Cyber Essentials or ISO 27001: which does your business actually need?

For most UK businesses the honest answer is Cyber Essentials first, and ISO 27001 only when a contract, a regulator, or a serious risk profile calls for it. Cyber Essentials proves you have five technical basics in place. ISO 27001 proves you run a whole information security management system. They are not rivals, and larger or more regulated firms often hold both.

By Daniel McClure Fisher, Founder. CISSP, Chartered member of the Institute of Information Security (MCIIS). Updated May 2026

The short version

Cyber Essentials and ISO 27001 are both ways to show you take security seriously, but they work at very different scales. Cyber Essentials is a UK government backed scheme that checks five specific technical controls. ISO 27001 is the international standard for an information security management system, which is the set of policies, risk decisions, and routines that govern how you protect information across the whole organisation.

One is a focused technical baseline you can reach in weeks. The other is a management framework you build, run, and keep proving over years. Choosing between them is really a question about what you are being asked to demonstrate, and to whom.

  • Need to win or keep a contract that names a standard? Read the clause. It usually decides this for you.
  • Want a sound, affordable security baseline most insurers and buyers recognise? Start with Cyber Essentials.
  • Handling significant volumes of sensitive data, or selling to enterprise and the public sector? ISO 27001 is likely on your horizon.

What Cyber Essentials actually proves

Cyber Essentials covers five technical control areas: firewalls, secure configuration, security update management (keeping software patched), user access control, and malware protection. Get those right and you close off the most common, opportunistic attacks that hit UK businesses every day. The base level is a self assessment, verified by a certification body. Cyber Essentials Plus adds an independent technical audit, where an assessor checks your systems hands on rather than taking your word for it.

It is deliberately narrow, and that is its strength. A small firm with no internal IT team can reach Cyber Essentials in a matter of weeks, at modest cost, and come away genuinely harder to attack. Certification fees start at around £320 plus VAT for a micro organisation (IASME, the scheme's delivery partner), with the wider first year cost higher once any remediation and a gap review are included.

What it does not do is prove you manage security as an organisation. It checks a snapshot of your technical controls. It says nothing about whether you have assessed your risks, trained your people, planned for an incident, or vetted your suppliers.

What ISO 27001 actually proves

ISO 27001 certifies that you operate an information security management system, an ISMS, against the international standard. Rather than checking a fixed list of controls, it checks that you have a working system for deciding which risks matter, choosing controls to address them, assigning ownership, and reviewing the whole thing over time. The current version is ISO 27001:2022.

That is a much larger undertaking. You document your scope and risk approach, select controls from the standard's Annex A, run the system for long enough to generate evidence, then pass an external audit in two stages. Done properly through a UKAS accredited certification body, the certificate carries real weight with enterprise buyers, the public sector, and overseas clients, because it shows security is governed, not just configured once.

The trade off is time, effort, and ongoing commitment. An ISMS is not a one off project. You keep it alive with internal audits, management reviews, and surveillance audits between full recertifications. For a small business with no compliance function, that is a serious decision, not a box to tick.

The honest comparison

Set side by side, the differences are clear. The table below covers the questions buyers ask us most often.

What it is
  Cyber Essentials: UK government backed scheme covering five technical controls
  ISO 27001: International standard for an information security management system

What it proves
  Cyber Essentials: The technical basics are in place
  ISO 27001: Security is governed and managed across the organisation

Scope
  Cyber Essentials: Narrow and technical
  ISO 27001: Broad: people, process, risk, and technology

How it is checked
  Cyber Essentials: Self assessment, or an independent audit for Plus
  ISO 27001: A two stage external audit by a certification body

Typical time to achieve
  Cyber Essentials: Weeks
  ISO 27001: Several months to over a year

Typical cost
  Cyber Essentials: From around £320 plus VAT for a micro organisation, before remediation
  ISO 27001: Substantially higher, with ongoing audit and maintenance costs

Ongoing commitment
  Cyber Essentials: Annual recertification
  ISO 27001: A live system: internal audits, reviews, surveillance, recertification

Best when
  Cyber Essentials: You want a recognised baseline, fast and affordably
  ISO 27001: A contract or regulator demands it, or your data risk is high

They overlap more than people expect

The two are not separate worlds. The five Cyber Essentials controls map neatly onto controls within ISO 27001's Annex A, so the work you do for one is rarely wasted on the other. In practice many firms certify to Cyber Essentials first, use it to tidy up the technical basics, then fold that work into a wider ISO 27001 programme later. If you sell into the defence supply chain, both standards sit inside the same picture: Def Stan 05-138 Issue 4 maps to ISO 27001:2022, the NCSC Cyber Assessment Framework, and Cyber Essentials, depending on the risk level of the contract.

How to read the clause that decides it

More often than not, the choice is made for you by a contract or a procurement questionnaire. The trick is reading it precisely, because the wording matters and suppliers get caught out here.

  • "Cyber Essentials" named directly. Many UK government contracts and supply chains require it as a minimum. If the contract says Cyber Essentials, that is the floor, and sometimes Plus is specified.
  • "ISO 27001 certified" versus "aligned to ISO 27001". These are materially different. Certified means an accredited body has audited you and issued a certificate. Aligned, or equivalent, means you work to the standard without holding the certificate. An auditor knows the difference, so answer the question that was actually asked.
  • "Or equivalent". This phrase gives you room. It is worth a short conversation with the buyer to confirm what they will accept before you commit to the larger project.

If a clause is ambiguous, do not guess. The cost of choosing the wrong standard, in time and money, is far higher than the cost of asking.

So which do you actually need?

For the majority of UK small and mid sized businesses, Cyber Essentials is the right first move. It is affordable, quick, recognised by insurers and buyers, and it genuinely reduces your risk. It is also the cleanest way to prove to a worried client that you have the basics covered.

ISO 27001 earns its place when a contract requires it, when a regulator expects that level of governance, or when the volume and sensitivity of the data you hold means a snapshot of technical controls is no longer enough. At that point the management system is doing real work, not satisfying a badge.

And for a growing number of firms, the answer is both: Cyber Essentials as the public, fast moving baseline, with ISO 27001 underneath it as the governance layer that enterprise and public sector buyers want to see. The two reinforce each other. The mistake is treating them as a single decision when they answer different questions.

FAQ

Common questions

Is ISO 27001 better than Cyber Essentials?

Neither is better, because they do different jobs. Cyber Essentials proves five technical controls are in place. ISO 27001 proves you run a whole information security management system. ISO 27001 is broader and carries more weight with enterprise and public sector buyers, but it costs far more in time and effort. For many businesses Cyber Essentials is the more sensible and proportionate choice.

Can you have Cyber Essentials and ISO 27001 at the same time?

Yes, and many firms do. The five Cyber Essentials controls map onto controls within ISO 27001, so they complement rather than duplicate each other. A common path is to certify to Cyber Essentials first, fix the technical basics, then build the wider ISO 27001 management system on top. Holding both lets you show a fast moving baseline and a governance layer underneath it.

How much does Cyber Essentials cost?

Certification fees start at around £320 plus VAT for a micro organisation, set by IASME, the scheme's delivery partner. The figure rises with the size and complexity of your organisation, and Cyber Essentials Plus costs more because it includes an independent technical audit. Your real first year cost also depends on any remediation needed to pass, which a short gap review will tell you.

How long does each certification take?

Cyber Essentials is usually achievable in weeks, especially once any gaps in the five controls are closed. ISO 27001 takes much longer, commonly several months to over a year, because you have to build the management system, run it long enough to produce evidence, and then pass a two stage external audit. Plan ISO 27001 as a programme, not a quick project.

My contract says "ISO 27001 or equivalent". What counts?

It depends on the buyer, so confirm it with them before committing. "Equivalent" sometimes means Cyber Essentials Plus, sometimes a recognised framework like the NCSC Cyber Assessment Framework, and sometimes genuine alignment to ISO 27001 without the certificate. Be careful not to claim you are certified when you are aligned, as the two are different and an auditor will know.

Does Cyber Essentials help if I want ISO 27001 later?

It does. The technical work behind Cyber Essentials feeds directly into ISO 27001, because the controls overlap with the standard's Annex A. Achieving Cyber Essentials first gives you a clean technical baseline and some early evidence, which makes the later ISO 27001 programme smoother. Very little of the effort is wasted when you move from one to the other.

Not sure which one your contract really needs?

Send us the clause, or tell us what you are trying to win. We will tell you plainly which standard fits, what it takes, and whether you need one or both. We reply within one working day, and you will speak to an engineer, not a salesperson.

Reading, Berkshire  /  Cyber Essentials certification body  /  reply within one working day