-78% material cyber-risk reduction
14 months integrated programme duration
100% ISO 27001 first-audit pass rate
0 regulatory findings against NIS2 readiness

The Problem

The operator runs generation, distribution, and retail across three subsidiaries — classifying it as an "essential entity" under the NIS2 directive with the associated obligations on cyber-risk management, supply-chain due diligence, and incident reporting. A parallel customer demand had emerged: a major industrial offtaker required its energy suppliers to carry ISO 27001 certification as a contract condition within the year.

Cybersecurity had historically been treated by the operator as an IT sub-function reporting to the Head of IT. There was no CISO, no dedicated budget line, no board-level reporting, and no structured view of cyber risk across the three subsidiaries. The SOC was operated by two engineers on rotation. When the NIS2 obligations became clear and the ISO 27001 demand landed, the board realised the current posture would not meet either requirement.

The operator considered two paths: build an internal capability (estimated 24-30 months to reach certification-ready posture and requiring significant senior hiring) or engage external expertise to accelerate. The timeline pressure made the second option the only realistic one.

Why Virtual Era

The operator selected Virtual Era against two competing bids on three criteria. First, the combined NIS2-plus-ISO 27001 scope: most bidders proposed running them as separate programmes, whereas we proposed an integrated approach that reused control evidence across both frameworks. Second, the delivery team: senior consultants with energy-sector experience rather than generalist cyber consultants. Third, the post-certification operating model: we proposed to operate the SOC under AMS after go-live, providing the continuity of evidence that ISO 27001 requires for the annual surveillance audits and the three-yearly recertification audit.

The Approach

Months 1-3: Integrated gap assessment against both the NIS2 cyber-risk management measures and the ISO 27001 Annex A controls. Mapped to the operator's existing control evidence (significantly less than the organisation had assumed), with a prioritised remediation roadmap and a combined control library that satisfied both frameworks with one evidence set.

Months 4-9: Remediation execution. This was the majority of the programme — control implementation, documentation, supply-chain assessment of [VERIFY: 47] critical third parties, incident-reporting workflow design and testing, SOC operational maturity uplift, OT network segmentation across six substations, and policy suite development with board-level sign-off on each major policy.

Months 10-12: Internal audit, mock external audit, remediation of findings, and management review. A completed internal audit (ISO 27001 clause 9.2) and a documented management review (clause 9.3) are both prerequisites the certification body checks before and during the certification audit; skipping either is a major nonconformity and a common reason for first-audit failure.

Months 13-14: External certification audit (passed on first submission) and NIS2 supervisor engagement (no material findings). Both delivered within contractual deadlines.

The Outcome

ISO 27001 certified on first audit. NIS2 readiness delivered on contracted date with zero material findings in the initial supervisory engagement. Material cyber-risk exposure reduced by 78% on the audited quantitative framework — with the majority of the reduction coming from identity (privileged access management, MFA, zero-trust network access) rather than perimeter controls, which is consistent with the threat model for the sector.

The ISO 27001 certification secured the major customer contract that had triggered the programme, and positioned the operator to bid for several additional contracts requiring certified suppliers. The NIS2 posture, verified by the sector supervisor, has been referenced by other regional operators as a template for their own readiness programmes.

Post-certification, Virtual Era operates the SOC and the control-evidence framework under AMS. The board now receives a quarterly cyber-risk dashboard that connects threat activity, control effectiveness, and regulatory posture — a conversation that did not exist at the organisation before the programme.

Final Review

Assumptions

Client anonymised; risk-reduction figures audited through the programme's quantitative cyber-risk framework

Missing inputs

Public reference case under negotiation with the client

Key risks

Recertification audit is 3-yearly, with annual surveillance audits in between; Virtual Era is contracted to maintain the evidence base so that each audit can be passed on the existing evidence set.

Next step

Ongoing SOC operations under AMS. Q2 2026: extending SOC coverage to OT on additional substations.

Related reading

Solution: Cybersecurity & Compliance
Capability: Cybersecurity & Risk Management
Industry: Energy & Utilities