Three parts in, you have the floor, the proof, and the skeleton of a management system. This last part is about making it run — the operational disciplines that turn documents into a living thing — and then the quarter-by-quarter roadmap to get all of it done in the second half of 2026.

Because a strategy that ends at "we got certified" has missed the point. The certificate is a snapshot. The value is in what happens on the ordinary Tuesday six months later, and on the very bad Tuesday when something gets through anyway.

Backups you have actually restored

Start here, because it is the control that saves you when every other control has failed.

Every one of the five Cyber Essentials controls is about keeping bad things out. A backup is what you have left when one gets in. Danzell moved its backup guidance earlier in the requirements document precisely to make this point, and ISO 27001 makes it a named control (A.8.13). But the requirement people meet on paper and fail in practice is the last word of this sentence: a backup you have never restored is not a backup, it is a hope.

If you take one thing from this whole series into next week, make it a tested restore. I have watched firms survive a serious ransomware hit as a bad fortnight rather than an extinction event on the strength of exactly that, and I have watched others discover, at the worst possible moment, that the backups had been silently failing for months.

An incident plan you have rehearsed

The second operational discipline is a plan for the bad day, tested before the bad day arrives. ISO covers this in A.5.24 to A.5.28, and adds A.5.30 — readiness for business continuity — in the 2022 revision.

Your plan does not need to be long. It needs to answer, in advance and in writing: who takes charge, who does what, how staff report something wrong, who decides to pull a system offline, who you call (your IT provider, your incident-response retainer if you have one, your insurer), who you must notify — the ICO within 72 hours where personal data is involved — and how you capture what happened so you learn from it.

Then rehearse it once. A tabletop exercise — an hour around a table talking through a realistic scenario, "the finance manager's laptop is encrypted and there is a ransom note" — surfaces the gaps while they are cheap to fix. The plan you have never run is the plan that falls apart under real pressure, when people are frightened and the clock is going.

Metrics a board will actually read

You cannot manage what you do not measure, and ISO clause 9 asks you to monitor and measure the ISMS. For a firm your size, resist the urge to build a dashboard with forty numbers. Pick a handful that mean something and report them at the monthly, then quarterly, review:

Five or six numbers, honestly reported, tell a board more than a forty-page report, and they map straight onto the evidence an ISO auditor will ask for. If a number is going the wrong way, that is a management decision, which is exactly where it belongs.

The rhythm that keeps it alive

The thing that separates a business that stays secure from one that drifts is not tooling. It is cadence. ISO formalises three habits, and they are worth adopting whether or not you ever certify:

The roadmap for the second half of 2026

Here is the whole thing as a sequence you could start on the first Monday in July. Adjust the pace to your size, but keep the order — it is arranged so the cheap, high-impact work comes first and the expensive work is never wasted.

July — mobilise and map. Confirm the named owner and the budget from part one. Build the whole-organisation inventory: every device and its operating system, every cloud service, every legal entity, and what data each holds. Run a gap analysis against the five controls. You cannot plan remediation you have not scoped.

August — remediate, cheapest-first. Turn on multi-factor authentication everywhere it is supported — highest impact, usually lowest cost, and a Danzell automatic fail if you skip it. Then work through the rest: retire or replace unsupported hardware and software (your biggest line), bring patching inside the 14-day window, enable host firewalls, apply a hardened build, remove local administrator rights from standard users, and stand up the joiners-movers-leavers process.

September — certify Cyber Essentials. Run your own authenticated scan, fix what it finds across the whole estate, finalise the verified self-assessment, get the director declaration signed, and submit. Target the certificate by the end of the quarter.

October — prove it with Plus. Book Cyber Essentials Plus within three months of the base certificate. Scan yourself again, fix the whole estate rather than a sample, confirm every mailbox and browser is protected and every account has MFA, and pass the independent test.

October to November — stand up the ISMS. In parallel with Plus, build the management-system core from part three: the risk assessment and register, the Statement of Applicability (your Cyber Essentials work pre-fills the technological controls), the small set of enforced policies, asset classification, supplier assessments, and the first round of staff awareness training.

November — test the plans. Do a real backup restore and record it. Run the incident-response tabletop. Fix what both exercises expose. This is the month the strategy stops being theoretical.

December — review and audit. Hold the first proper management review with the metrics baseline. Run an internal audit against your own ISMS. Close the gaps it finds. You end 2026 certified to Cyber Essentials Plus, with a running management system and a clean set of corrective actions.

Q1 2027 — the road to ISO. Book the ISO 27001 Stage 1 audit (a documentation review), address its findings, then the Stage 2 audit (implementation), with certification realistically the following quarter. The heavy lifting is already done, because you built the ISMS through H2 2026 rather than in a panic the month before.

When it goes wrong anyway — because sometimes it will

A strategy that assumes nothing ever gets through is not a strategy, it is optimism. Certification lowers your odds; it does not buy immunity. So the honest plan includes the breach.

When it happens, the sequence is the one you rehearsed: contain it, invoke the incident plan, notify who you must — ICO, insurer, affected clients — restore from the backup you have tested, and afterwards run the incident through your continual-improvement process so the same gap cannot open twice. A firm that has done the work in this series recovers from most incidents in days, as a manageable event, rather than in weeks as a crisis that threatens the business. That difference — not the certificate on the wall — is the actual return on the whole programme.

What to ignore

Since a strategy is as much about what you decline as what you do:

The strategy, in one line

Floor, proof, system, rhythm. Build the five controls, prove them with an independent test, wrap them in a management system that fits your business, and run it on a cadence that survives people leaving and quarters getting busy.

That is the whole of it, across four parts: the foundations and the honest budget; the five controls and their ISO mappings; Cyber Essentials Plus and the ISMS core; and the operational disciplines and roadmap that make it run. None of it is exotic. All of it is well-documented, mostly using tools you already own. The businesses that shrug off the attacks that flatten their competitors are not the ones with the cleverest kit. They are the ones that did the dull things, in order, and rehearsed the bad day before it came.

Start in July. Be certified and rehearsed by Christmas. Walk into 2027 with the management system already running and the ISO audit a formality rather than a scramble. That is a second half of 2026 well spent.