Cyber Essentials or ISO 27001: which should you choose?
If you are weighing up Cyber Essentials against ISO 27001, you are not alone. UK businesses are routinely told they need one, the other, or both, and the labels alone do not make the right answer obvious. They are very different schemes, designed for different audiences, but they are often introduced in the same conversation about cyber security and supplier assurance.

Here is the short version. Cyber Essentials is a UK Government-backed baseline scheme that confirms you have five core technical controls in place. It is fast, inexpensive and well recognised across the UK public sector and SMB supply chains. ISO 27001 is an international standard for an information security management system (ISMS). It is broader, deeper, takes longer to achieve and carries weight with enterprise and overseas buyers. Most UK businesses that need both do Cyber Essentials first and ISO 27001 second, because each opens a different door.
This page lays out the differences in detail, helps you decide which fits your situation today and explains how ISMS.online supports both pathways from a single platform.
What are Cyber Essentials and ISO 27001 in practice?
Cyber Essentials is a UK Government-backed certification scheme operated by IASME on behalf of the National Cyber Security Centre (NCSC). It focuses on five technical controls: firewalls, secure configuration, user access control, malware protection and security update management. You self-assess against a questionnaire; for Cyber Essentials Plus, an independent technical audit then verifies a sample of your answers against the live environment. The aim is to defend against the most common, opportunistic internet-borne attacks.
ISO 27001 is the international standard for information security management. It is not a checklist of technical controls; it is a framework for running information security as a business discipline. You define the scope of your ISMS, identify and treat information security risks, set objectives, train people, run internal audits and continually improve. ISO 27001:2022 lists 93 Annex A controls across organisational, people, physical and technological themes; you must consider every one of them and record in your Statement of Applicability which apply to your risks and why any are excluded. Certification is granted by an independent accredited certification body (UKAS-accredited in the UK) after a two-stage audit.
That difference, a focused technical baseline versus a full management system, is the root of every other difference between the two schemes.
How do Cyber Essentials and ISO 27001 compare side by side?
The table below summarises the differences UK buyers ask about most often. Use it to triangulate the right scheme for your stage, market and customer mix.
| Dimension | Cyber Essentials | ISO 27001 |
|---|---|---|
| Scope | Five technical controls covering internet-facing systems and end-user devices | Full information security management system plus 93 Annex A controls applied on a risk basis |
| Cost | From £330+VAT (self-assessment) up to around £3,000+VAT for Cyber Essentials Plus, depending on organisation size | Typically £3,000 to £15,000+ in certification body fees over a three-year cycle, plus internal implementation effort and any consultancy |
| Time to certify | 2 to 4 weeks once controls are in place | 6 to 18 months, depending on starting maturity, scope and resource |
| Recognition | UK-only; widely recognised in UK public sector and SMB supply chains | International; recognised globally by enterprise procurement, regulators and partners |
| Depth | Baseline cyber hygiene against common internet-borne threats | Risk-based management system covering people, process and technology across the full information lifecycle |
| Renewal | Annual recertification (same fee each year) | Three-year certification cycle with annual surveillance audits and a full recertification audit in year three |
| Who it suits | UK SMBs, startups, MoD/central government suppliers, organisations bidding for UK public sector work | Enterprises, scale–ups, B2B SaaS, regulated industries and any business serving international or enterprise customers |
How much do Cyber Essentials and ISO 27001 cost and how long do they take?
Cost and time are usually the two factors that decide the running order. Cyber Essentials self-assessment starts at £330+VAT for a micro organisation and rises in tiered bands by headcount, topping out at £500+VAT for larger organisations. Cyber Essentials Plus adds an external technical audit and typically lands between £1,500 and £3,000+VAT depending on the size and complexity of your environment. There is more detail on the Cyber Essentials cost breakdown and on what is actually assessed in the Cyber Essentials requirements. Most organisations complete certification in two to four weeks, assuming the underlying controls are already configured; remediating gaps first adds to that timeline.
ISO 27001 is a different scale of investment. Certification body fees alone tend to run £3,000 to £15,000+ over the three-year cycle, scaling with headcount, sites and ISMS scope. The bigger cost is internal: implementing the management system, writing policies, running a risk assessment, training people, running internal audits and preparing evidence. Realistic timelines are six to nine months for organisations with mature controls and a focused scope, and twelve to eighteen months for those starting from scratch.
The trade–off is what each certification unlocks. Cyber Essentials clears a procurement hurdle quickly. ISO 27001 takes longer but answers a much bigger question for the buyer: do you run information security as a managed, continually improving discipline?
Which certification do your customers actually ask for?
The honest answer to “which is better” is “whichever your customers and regulators recognise”. In practice, that splits cleanly along three lines.
UK public sector buyers overwhelmingly ask for Cyber Essentials. It is mandated for central government contracts that involve handling personal information or providing certain ICT products and services, and it appears as a default question on most public sector procurement frameworks. Cyber Essentials Plus is required where the supplier has access to more sensitive systems or data, including much Ministry of Defence work, depending on the contract's risk profile.
UK SMB supply chains increasingly ask for Cyber Essentials, partly because their own larger customers cascade the requirement down. If your buyers are UK-based and mid-market, Cyber Essentials is often enough on its own, especially early on.
Enterprise and international buyers ask for ISO 27001. It is the lingua franca of B2B security questionnaires across Europe, North America and Asia. If you sell to FTSE 100 companies, global SaaS platforms, financial services firms or regulated industries, you will be asked for ISO 27001 sooner rather than later, and a clean ISMS will short-circuit weeks of security review.
If you are still unsure whether the spend pays back, the "Is Cyber Essentials worth it?" guide walks through the typical pipeline and insurance benefits.
Should you do both Cyber Essentials and ISO 27001?
For most UK businesses serving a mixed customer base, the answer is yes, and the order matters. Doing Cyber Essentials first and ISO 27001 second is the most common sequence, for three reasons.
Cyber Essentials is a low-risk forcing function. Achieving certification within a few weeks forces you to inventory devices, lock down firewalls, document patching cadence and tighten user access. Every one of those activities also produces evidence you will need for ISO 27001 Annex A controls. You get a recognised certificate, a quick procurement win and a head start on ISO 27001 in one move.
It de-risks ISO 27001 implementation. Many ISO 27001 audit findings sit in technical control areas: configuration, access, patching, malware defence. Closing those gaps to Cyber Essentials standard before you start ISO 27001 means your ISMS audit focuses on management system maturity, which is usually a more comfortable conversation.
It lets you grow into ISO 27001. A small team can hold Cyber Essentials with modest effort while building the ISMS in the background. When customer demand or board pressure tips you toward ISO 27001, you start from a known-good technical baseline rather than from zero.
There is also significant overlap to take advantage of. Cyber Essentials maps directly onto a subset of ISO 27001:2022 Annex A controls, particularly in the Technological theme: firewalls to A.8.20 (networks security), secure configuration to A.8.9 (configuration management), user access control to A.5.15, A.5.18 and A.8.5 (access control, access rights and secure authentication), malware protection to A.8.7 and security update management to A.8.8 (management of technical vulnerabilities). The evidence you generate for Cyber Essentials (firewall rules, patching reports, MFA configuration, antivirus reporting) feeds straight into your ISO 27001 Statement of Applicability and risk treatment records, provided it is dated, attributable to a named device or account, and retained rather than regenerated on demand.
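As an added illustration of what "patching reports" that serve both schemes can look like, here is a small check over a device patch report. It is example code written for this page, not ISMS.online's or IASME's, and it assumes the Cyber Essentials rule that updates fixing critical or high vulnerabilities (CVSS v3 base score of 7.0 or above, or vendor-rated critical/high) must be installed within 14 days of release; the record format and the sample devices are constructed for the example.

```python
"""Patch-cadence check against the Cyber Essentials 14-day window.

Added example, not ISMS.online code. The 14-day / CVSS >= 7.0 rule is the
Cyber Essentials security update management requirement; the PatchRecord
layout and the sample data are invented for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable, Optional

CE_PATCH_WINDOW = timedelta(days=14)   # Cyber Essentials: apply within 14 days
CE_SEVERITY_THRESHOLD = 7.0            # CVSS v3 base score treated as high/critical


@dataclass(frozen=True)
class PatchRecord:
    device: str
    update: str
    cvss: float
    released: date
    installed: Optional[date]          # None means not yet installed


def in_scope(rec: PatchRecord) -> bool:
    """Only high/critical updates are subject to the 14-day rule."""
    return rec.cvss >= CE_SEVERITY_THRESHOLD


def deadline(rec: PatchRecord) -> date:
    return rec.released + CE_PATCH_WINDOW


def breaches_window(rec: PatchRecord, as_of: date) -> bool:
    """True if an in-scope update was, or still is, late on the as_of date."""
    if not in_scope(rec):
        return False
    if rec.installed is None:
        # Not installed: it is a breach only once the deadline has passed.
        return as_of > deadline(rec)
    return rec.installed > deadline(rec)


def evaluate(records: Iterable[PatchRecord], as_of: date) -> dict:
    """Summarise the report as evidence for CE and for ISO 27001 A.8.8."""
    recs = list(records)
    scoped = [r for r in recs if in_scope(r)]
    late = [r for r in scoped if breaches_window(r, as_of)]
    return {
        "as_of": as_of.isoformat(),
        "in_scope": len(scoped),
        "breaches": sorted({r.device for r in late}),
        "compliant": not late,
    }


# Constructed sample report (not real devices or updates).
AS_OF = date(2024, 3, 12)
SAMPLE_RECORDS = [
    PatchRecord("laptop-01", "KB-A", 8.8, date(2024, 3, 1), date(2024, 3, 10)),  # 9 days: ok
    PatchRecord("laptop-02", "KB-A", 8.8, date(2024, 3, 1), date(2024, 3, 20)),  # 19 days: late
    PatchRecord("laptop-03", "KB-A", 8.8, date(2024, 3, 1), None),               # deadline 15 Mar: not yet late
    PatchRecord("server-01", "KB-B", 5.3, date(2024, 2, 1), None),               # medium: out of scope
    PatchRecord("laptop-04", "KB-C", 9.8, date(2024, 2, 20), None),              # deadline 5 Mar: late
]

if __name__ == "__main__":
    print(evaluate(SAMPLE_RECORDS, AS_OF))
```

The same output answers the Cyber Essentials self-assessment question on update timeliness and, dated and stored, stands as a record of vulnerability management activity for ISO 27001 control A.8.8. Note the treatment of uninstalled updates: a missing patch is only a breach once its deadline has passed, which is the distinction an assessor will probe.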
When is Cyber Essentials enough on its own?
Cyber Essentials is enough on its own when three things are true: your customers are UK-based, your buyers are not asking for ISO 27001 or SOC 2, and your information assets and risk exposure are modest. Typical examples include UK-only consultancies, small managed service providers serving UK SMBs, professional services firms (legal, accounting, design) bidding mainly for UK public sector or mid-market work, and early-stage startups before their first enterprise deal.
You should plan beyond Cyber Essentials as soon as one of the following becomes true: you take on enterprise customers, you expand internationally, you process volumes of personal or financial data, you enter a regulated sector, or your security questionnaires start asking for an ISMS, ISO 27001 or SOC 2.
Why Choose ISMS.online for Cyber Essentials and ISO 27001?
ISMS.online is built to support both schemes from a single platform, so the work you do for Cyber Essentials feeds directly into ISO 27001 rather than sitting in a separate spreadsheet.
- Both frameworks in one place — Pre-built content, controls and evidence templates for Cyber Essentials and ISO 27001:2022, mapped to each other so you assess once and use the evidence twice.
- Adopt, Adapt, Add methodology — Start with our pre-configured ISMS, adapt it to your business and add only what is unique to you, instead of building from a blank page.
- Cyber Essentials submission ready — Capture the five control areas, store device inventories, MFA evidence and patching records, and export everything you need for IASME assessment.
- ISO 27001 audit ready — Risk assessment, Statement of Applicability, policy library, internal audit and management review modules built around the standard, with control mapping that highlights overlap with Cyber Essentials.
- Trusted by UK businesses — ISMS.online is used by organisations across the UK and internationally to manage Cyber Essentials, ISO 27001 and other frameworks side by side.
- Always-on guidance — Built-in virtual coach, support team and how-to content guide you at each step, so you do not need a separate consultancy engagement to get certified.
- Scales with you — Add further frameworks (SOC 2, ISO 27701, ISO 42001, NIS 2) as your customer demands grow, without migrating to a new tool.
Related Cyber Essentials guides
Continue your Cyber Essentials journey with the other guides in this series:
- Cyber Essentials Requirements — The five control areas, scope decisions and what evidence assessors look for.
- Cyber Essentials Cost — IASME pricing tiers, Plus costs, hidden costs and 3-year totals for UK businesses.
- Is Cyber Essentials Worth It? — An honest assessment of the benefits, drawbacks and who actually needs certification.
- Cyber Essentials Plus Requirements — The technical audit, vulnerability scans and what Plus delivers over the basic certification.
- Cyber Essentials Self Assessment — The SASQ workflow, scope, evidence and common pitfalls.
- How Long Does Cyber Essentials Take? — Typical UK timeline, fast-track options and what slows the process.
- Cyber Essentials Renewal — The 12-month cycle, 2026 control changes and how to prepare 60 days out.
- Cyber Essentials for Small Business — SMB-specific pricing, scope and the cost-benefit case.
FAQs
Is ISO 27001 better than Cyber Essentials?
It is broader and deeper, but not automatically "better" for your business. ISO 27001 is the right choice when you need international recognition or a full information security management system. Cyber Essentials is the right choice when you need a fast, affordable, UK-recognised baseline. Many UK businesses hold both because they answer different procurement questions.
Does ISO 27001 cover everything in Cyber Essentials?
Largely, yes. The technical controls in Cyber Essentials (firewalls, secure configuration, access control, malware protection, security updates) map onto ISO 27001:2022 Annex A controls in the Technological theme. However, ISO 27001 covers many more areas (governance, risk management, supplier security, business continuity, HR security) that Cyber Essentials does not address. Holding ISO 27001 does not formally satisfy a Cyber Essentials requirement on its own, so UK buyers who specifically ask for Cyber Essentials will still want to see that certificate.
Should I do Cyber Essentials or Cyber Essentials Plus before ISO 27001?
If you can, Cyber Essentials Plus. The technical audit forces you to verify rather than just self-assert your controls, which is much closer to the evidence standard an ISO 27001 auditor will look for. If budget is tight, start with self-assessed Cyber Essentials, then schedule Cyber Essentials Plus alongside or just before your ISO 27001 stage 2 audit.
Will ISO 27001 customers accept Cyber Essentials as a substitute?
Usually not. Enterprise and international buyers asking for ISO 27001 are looking for evidence of a managed, risk-based information security programme, which Cyber Essentials does not provide. Cyber Essentials may help you progress through an initial security questionnaire, but it will rarely close out an ISO 27001 procurement requirement on its own.
How long after Cyber Essentials should I start ISO 27001?
As soon as you can see ISO 27001 on the horizon in your sales pipeline. ISO 27001 typically takes six to eighteen months, so working backwards from a customer deadline is the right framing. If you hold Cyber Essentials Plus, you can usually start ISO 27001 implementation in parallel with renewal cycles, reusing the same evidence for both schemes.
Can ISMS.online help with both Cyber Essentials and ISO 27001 at the same time?
Yes. ISMS.online manages both frameworks from one workspace, with pre-mapped controls so the evidence you collect for Cyber Essentials counts toward your ISO 27001 Statement of Applicability. That removes the duplication that usually comes with running two certifications side by side.