ISO 27001 vs Cyber Essentials: Which Does Your Business Need?

If you run a UK business or manage IT for one, chances are you have heard the terms Cyber Essentials and ISO 27001 mentioned in the same breath — often when a client asks for evidence of your security posture or a contract suddenly requires certification. The two are not interchangeable. They serve different purposes, suit different organisations, and carry very different price tags. This guide breaks down what each framework involves, the key differences between them, and how to decide which one your business actually needs.

What Is Cyber Essentials?

Cyber Essentials is a UK government-backed certification scheme developed by the National Cyber Security Centre (NCSC). It was introduced in 2014 and is designed to protect businesses against the most common, low-sophistication cyber attacks — the kind that make up the vast majority of incidents affecting UK organisations.

The scheme is built around five technical controls:

  • Firewalls — ensuring network boundaries are protected
  • Secure configuration — removing unnecessary software and default passwords
  • User access control — limiting access to only what each user needs
  • Malware protection — anti-malware tools or application allow-listing
  • Patch management — keeping software and devices up to date

There are two levels: Cyber Essentials (self-assessment, verified by a certifying body) and Cyber Essentials Plus (independent technical testing on top of the self-assessment). Most organisations start with the base level and progress to Plus when a client or contract demands it.

What Is ISO 27001?

ISO 27001 is an internationally recognised standard published by the International Organization for Standardization (ISO). Where Cyber Essentials focuses narrowly on five technical controls, ISO 27001 defines how to build, implement, operate, and continually improve an Information Security Management System (ISMS) — a structured, organisation-wide framework for managing all aspects of information security.

ISO 27001 takes a risk-based approach. Rather than prescribing a fixed list of controls, it requires you to identify your information assets, assess the risks to those assets, and select proportionate controls from Annex A (which contains 93 controls across four themes in the 2022 edition). You then document your approach, implement it, audit it, and get independently certified by an accredited certification body.

The scope is much broader than Cyber Essentials — it covers people, processes, and technology, not just technical configurations. It also requires ongoing management commitment, internal audits, and management reviews, making it a living programme rather than a point-in-time assessment.

Key Differences at a Glance

Scope and Depth

Cyber Essentials covers technical controls only. ISO 27001 covers the entire information security programme, including HR security, supplier relationships, incident management, business continuity, and physical security. If Cyber Essentials is a lock on the front door, ISO 27001 is a full security system for the entire building.

Cost

Cyber Essentials self-assessment currently costs around £400–£500 for the certification fee alone. Cyber Essentials Plus adds a technical audit on top, typically bringing the total to £1,500–£5,000 depending on the size of your organisation. ISO 27001 is significantly more expensive — certification audits alone can run from £5,000 to £20,000+, and that is before factoring in the time and consultancy needed to build the ISMS in the first place. For a mid-sized business with no prior framework in place, a full ISO 27001 implementation project commonly costs £20,000–£50,000 when staff time and consultancy are included.

Time to Achieve

A Cyber Essentials self-assessment can be completed in days to a few weeks if your technical controls are already reasonably mature. ISO 27001 typically takes six to eighteen months for a first-time implementation, depending on the size and complexity of the organisation and the maturity of existing security practices.

Who Asks for It

Cyber Essentials is mandatory for UK government contracts that involve handling personal data or providing technical products and services. It is also required by NHS Digital for suppliers on various frameworks. Many larger private-sector buyers now ask for it as a minimum.

ISO 27001 tends to be requested by enterprise and multinational clients, particularly in regulated industries such as financial services, healthcare, and critical national infrastructure. It is also increasingly asked for in procurement processes where suppliers handle sensitive data at scale, or where cross-border data transfers are involved.

When Cyber Essentials Is Enough

For many UK small and medium-sized businesses, Cyber Essentials — and potentially Cyber Essentials Plus — is the right starting point and may be all that is formally required for several years. It is likely sufficient if:

  • You supply goods or services to UK central government departments
  • You work within the NHS supply chain and are required to demonstrate baseline cyber hygiene
  • Your clients are primarily UK SMEs or public sector bodies asking for a minimum security baseline
  • You want to demonstrate cyber hygiene to prospective customers without undertaking a multi-year certification project
  • Your business is small, your IT estate is straightforward, and the data you handle is relatively low-risk

Cyber Essentials Plus in particular provides a credible, independently verified signal that your core technical controls are in place and working. For many buyers, that is sufficient reassurance.

When ISO 27001 Is the Right Choice

ISO 27001 becomes necessary — or at least highly advantageous — in a number of situations:

Enterprise and Regulated Clients

If you are selling into large enterprises, financial services firms, or organisations operating under FCA, PCI DSS, or GDPR obligations, ISO 27001 certification is increasingly expected rather than optional. Procurement teams at these organisations often operate a tiered supplier assurance process, and ISO 27001 sits at the top tier.

International Business

Because ISO 27001 is an internationally recognised standard, it carries weight with clients and partners in Europe, North America, and beyond in a way that Cyber Essentials — being UK-specific — does not. If you are expanding internationally or working with overseas clients who have strict information security requirements, ISO 27001 is the more transferable credential.

Larger Organisations with Complex IT Estates

The broader, risk-based approach of ISO 27001 becomes more valuable as your organisation grows. When you have multiple sites, dozens of applications, third-party suppliers handling data on your behalf, and hundreds of staff, the five controls of Cyber Essentials simply do not provide enough structure to manage information security coherently. ISO 27001 gives you the governance framework to do so.

Handling Highly Sensitive Data

If your business processes large volumes of personal data, handles financial records, manages intellectual property of significant value, or operates in sectors like legal services, healthcare IT, or defence, the comprehensive risk management approach of ISO 27001 is better suited to your threat landscape.

Can You Have Both?

Absolutely — and many organisations do. The two frameworks are complementary rather than competing. The five Cyber Essentials controls map reasonably well onto a subset of ISO 27001 Annex A controls, so achieving Cyber Essentials first gives you a solid technical baseline that feeds directly into an ISO 27001 implementation. If you later pursue ISO 27001, you will not be starting from scratch on the technical side.

Holding both certifications is increasingly common among UK managed service providers, IT consultancies, and SaaS vendors who need to satisfy both government-facing requirements (Cyber Essentials) and enterprise client requirements (ISO 27001) simultaneously.

Which Should You Do First?

The practical answer for most UK businesses is: start with Cyber Essentials. It is faster, cheaper, and immediately satisfies the most common contractual requirement you will encounter in the UK market. Achieving it also forces you to address fundamental security hygiene — patching, access control, configuration — which will make any future ISO 27001 project easier.

Once you have Cyber Essentials in place and your business is growing, taking on larger clients, or winning contracts that specifically require ISO 27001, you can begin scoping an ISMS implementation. At that point, engage a qualified ISO 27001 consultant, define your scope carefully (you do not need to certify the entire business on day one), and treat it as a business investment rather than a compliance exercise.

If a large enterprise client is already asking for ISO 27001 and you do not have Cyber Essentials either, it is worth pursuing both in parallel — Cyber Essentials can be achieved quickly while the longer ISO 27001 project runs alongside it.

Summary

Cyber Essentials is the right starting point for the majority of UK businesses — it is affordable, quick to achieve, and satisfies government and public sector contract requirements. ISO 27001 is a more substantial commitment suited to larger organisations, those handling sensitive data at scale, and businesses working with enterprise or international clients who demand a comprehensive, independently audited information security management system. The two are not mutually exclusive: many businesses hold both, with Cyber Essentials providing the technical baseline and ISO 27001 providing the management framework built around it. If you are unsure where to start, Cyber Essentials is almost always the right first step.