Case Study

Securing Access for a Scaling Architecture Practice

Published: Aug 6, 2025

About the Business

This fast-growing, design-led architecture practice has built a reputation for thoughtful spaces and creative vision. With a 35-person team and a string of new projects in the pipeline, they’ve been scaling quickly, adding new hires, expanding capabilities, and rethinking internal operations.

But while their portfolio was growing, many of their internal systems hadn’t kept up. Access was being granted informally, old accounts lingered in the background, and user permissions lacked structure. With Cyber Essentials certification on the horizon, they knew it was time to tighten things up.

Industry: Architecture
Organisation Size: 35 Users
Service Areas: Identity and Access Management, Cyber Essentials Preparation, Account Governance

Challenge

As the studio scaled, so did its complexity, but access to systems hadn’t caught up.

Most team members were still using local logins on their devices, and ex-employees’ accounts were often left active for months. There was no central directory, no access logs, and no real oversight: managers could grant access ad hoc, without standardisation or accountability.

This informal setup might have worked in the early days, but as the team grew and compliance requirements increased, especially with Cyber Essentials certification in sight, it became clear that the current approach wouldn’t hold. The business needed to rethink identity and access management from the ground up.

Solution

This wasn't just "needs-must" for certification: it was a chance to build something cleaner, tighter, and more future-proof.

Here’s what we put in place:

  • Comprehensive audit of users and devices: We started by mapping out the full landscape: which accounts existed, which were active, and where devices were in use. Aged and unauthorised accounts were identified and disabled for a two-month observation period.
  • Transition to centralised logins: All team members were moved away from local accounts and into centrally managed identities, bringing consistency and control. We integrated with directory services so access could now be tracked, governed, and revoked with confidence.
  • Role-based access control: We introduced security groups based on job function, meaning access was granted only where needed—no more guesswork or overprovisioning.
  • Process-aligned governance: These changes were embedded directly into the onboarding and offboarding flow, so that account hygiene would be maintained automatically as the business evolved.

This was about clarity, consistency, and control, laying the groundwork for a more secure and manageable environment, ready for what’s next.

Outcome

With structured access now in place, the business has moved from informal habits to intentional, secure account governance.

All users now authenticate via a central directory, and role-based security groups ensure permissions are consistent and accountable. Offboarding is no longer a loose process; accounts are disabled as soon as someone leaves, and automatically purged after inactivity.

New starters are onboarded with the right level of access from day one.

Crucially, this new foundation has put the business in a strong position for Cyber Essentials certification, and has given the leadership team full visibility and confidence in how systems are secured.

Services Taken:
Identity and Access Management, Cyber Essentials
