Compliance for BFR

Client: Bedfordshire Fire and Rescue

The objective was to achieve compliance for BFR, the fire and rescue service for the ceremonial county of Bedfordshire. Approximately 123,500 hectares in size, it has a population estimated at 620,000 and growing.

Bedfordshire fire and rescue provides emergency response, prevention, protection services and support to this massive area. This includes the towns of Bedford, Kempston, Luton, Stopsley and Dunstable. It also contains market towns such as Ampthill, Biggleswade, Woburn and Leighton Buzzard. As well as this, BFR also watches over London Luton Airport and a road network including the M1 and A1 motorways.

They offer the most comprehensive protection to these communities. They do this via their 14 Fire Stations and an Emergency Communication Centre. There are 5 ‘wholetime’ stations that are operated 24 hours a day.

They currently employ more than 550 staff on a variety of conditions of service. This includes some firefighters on the wholetime shift system and then others on a flexible duty system. It also has a retained duty system, fire control operators and then support staff.

Case Study: Ensuring that BFR is compliant with government regulations

All government bodies, including Fire and Rescue, must now have Cyber Essentials and Cyber Essentials PLUS certification. CRIBB Cyber Security has partnered with the IASME Consortium for many years. We help clients from a wide range of industries with these increasingly important Government-backed schemes. They are designed to provide organisations with robust security frameworks.

Cyber essentials is a certification gained through an independently verified self-assessment. It offers protection against the most common cyber-attacks. It gives you and your customers peace of mind that your defences are strong enough to ward off attacks.

Built around 5 fundamental security controls, achieving certification is a simple process. Organisations assess their existing security framework against these controls. A qualified assessor then verifies all the information given.

The 5 controls:

  1. Secure Configuration
  2. Boundary Firewalls & Internet Gateways
  3. Access Control & Administrative Privilege Management
  4. Patch Management
  5. Malware Protection

Cyber essentials PLUS is a more comprehensive certification which requires a technical audit of your systems. A qualified assessor conducts the audit to verify that you have the 5 controls in place.

To gain the certification you must then complete the online assessment ahead of the audit of all the systems that fall within the Cyber Essentials scope. This includes all internet gateways and servers that can be accessed by unauthenticated internet users. It also includes a random set of user devices. The assessor will test approximately 10 per cent of the systems and decide whether or not additional testing is required.

The Challenge

The IASME Consortium recommended CRIBB Cyber Security to BFR when they were seeking certification in Cyber Essentials PLUS. Our Technical Director / Certification Auditor / DPO, Patrick Carolan then made contact. The deadline was a very tight one and there was additional pressure just around the corner. Patrick swiftly realised that their existing Cyber Essentials certificate was due to expire before they completed Cyber Essentials PLUS.

The Solution

Patrick reversed his approach to assist them with the successful renewal of Cyber Essentials. Then he guided them through the PLUS process. The client was very pleased with the comprehensive nature of Patrick’s approach, going so far as to commend him on his efforts.

“From initial sales call through to service completion of our Cyber Essentials PLUS certification, we were delighted. With the level of professionalism, the approach, the educational advice given and the overall experience.

“With excellent attention to detail all round, we would definitely recommend Patrick and the team at CRIBB Cyber Security to other government regulated companies.”

Main Team Member: Patrick Carolan, CRIBB Cyber Security Technical Director

Patrick is an all-round IT specialist with over 20 years’ worth of experience in the IT sector. He is well-versed in working with highly sophisticated networks and systems. In the past, he has worked on numerous projects in the cyber security sector and is an assessor consultant within Cyber Essentials and Cyber Essentials Plus. He is also a consultant for GDPR, IASME Governance, risk assessments, PCI DSS and ISO27001 Implementation.

Shortly after his work with BFR, he successfully completed the ECSA theory exam. As a result, CRIBB Cyber Security is both an ECSA and CREST-approved Penetration Tester.

Patrick’s methodical approach was complimented by the rest of the team at CRIBB. Together, they proved invaluable in this particular project.


BFR received a remote, professional audit during which their virtual desktops, cloud servers and mobile phones were all successfully verified. As is the standard in our approach, we were keen to impart knowledge and insights on all matters relating to cyber security certifications. In the client’s own words, we “demonstrated great flexibility and understanding in order to meet the aggressive deadline.”

BFR’s security has been greatly reinforced following vulnerability scans and subsequent advice on errors to be dealt with. Certification in both Cyber Essentials and Cyber Essentials PLUS has given them “tremendous peace of mind.” A successful review of their overall security infrastructure then reinforced that feeling. 


Independent verification by an approved accreditation body. In other words, proof that BFR has taken the steps required in order to protect the organisation against cyber threats.

Why Cribb Cyber Security?

We are an official certified body of IASME, the sole accreditation body in conjunction with NCSC for Cyber Essentials. Happily, Bedfordshire fire and rescue were put in touch with us based on recommendations. We pride ourselves on having unparalleled expertise, knowledge and insight on cyber security certification, compliance and governance.

How can we help?

If you’re struggling to comply with this government regulation or want to discuss how we can help in more detail, then please get in touch with us.