Manageengine Health Checks

Others deliver and disappear. We stay - to govern, harden, monitor, and evolve - turning frameworks into action, not just checklists.

25/6/26

ManageEngine Health Checks, Aligned to DSPT CAF

Most ManageEngine estates were installed to solve a problem and then left to run. Versions drift behind security build floors, integrations quietly break, logging gaps open up, and the tool that should be generating your compliance evidence becomes a finding in its own right.

McCormickCo Security is now offering a free health check on any ManageEngine product in your estate. No cost, no obligation, and a deliverable you can put in front of your board.

Who this is for

The offer is open to any organisation running ManageEngine, with the framework mapping tailored to your DSPT category:

Category 1. NHS trusts and foundation trusts, ICBs, CSUs and arm's length bodies completing the CAF-aligned DSPT. Findings map to the contributing outcomes your submission and audit depend on.
Categories 2 to 4. The wider health and care system working to the standard DSPT assertion sets: GP practices and other primary care contractors, including dental practices, community pharmacies and optometrists; adult social care providers such as care homes and domiciliary care; local authorities with social care responsibilities; hospices and independent providers delivering NHS-funded care; and NHS IT suppliers and other commercial third parties that process health and care data. Findings map to the mandatory assertions for your category.
Wider regulated sector. Other regulated organisations outside health. Findings map to Cyber Essentials Plus, where the ManageEngine portfolio spans all five control areas: firewalls, secure configuration, security update management, user access control and malware protection.

We hold the DSPT-to-CAF mapping work for the ManageEngine suite as published methodology, so the report speaks the language your assessors and auditors use, whichever framework version applies to you.

When to book one

The triggers we see most often:

Windows 10 end of life work landing on Endpoint Central, and nobody is sure the deployment is ready to carry it.
A monitoring or ITSM tool renewal arriving with a steep price increase, or a licensing model change that moves you from perpetual to subscription. When the cost of staying put jumps, consolidation is suddenly on the table, and a baseline of what you already run is the first step.
Paying for capability you are not using. Editions, modules and add-ons that were licensed but never switched on, and seats or device counts that no longer match the estate. Our health check surfaces what your licences entitle you to against what is actually configured, so you can either put it to work or stop paying for it. On most estates this is where the fastest cost optimisation sits.
A joiners, movers and leavers process that internal audit flagged, with identity tooling that should be closing the gap.
A DSPT submission or independent audit fieldwork on the horizon, and the tooling evidence has never been tested.
An incident review that ended with the question: why did nothing alert?

What we check

As the UK's first ManageEngine Gold Partner, we have built and published formal health check methodologies for the full suite. These are not questionnaires. Each product has a themed checkpoint procedure with an expected state, an evidence requirement, and a where-to-look navigation path for every check, run against your live console under read-only access.

Endpoint Central

Agent health and coverage. Deployment scope reconciled against your actual asset base, unreachable and stale agents, agent version drift.
Patch management. Deployment policies, approval and decline hygiene, automated patch deployment configuration, reboot handling, failure rates and stuck deployments. This is the evidence base for your patching assertions, so we test it as an auditor would.
Vulnerability and threat management. Scan coverage, severity handling, and misconfiguration posture where Security Edition is licensed.
Software management. Inventory completeness, prohibited software detection, and the approval workflow behind exceptions.
Platform security. Console build against ManageEngine's published security build floors, console access control, certificate state.
Database and maintenance. Database health, retention, and backup configuration for the product itself.

ServiceDesk Plus

ITSM governance. Request and incident workflows, SLA configuration against actual SLA performance, escalation chains.
Change management. Change workflows, approval gates, and whether your change records would stand up to audit questioning.
Asset discovery and CMDB. Discovery coverage against the real estate, CMDB completeness and relationships, and the shared discovery agent where Endpoint Central is also deployed.
Technician governance. Roles and least privilege, dormant technician accounts, authentication posture.
Platform security. Build floors against published CVEs, SSL state, console hardening.
Database, backup and reporting. Product database health and backup, and whether the reports your service owners rely on reflect reality.

The integration between them

Where both products are deployed we check the bi-directional integration explicitly: patch deployment and remote actions launched from the ticket, automatic ticket creation from endpoint events, and the Conversations audit trail that turns endpoint actions into evidence. Configured properly, this is controlled, approved, logged patch management. Configured badly, it is two consoles and an evidence story with gaps.

One cloud instance, multiple organisations

ServiceDesk Plus and Endpoint Central also support multi-environment deployment from a single cloud instance: one platform serving multiple organisations, each with segregated data, scoped technicians and its own reporting. For ICBs, ICSs, shared services and group models, that means one service management and endpoint estate across member organisations instead of every organisation running and paying for its own stack.

Shared infrastructure raises its own assurance questions, and our health check covers them: tenant and data segregation between member organisations, technician scoping so access does not bleed across boundaries, and per-organisation evidence trails, because each member organisation still files its own DSPT submission and needs evidence it can call its own.

The rest of the suite

OpManager. 35 checkpoints covering discovery coverage, alerting integrity, NCM device configuration backups, escalation chains, and platform security.
Applications Manager. 31 checkpoints across monitor coverage, threshold integrity, reporting, and platform hardening. Where backup assurance is in scope, we also verify monitor coverage of Veeam Backup Enterprise Manager, a capability ManageEngine added in 2026 that puts backup job health alongside the rest of your infrastructure telemetry.
ADAudit Plus. 26 checkpoints focused on end-to-end audit pipeline integrity, the area that most often fails silently, plus build floors against known CVEs and database health.
AD360. 21 suite-level checkpoints covering component integration health, version alignment, suite SSL, technician governance, and high availability.
PAM360. 41 checkpoints across nine themes, from vault hygiene and access governance to session recording and break-glass procedures.
Log360. SIEM coverage, log source completeness, and correlation rule health.

Every checkpoint traces to ManageEngine's own published documentation, live-verified, so every finding we raise can be defended back to the vendor's guidance. This is not a sales survey. It is the same fieldwork standard we apply on paid engagements.

Consolidate or extend: the health check works either way

Organisations run ManageEngine in two ways. Some consolidate, replacing fragmented toolsets with one integrated suite to cut vendor sprawl, overlapping licences and the cost of making disconnected products talk to each other. Others extend, running ManageEngine alongside incumbent platforms to close specific gaps without disrupting what already works.

Both routes start from the same question: is what you have deployed actually configured to deliver? The free health check answers that before you spend another pound on licences. If the answer points to consolidation, our partnership with Climb Channel Solutions means licensing, quotes and renewals move quickly. If it points to configuration work on what you already own, the report tells you exactly where.

One finding worth calling out because we raise it so often: the missing or stale CMDB. Asset management underpins almost every CAF outcome, and most estates we review cannot evidence it. The ManageEngine ITOM-ITSM integration can populate and maintain the CMDB automatically from live discovery, turning the most common gap we find into one of the fastest fixes.

Why DSPT CAF alignment matters

The Data Security and Protection Toolkit is now CAF-aligned, and audit scrutiny on NHS organisations has stepped up accordingly. Your ManageEngine estate sits directly under several of the outcomes auditors test hardest: patch and vulnerability management, security monitoring, identity and access control, and asset management.

Every finding in our health check report is mapped to the relevant DSPT CAF contributing outcomes, alongside Cyber Essentials Plus controls where applicable. If you are preparing a DSPT submission or facing audit fieldwork, the report doubles as an evidence gap analysis for the assertions your tooling is supposed to support.

We do this work ourselves, inside the NHS, every week. Our consultants hold cyber security lead roles at NHS organisations and have taken DSPT submissions through independent audit. We know what auditors ask for because we sit on the receiving end of the same questions.

How it works

Scoping call. 30 minutes to confirm which products are in scope and agree access.
Fieldwork. Read-only access only; we never make changes to your environment.
Report. A prioritised findings summary using our P1 to P4 scale, each finding with a recommendation and its DSPT CAF mapping.

If the report identifies remediation work, you choose what to do with it. Fix it internally, ask us to quote, or do nothing. The health check and report are free either way.

Book your health check

Contact | McCormickCo Security — Our team can provide further detail on the technical architecture, assurance mapping, and NHS-aligned delivery approach, and support organisations in assessing how this integration can be safely and effectively implemented within their environment.

‍

Downloads

Similar Insights

View all

MCSTI - Threat Intelligence Built for the NHS

MCSTI is McCormickCo Security's threat intelligence platform: authoritative threat sources correlated with NHS CareCert, exploitation data and attacker behaviour, to tell an NHS security team not just what's dangerous, but what matters to them. Included as standard for DSPT View customers.

Standards Exceeded: our own DSPT, four years running

McCormickCo Security has published a Standards Exceeded assessment under the NHS Data Security and Protection Toolkit every year since 2022, the highest tier of the National Data Guardian's ten data security standards. The security partner that holds its own house to the standard it sets for clients.

CAA DNS record: lock down who can issue certificates for your domain

CAA DNS Record Certificate Control

No items found.

Reinforce partnership model and support longevity

Book a Consultation