
ISO 27001 vs Cyber Essentials: which one do you need?

Written by Daniel J Glover

Published 9 May 2026

10 min read

ISO 27001 vs Cyber Essentials is one of the most common questions UK businesses face when they start taking information security seriously. Both are recognised certifications. Both are frequently asked for by clients, insurers, and procurement teams. But they are not interchangeable, and choosing the wrong one - or misunderstanding what each actually requires - leads to wasted effort, failed audits, and sometimes both.

This guide explains what each standard covers, what it demands in practice, who each is designed for, and how to decide which one your business actually needs. In some cases, the answer is both - but you need to understand why, not just tick both boxes.

What is Cyber Essentials?

Cyber Essentials is a UK government-backed certification scheme owned by the National Cyber Security Centre (NCSC) and delivered through its Cyber Essentials partner, IASME, which licenses the certification bodies that carry out assessments. It was designed to protect organisations against the most common, opportunistic cyber attacks - the kind that account for the overwhelming majority of incidents: phishing, ransomware delivered via unpatched software, credential theft, and network intrusion through misconfigured or exposed services.

The scheme is built around five technical controls:

  1. Firewalls - boundary firewalls and internet gateways (and host-based firewalls on devices used off-site) configured to block unauthorised inbound connections, with default administrative passwords changed
  2. Secure configuration - devices and software set up securely, with unnecessary accounts, services, and features disabled, default credentials changed, and password-based authentication protected against brute-force guessing
  3. User access control - accounts limited to the permissions they actually need, privileged accounts kept separate from everyday accounts, and multi-factor authentication enabled on cloud services wherever the service supports it
  4. Malware protection - protection against malicious code through anti-malware software, application allow-listing, or sandboxing, as appropriate to the device
  5. Patch management - software and firmware kept supported by the vendor, with updates that fix critical or high-severity vulnerabilities applied within 14 days of release

There are two tiers. Cyber Essentials is assessed via a self-assessment questionnaire, signed off by a board member or equivalent, and reviewed by an assessor at a licensed certification body. Cyber Essentials Plus adds a technical audit - an external vulnerability scan of internet-facing services, an authenticated scan of a sample of devices, and hands-on tests (for example, of malware protection and MFA) that verify the controls claimed in the self-assessment are genuinely in place. Plus must be completed within three months of the basic certificate being issued, and both certificates are valid for 12 months, so annual recertification is part of the commitment.

For a full breakdown of what each control requires and how the assessment works in practice, the Cyber Essentials certification guide covers the process in detail.

What is ISO 27001?

ISO 27001 is an international information security management standard published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). It provides a framework for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS).

Where Cyber Essentials specifies five concrete technical controls, ISO 27001 specifies a management framework: a structured, documented system for identifying information security risks, deciding how to treat them, implementing controls, and reviewing their effectiveness on an ongoing basis. The mandatory requirements live in clauses 4 to 10 of the standard (context, leadership, planning, support, operation, performance evaluation, and improvement) and apply to every certified organisation. The current version - ISO/IEC 27001:2022 - also lists 93 reference controls in Annex A across four themes (organisational, people, physical, and technological), but you are not required to implement all of them. The standard requires you to assess which risks apply to your organisation and select controls proportionate to those risks, recording the decision for every Annex A control - included or excluded, with justification - in a Statement of Applicability that the auditor will test your implementation against.

Certification is achieved through external audit by an accredited certification body (UKAS-accredited in the UK). The audit has two stages: a readiness and documentation review (Stage 1) and an assessment, on site or remote, of whether your ISMS is operating as documented and producing evidence - risk assessments, internal audit results, management review minutes, control records (Stage 2). Once certified, you maintain the certification through annual surveillance audits and a full recertification audit every three years.

The core difference: baseline controls versus risk management

The fundamental difference between the two standards is this: Cyber Essentials tells you exactly what to implement. ISO 27001 tells you how to decide what to implement.

Cyber Essentials is prescriptive. The five controls are defined. You either have them in place or you do not. There is no discretion. This makes the standard accessible and auditable, but it also means it covers a specific, limited scope - predominantly technical controls applied to internet-connected systems.

ISO 27001 is principle-based. It requires you to build and operate a management system: identify your information assets, assess the risks to them, implement appropriate controls, document your decisions, measure effectiveness, and improve continuously. This is significantly more demanding in terms of management overhead and documentation, but it also covers a much broader scope - people, processes, physical security, supply chain, legal and contractual obligations, and business continuity, not just technical perimeter controls.

A useful analogy: Cyber Essentials is a checklist. ISO 27001 is a management discipline.

Who needs Cyber Essentials?

Cyber Essentials is appropriate for most UK businesses that handle any personal data, rely on IT to operate, or serve clients who ask about their security baseline. The Government requires Cyber Essentials certification for any supplier handling personal data in connection with central government contracts, but demand has spread well beyond the public sector.

In practice, you should pursue Cyber Essentials if:

Your clients or insurers are asking for it. This is the most common driver. Many larger organisations now include Cyber Essentials (or Cyber Essentials Plus) as a condition of their supplier approval process. Cyber insurance providers increasingly use it as a factor in underwriting. If you are being asked for it, the question is when, not whether.

You want a credible baseline security posture. If your organisation has not formally verified that the five technical controls are in place, Cyber Essentials gives you both the framework and the certification to demonstrate it. The process of completing the self-assessment is itself useful - it surfaces gaps that many organisations would not otherwise find.

You are a smaller organisation without the capacity for ISO 27001. For a business with fewer than 50 staff, no dedicated IT security team, and no regulatory requirement for a formal ISMS, Cyber Essentials delivers meaningful security improvement at proportionate cost and effort.

You are building towards ISO 27001. Cyber Essentials is not a step on the path to ISO 27001 - they are different frameworks - but implementing the five controls creates a security foundation that makes ISO 27001 work easier. The two are complementary.

Who needs ISO 27001?

ISO 27001 is appropriate for organisations where information security is a significant business risk or a material contractual or regulatory requirement. It is more demanding and more expensive than Cyber Essentials, and that investment is justified in specific circumstances.

You should pursue ISO 27001 if:

Your clients require it. Enterprise clients, financial institutions, healthcare organisations, and central government departments frequently require ISO 27001 certification as a condition of contract. If your target market includes large organisations, you will encounter this requirement.

You are subject to sector regulation that implies it. Sectors including financial services (FCA), healthcare (CQC, NHS), and legal services have regulatory expectations around information security that a mature ISMS - whether formally certified or not - is designed to meet. ISO 27001 provides a structured framework for demonstrating compliance.

You process significant volumes of sensitive data. Organisations handling large volumes of personal data, commercially sensitive information, or data subject to specific legal protections (privileged communications, health records, financial data) face material risk if security controls are inadequate. ISO 27001 provides the management discipline to identify and address those risks systematically.

You are scaling and need repeatable security processes. Cyber Essentials covers the technical baseline. As an organisation grows, the risk picture changes: more staff, more suppliers, more systems, more data. ISO 27001 provides a framework that scales with the organisation and embeds security decision-making into management processes rather than treating it as a periodic checklist exercise.

You are seeking to build enterprise client confidence. For professional services firms, SaaS businesses, and technology companies, ISO 27001 certification has become a credible differentiator in competitive tenders. It signals that your security posture is actively managed, not just configured once and forgotten.

Cost and effort: a realistic comparison

The cost difference between the two certifications is significant, and it is worth being honest about what each involves.

Cyber Essentials typically costs £300–£500 for the basic self-assessment certification, or £1,500–£5,000 for Cyber Essentials Plus depending on the size of your organisation and the complexity of your IT environment. For most SMEs, the total cost including any remediation work to close gaps identified during the process is under £5,000. The timeline from decision to certification is typically 4–12 weeks.

ISO 27001 is a different order of magnitude. External certification audits typically cost £5,000–£20,000 depending on organisational size and scope. That is before the internal project cost: building and documenting the ISMS, completing the risk assessment, implementing and evidencing controls, and preparing for the Stage 1 and Stage 2 audits. For a small to medium organisation starting from a low baseline, a realistic total cost including staff time and external support is £20,000–£60,000+ over the first year. Ongoing maintenance - annual surveillance audits, internal audits, management reviews - adds further cost each year.

The gap narrows significantly for organisations that approach ISO 27001 systematically and have realistic expectations about scope. An ISO 27001 internal audit checklist and a clear implementation plan reduce the risk of expensive rework during certification audits. However, there is no version of ISO 27001 certification that is cheap or quick. Any supplier claiming otherwise is either scoping the project too narrowly or underestimating what a certification body will look for.

Can you have both - and should you?

Yes, many UK organisations hold both certifications, and it is often the right answer. They address different questions.

Cyber Essentials answers: "Are your internet-connected systems protected against common attacks?" It is a technical baseline.

ISO 27001 answers: "Is your organisation systematically managing information security risk across people, processes, technology, and supply chain?" It is a management framework.

Holding ISO 27001 does not mean you can skip Cyber Essentials. ISO 27001's Annex A does include related technological controls - vulnerability management, network security, access control - but it does not mandate the specific configurations or timescales Cyber Essentials tests (such as the 14-day patch window or MFA on cloud services), your Statement of Applicability may scope some of them out, and an ISMS audit does not scan or test your devices the way a Cyber Essentials Plus assessment does. Clients who ask for Cyber Essentials are asking a specific question about your technical baseline - ISO 27001 certification does not automatically answer it.

The typical sequence for a growing UK business is: Cyber Essentials first (quick win, addresses the most common client request, builds the technical foundation), then ISO 27001 when the business reaches the scale or market where it is necessary.

Making the decision

If you are trying to decide which certification to pursue, the following questions help frame the decision.

Are clients or prospects specifically asking for a certification? If yes, ask what they want. Many organisations ask for "ISO 27001 or equivalent" and Cyber Essentials Plus is accepted. Others require ISO 27001 specifically. Know what you are being asked before you invest in the wrong answer.

What is your primary risk? If your concern is that your devices and perimeter are not adequately protected against common attacks, Cyber Essentials addresses that directly. If your concern is that you are handling sensitive client data without adequate governance, ISO 27001 is the appropriate framework.

What is your organisational capacity? ISO 27001 requires sustained management commitment over months or years. If your organisation cannot realistically dedicate the resource, a well-implemented Cyber Essentials Plus provides more genuine security improvement than an ISO 27001 project that stalls in implementation.

What does your market require long-term? If you are building a business that will increasingly target enterprise, regulated sector, or public sector clients, ISO 27001 is likely inevitable. Starting the process earlier reduces the scramble when a major client makes it a hard requirement.

Getting qualified support

Both certifications are achievable for UK SMEs with the right support. The practical challenge for most organisations is not the standard itself but having someone with the experience to scope the project correctly, identify the gaps between your current position and certification requirements, and manage the process efficiently.

If you are at the decision stage - working out which certification is right for your business and what it will actually involve - get in touch to discuss your situation. The IT compliance services offered from the East Riding of Yorkshire cover both Cyber Essentials and ISO 27001 engagements, from scoping through to certification support. For organisations approaching this as part of a broader security programme, security consulting can help assess your current posture and prioritise where certification effort delivers the most value.

About the author

Daniel J Glover

IT Leader with experience spanning IT management, compliance, development, automation, AI, and project management. I write about technology, leadership, and building better systems.
