)
Why It Exists

Most businesses have no idea where their IT actually stands.

Twenty-three years of managed IT across Manchester. The same conversation, over and over — after the ransomware, after the breach, after the audit that failed.

“I thought we were fine.”

It was never negligence. There was just no standard to measure against. No baseline. No way to know what “fine” actually looks like.

Secure State is that standard.

Without a framework

  • No idea what’s actually exposed
  • Spend is reactive, never planned
  • One incident away from finding out

Secure State Compliant

  • Exact picture of where you stand
  • Gaps documented, owned, and resolved
  • Compliant. Evidenced. Moving forward.
The Framework

Four categories.
One clear standard.

Inology's own framework for UK small businesses. Not a government scheme, not a third-party certification. The standard we hold every managed IT client to — built from 23 years of real-world delivery. Applied every 90 days.

Category 01
Cyber Security

Are your systems, users, and data protected against the threats that target businesses your size? Device security, access controls, threat detection, incident readiness.

Category 02
IT Strategy

Is your IT aligned with where the business is going — or just keeping the lights on? Roadmap, vendor relationships, budget, strategic alignment.

Category 03
Growth Readiness

Can your IT scale with you? Infrastructure resilience, onboarding efficiency, hybrid working capability, technology debt.

Category 04
Compliance

Are you meeting your legal and regulatory obligations? Data protection, GDPR, audit readiness, policy documentation.

The Outcome

There are only two results.
That's the point.

Most IT frameworks give you a score, a level, a traffic light. Secure State gives you a definitive answer — the same way CE does, the same way any real standard does. You meet it or you don't. Anything else is just noise.

Not Met
Not Compliant

One or more criteria are unmet. Inology documents exactly which areas failed and why — those gaps become the action plan for the next 90-day cycle.

Met
Compliant

All criteria are met across all four categories. You receive the Secure State Compliant badge — live proof your IT is actively managed to Inology's standard.

Compliance is re-assessed every 90 days. If you leave the Inology programme, the status lapses. That's intentional — it means the badge always reflects your current state, not a point-in-time audit from 18 months ago.

Built on Real-World Experience

This framework didn't come from a whiteboard.

Hundreds of incidents, near-misses, and audits across 23 years. Every criterion in Secure State came from a real business, a real failure, a real cost. Cross-referenced against global standards — not to replicate them, but to make sure nothing was missed.

"We built the standard we wished our clients had been held to before they came to us."
Referenced against
CIS Controls v8

The globally recognised standard for defending against the most prevalent cyber attacks. Used to pressure-test our Cyber Security criteria.

23 Years in the Field

Every criterion maps to a real scenario. If it’s in Secure State, it’s because we’ve seen what happens when it isn’t in place.

CIS Microsoft 365 Benchmark

The CIS benchmark for securing M365 — the platform most UK small businesses run on. Directly informs our configuration and access control criteria.

UK Regulatory Landscape

UK GDPR, ICO guidance, and sector obligations across healthcare, legal, and financial services — reflected in our Compliance category.

Secure State is Inology's own framework. It is not a CIS certification scheme — CIS standards are referenced as a validation layer only.

Meet the Founder

Brett Casterton

Founder & Managing Director, Inology IT.
23 years building and securing Manchester’s small businesses.

Brett started Inology in 2002. He’s responded to hundreds of incidents and watched capable businesses lose time, money, and client trust — because no baseline was ever in place. Secure State is his answer to that.

“Most small businesses don’t have a security problem. They have a standards problem. Nobody ever told them what good looks like.”
About Brett →
Brett Casterton, Founder of Inology IT
SECURE STATE COMPLIANT by Inology Awarded to clients who meet the Secure State standard — re-assessed every 90 days
The Compliant Badge

Something real
to show for it.

When your business reaches Compliant status, you receive the badge. Put it on your website, in proposals, in your email footer. It tells clients, partners, and insurers something specific: your IT is actively managed to a defined standard.

Not a one-time certificate. A live status — re-assessed every 90 days. The moment it lapses, it comes down. That’s what makes it mean something.

And behind the badge? A full ecosystem. Policies your staff can read and sign. Checklists with names on them. Documented controls you can hand to an insurer, a new enterprise client, or an auditor without breaking a sweat. Secure State isn’t a framework you complete. It’s a standard you maintain.

Re-assessed every 90 days

See how it works in practice — or just get in touch.

See How It Works ↓
How It Works

How the framework
drives a 90-day cycle.

The framework isn't a one-time audit — it's a continuous standard with a fixed rhythm.

01

Initial Assessment

The full Secure State framework is applied across all four categories. Every question answered. Plain-English result: Compliant or Not — and if not, exactly which criteria aren’t met.

02

Gaps Become the Roadmap

Every unmet criterion is documented. The framework defines what’s missing — those gaps form the action plan for the next 90-day cycle. Nothing ambiguous, nothing discretionary.

03

90-Day Reassessment

The framework runs again at 90 days. Same questions, same standard. What’s been resolved, what’s still open, where you stand — measured against the framework, not against last time.

04

Compliant Status Awarded

All criteria met. The framework confirms it. Compliant status achieved and badge issued. The 90-day cycle continues — because the standard doesn’t expire, it renews.

Questions

Things people ask.
Answers that don't dodge.

We've heard every version of these. Here's what we actually say.

What exactly is Secure State?

It's Inology’s own standard for what a well-run business IT environment looks like. Four categories: Cyber Security, IT Strategy, Growth Readiness, and Compliance. Not a government scheme. Not a third-party cert you pay £2,000 for. The standard we hold every managed IT client to — assessed every 90 days. You either meet it or you don’t. There’s no “mostly compliant.”

How is it different from Cyber Essentials or ISO 27001?

CE and ISO are external schemes with certification bodies, annual fees, and point-in-time audits. Secure State is Inology’s own standard — broader, continuous, and built from 23 years of actually fixing the things those audits missed. You can hold CE and still fail Secure State. You can pass Secure State and not have CE. They’re different tools for different conversations.

Who runs the assessment — us or Inology?

Inology runs it — with you. It’s not a portal, not a self-serve checklist, not a spreadsheet you fill in alone at 11pm. An Inology team member works through the assessment with you, in context. Takes around 30 minutes. Happens at onboarding, then every 90 days. You’ll probably learn something about your own setup.

What happens if we're Not Compliant?

You get a document. Not a vague summary — a specific breakdown of exactly what wasn’t met, why it matters, and what fixing it looks like. Those gaps go straight into your 90-day plan. Most clients hit Compliant within one or two cycles. Frankly, most clients who think they’ll pass easily are surprised. That’s the point.

Does the badge lapse if we stop working with Inology?

Yes. And we make no apology for that. A badge that never expires isn’t a standard — it’s a sticker. The Compliant status is tied to the 90-day cycle. Stop the cycle, the status lapses. It’s the same reason your car insurance renews annually. The thing it’s protecting doesn’t stop changing.

Is it just an assessment, or is there more to it?

Much more. The assessment is the surface. Beneath it: a full set of IT security policies your team can actually read, understand, and sign. Checklists with ownership. Documented controls. Evidence packs. The kind of paper trail that makes an insurer relax, makes an enterprise procurement team stop asking questions, and makes an auditor genuinely bored. It’s not a framework you tick and forget. It’s an ecosystem you operate inside.

What if we already think we’re pretty secure?

Then you’ll either confirm it — which is genuinely useful — or you’ll find the two or three things you missed, which is even more useful. We’ve run this assessment with businesses that had recent CE certification, a full-time IT manager, and a very confident MD. They found gaps. Not catastrophic ones, but real ones. The businesses that worry us least are the ones who say “we think we’re fine” and then want to find out for certain.

Learn More

Curious about
Secure State?

Leave your details and someone from Inology will reach out — to answer questions, walk you through the framework, or talk about whether it’s the right fit. No obligation, no sales script.

  • Understand what the framework covers
  • See how it fits your business
  • No obligation, no sales script
0161 503 3535 Send us a message →

We respond within one business day. Your details are never shared.

By submitting this form you confirm you have read and agree to our Privacy Policy. We will use your details to respond to your enquiry and may follow up by phone or email. You can withdraw consent at any time by contacting us via this page or in writing to our registered office.