April 2026 Newsletter
Here is what has been happening at Periculo this month. From team milestones and a new assessor qualification to a website and brand refresh and team members crossing a finish line at the Corsham 10K, April has been a busy one, alongside the ongoing client work that keeps the business moving forward.
You May Have Noticed: Periculo Has a New Look
If you have visited our website recently, you will have spotted some changes. We have refreshed our brand and rebuilt the site to better reflect where Periculo is now and the services we provide.
The new site has been designed to make it easier to find what you need, whether that is information on Digital Health Security, NHS DSPT Audits, Defence Cyber Certification, our penetration testing, or the Security Assurance Programme. The content has been restructured around the sectors and frameworks we work in most closely (health, defence, AI and wider assurance), so the right information is easier to reach.
The rebrand is not cosmetic for the sake of it. It reflects the growth of the business over the past two years and a clearer sense of what Periculo is: a specialist firm, not a generalist. If you have not yet had a look, we would encourage you to do so at periculo.co.uk.
Congratulations to Ellis: Now a Qualified CE+ Assessor
We are delighted to congratulate Ellis on qualifying as a Cyber Essentials Plus (CE+) assessor. This is a meaningful step forward, both for Ellis personally and for Periculo as a business.
CE+ is the more rigorous tier of the Cyber Essentials scheme, requiring hands-on technical verification of the controls claimed at the self-assessment stage. Having an additional qualified assessor in the team increases our capacity to deliver CE+ audits and reduces turnaround times for clients working to tight deadlines.
Given the growing number of organisations within NHS and defence supply chains that require CE+ as a condition of contract, this qualification could not have come at a better time.
Well done, Ellis, a thoroughly deserved achievement.
In the Field
April has seen a broad spread of client work across the team.
Cyber Essentials and Cyber Essentials Plus assessments continued at pace, with a number of organisations in the health technology sector completing their certifications ahead of supply chain deadlines.
DSPT audits remained in high demand as the 30 June deadline drew closer, with the team processing a steady pipeline of Category 2 NHS IT supplier audits. The volume of inbound enquiries for audit slots has increased noticeably compared to the same period last year, reflecting growing awareness of the obligation to undergo the mandatory independent audit introduced under Version 8 of the toolkit.
Penetration testing continued across a range of environments. Following on from application testing completed in March for clients across the healthcare and infrastructure sectors, April saw new engagements scoped and underway, including a web application test for a digital health client in the NHS supply chain and a further engagement for a defence-adjacent technology company. The PAX Systems penetration testing programme, a multi-day engagement covering their core application infrastructure, progressed through April with testing underway. Findings across all engagements were structured around business impact rather than technical severity alone, giving clients a remediation plan they can actually act on rather than a list of vulnerabilities with no clear order of priority.
Managed service delivery ran continuously across the team's client portfolio throughout the month. Security communications were issued to multiple clients following the discovery of malicious versions of the widely used Axios npm library. Versions 1.14.1 and 0.30.4 were found to contain a supply chain compromise, and clients were notified promptly with guidance on remediation. A full user off-boarding was completed for one managed service client, and quarterly review meetings were scheduled across the portfolio. Daily log reviews, alert triage, and ongoing ISO 27001 maintenance continued without interruption across all managed accounts.
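The practical first step after a notice like the Axios one is to find out whether the affected versions are actually installed anywhere in your estate, including nested copies pulled in by other dependencies, which `npm ls` can miss when a package is vendored or hoisted oddly. The script below is an added example, not Periculo's tooling or the guidance sent to clients: it reads an npm `package-lock.json` (lockfile version 1, 2 or 3) and reports every install path whose version matches a watch list. The only versions in the watch list are the two named above; the lock file contents and the package names around them are constructed for the example.

```python
"""Scan an npm package-lock.json for known-compromised package versions.

Added example (not Periculo's code). Handles lockfileVersion 1 (nested
"dependencies" tree) and lockfileVersion 2/3 (flat "packages" map keyed by
node_modules path). The compromised versions are those named in the
newsletter; everything else here is constructed for illustration.
"""
import json
import sys

# Package -> set of versions reported as compromised (from the newsletter text).
COMPROMISED = {
    "axios": {"1.14.1", "0.30.4"},
}


def _walk_v1(deps, prefix, hits):
    # lockfileVersion 1 nests transitive dependencies under each entry.
    for name, meta in deps.items():
        path = f"{prefix}node_modules/{name}"
        if meta.get("version") in COMPROMISED.get(name, set()):
            hits.append((path, name, meta["version"]))
        if "dependencies" in meta:
            _walk_v1(meta["dependencies"], path + "/", hits)


def find_compromised(lock: dict) -> list:
    """Return sorted (install path, package, version) tuples for every hit."""
    hits = []
    packages = lock.get("packages")
    if packages:  # lockfileVersion 2/3: keys are paths like node_modules/a/node_modules/b
        for path, meta in packages.items():
            if not path:  # "" is the root project itself, not a dependency
                continue
            # Scoped packages keep their scope: ".../node_modules/@scope/pkg" -> "@scope/pkg"
            name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
            if meta.get("version") in COMPROMISED.get(name, set()):
                hits.append((path, name, meta["version"]))
    else:  # lockfileVersion 1
        _walk_v1(lock.get("dependencies", {}), "", hits)
    return sorted(hits)


# Constructed sample lock file: one top-level axios and one nested copy that
# `npm ls axios` without --all would not necessarily surface.
SAMPLE_LOCK = {
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/axios": {"version": "1.14.1"},
        "node_modules/legacy-client": {"version": "2.0.0"},
        "node_modules/legacy-client/node_modules/axios": {"version": "0.30.4"},
        "node_modules/other-lib": {"version": "1.14.1"},  # same string, different package: not a hit
    },
}


if __name__ == "__main__":
    # Usage: python scan_lock.py path/to/package-lock.json  (defaults to the sample)
    lock = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_LOCK
    for path, name, version in find_compromised(lock):
        print(f"COMPROMISED {name}@{version} at {path}")
```

Run it against every lock file in a repository, not just the root one, and remember that a lock file only describes what `npm ci` would install: build caches, container images and vendored bundles built before the notice need to be checked separately.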
AI Assurance work began in earnest this month, with Periculo's first formal AI Assurance Assessment launched for a health technology client. The assessment is being conducted against the Periculo AI Assurance Framework, which maps against the EU AI Act Annex III, ISO 42001, NIST AI RMF, and NHS DTAC requirements. Phase one of the assessment has been completed, with the scope expanded to cover five repositories. This is a significant milestone for Periculo — the first delivered engagement in what is becoming a dedicated service line.
Defence Cyber Certification (DCC) enquiries and assessments continued to progress, supported by the team's accreditation at Levels 0 and 1 and a growing pipeline ahead of the planned extension to Levels 2 and 3 later this year.
Team Spotlight: The Corsham 10k

Several members of the Periculo team took part in the Corsham 10k this month — a testament to the culture we are actively building here: one that values physical and mental fitness alongside professional development.
The Corsham 10k is a popular local race in Wiltshire, and we are proud of everyone who took part and crossed the finish line. Whether you were chasing a personal best or simply completing the distance, it is no small feat — and it reflects the kind of commitment the team brings to everything they do.
Next up, members of the team are taking on the Red On Backyard Ultra, a genuinely formidable endurance event held at Cheltenham Racecourse on 15–18 May 2026. The format is as straightforward as it is brutal: run a 6.7 km loop every hour, on the hour, for as long as you can. There is no set finish line. The race ends when only one runner remains standing. Competitors face not only physical exhaustion but sleep deprivation and whatever the British weather chooses to throw at them across a potentially multi-day event.
It is, in short, exactly the sort of challenge the Periculo team enjoys. We will report back in the May newsletter. Wish them luck.
DSPT Deadline
DSPT Deadline: 30 June 2026 — the Clock Is Running
The NHS Data Security and Protection Toolkit Version 8 submission deadline falls on 30 June 2026. For Category 2 IT suppliers — organisations providing software, systems, or services that connect to or process NHS data — an independent external audit is now a mandatory requirement, not a recommendation.
Two months sounds like a reasonable amount of time. It is not.
The audit process itself requires time to scope correctly, gather and populate evidence, address any gaps identified, and produce the formal report. Organisations that leave this until June will find the window is considerably shorter than the calendar suggests. Audit slots are filling. If your organisation has not yet instructed an accredited auditor, the time to act is now.
Periculo is one of the UK's most active DSPT auditing partners. Get in touch to discuss your requirements and confirm availability before the deadline becomes a problem.
AI Assurance Workshop
AI Assurance Workshop — Limited Spaces This Quarter
If your organisation deploys AI in a clinical or NHS-connected context, there is a question you need to be able to answer: can you prove your AI is safe, secure, and compliant?
Harrison Mussell, CEO and founder of Periculo, is offering a focused, no-charge AI Assurance Workshop for a limited number of organisations this quarter. The session takes place at your office, on your timeline, and is structured around mapping your AI estate against the EU AI Act, ISO 42001, and the standards your customers, regulators, and board now expect.
To keep the workshops genuinely useful, every application is pre-screened on a short fifteen-minute scoping call. That means Harrison walks in already knowing what your AI environment looks like and what you want to get out of the day — rather than spending the first hour finding his feet.
Spaces are strictly limited each quarter. If this is relevant to your organisation, the time to apply is now rather than later in the year when the August EU AI Act deadline is closer, and capacity is tighter.
Security Tip of the Month
Do Not Wait for a Renewal Notice to Review Your Access Controls
Most organisations review user access once a year, typically at audit time or when someone leaves. That interval is too long. Access privileges accumulate quietly — contractors who finished months ago, former employees whose accounts were suspended but not removed, internal staff who changed roles but retained permissions from the previous one.
A simple quarterly review of who has access to what — and whether they still need it — costs very little time and closes one of the most consistently exploited categories of risk. Insider threat and credential misuse both rely on access that should not exist. Remove it before someone else finds it first.
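The review described above is mechanical once you have an account export and a baseline of what each job role should hold, which is exactly why it should not wait for audit time. The script below is an added example, not a Periculo tool: it takes a list of accounts (the fields, names, roles, group names and the 90-day and 30-day thresholds are all assumptions for the example; in practice the export would come from your directory or identity provider and the role baseline from HR) and flags the four cases the tip lists: leavers whose accounts are disabled but still present, accounts with no recent logon, contractors past their end date, and role changers who kept groups from their old role.

```python
"""Quarterly access review over an account export.

Added example, not Periculo's tooling. Account records, role baseline and
thresholds are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Hypothetical least-privilege baseline: the groups each role is expected to hold.
ROLE_GROUPS = {
    "developer": {"vpn", "git-write"},
    "finance": {"vpn", "erp-finance"},
    "contractor": {"vpn"},
}


@dataclass
class Account:
    user: str
    role: str
    groups: set
    enabled: bool
    last_logon: Optional[date]
    contract_end: Optional[date] = None  # set for contractors / fixed-term staff
    disabled_on: Optional[date] = None   # set when the account was suspended


def review_access(accounts, today, stale_days=90, disabled_grace_days=30):
    """Return sorted (user, finding) pairs for every account needing action."""
    findings = []
    for a in accounts:
        if not a.enabled:
            # Suspended is not removed: a disabled account can be re-enabled with all its groups.
            if a.disabled_on and (today - a.disabled_on).days > disabled_grace_days:
                findings.append((a.user, "disabled-not-removed"))
            continue  # the remaining checks concern live access
        if a.contract_end and a.contract_end < today:
            findings.append((a.user, "contract-ended"))
        if a.last_logon is None or (today - a.last_logon).days > stale_days:
            findings.append((a.user, "stale-no-logon"))
        # Groups beyond the role baseline are the usual residue of a role change.
        excess = a.groups - ROLE_GROUPS.get(a.role, set())
        if excess:
            findings.append((a.user, "excess-groups:" + ",".join(sorted(excess))))
    return sorted(findings)


# Constructed sample export as at 30 April 2026 (fictional users).
TODAY = date(2026, 4, 30)
SAMPLE_ACCOUNTS = [
    Account("alice", "developer", {"vpn", "git-write"}, True, date(2026, 4, 28)),
    Account("bob", "finance", {"vpn", "erp-finance", "git-write"}, True, date(2026, 4, 20)),  # moved from dev
    Account("carol", "contractor", {"vpn"}, True, date(2026, 1, 5), contract_end=date(2026, 1, 31)),
    Account("dave", "developer", {"vpn", "git-write"}, False, date(2025, 12, 10), disabled_on=date(2025, 12, 15)),
    Account("erin", "developer", {"vpn"}, True, None),  # created, never used
]


if __name__ == "__main__":
    for user, finding in review_access(SAMPLE_ACCOUNTS, TODAY):
        print(f"{user:8} {finding}")
```

The output is a worklist, not a verdict: each line still needs an owner to confirm removal, because a legitimately dormant service account and a forgotten contractor look identical in the export. Keeping that sign-off alongside the list is also the evidence an assessor will ask for.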
Jargon Buster
EU AI Act Annex III
The EU AI Act is the world's first comprehensive legal framework for artificial intelligence. Annex III is the section that matters most for health technology organisations right now: it lists the categories of AI system classified as high risk, and on the health side that includes AI used to evaluate and classify emergency calls, to prioritise emergency dispatch, and to triage emergency healthcare patients. AI that is itself a medical device, including software as a medical device, clinical decision support and patient monitoring tools regulated under the MDR or IVDR, is classified high risk by a different route, Annex I, which ties the AI Act to the existing medical device legislation.
From 2 August 2026, organisations deploying AI in the Annex III categories must demonstrate documented risk management, human oversight mechanisms, data governance controls, and technical robustness before their system can legally operate; for Annex I devices the same obligations apply from 2 August 2027. Non-compliance carries penalties of up to €15 million or 3% of global annual turnover, but for most NHS suppliers the more immediate consequence is losing procurement eligibility. If your product uses AI in a clinical context and you have not yet mapped which route applies to you and what that requires, that work needs to start now.