ISO 27001 vs Cyber Essentials: Which First?

5 min read · 27kay

Short answer - they solve different problems

ISO 27001 and Cyber Essentials both improve your security posture, but they operate at different levels. Cyber Essentials is a UK government-backed scheme covering five technical controls - the minimum security baseline. ISO 27001 is an international standard for building a complete information security management system. Many UK organizations benefit from both, but which you need first depends on your clients, your contracts, and where your risks actually sit.

What Cyber Essentials covers

Cyber Essentials focuses on five technical control areas that address the most common internet-based attacks:

  • Firewalls and internet gateways - properly configured boundary devices between your network and the internet
  • Secure configuration - removing unnecessary software, changing default passwords, disabling unused features
  • User access control - limiting who can access what, enforcing least privilege
  • Malware protection - anti-malware software or equivalent application whitelisting
  • Security update management - patching operating systems and applications within 14 days of critical updates

The scheme has two levels. Cyber Essentials is a self-assessment questionnaire verified by an external assessor - most organizations complete it in a few days. Cyber Essentials Plus adds hands-on technical verification where an assessor tests your systems directly. Plus typically takes a few weeks and costs around £1,500-3,000 compared to £300-500 for the basic certification.

Cyber Essentials certification is mandatory for UK government contracts involving the handling of certain sensitive information. Even outside government work, it signals to UK clients that you have addressed the basics.

What ISO 27001 covers

ISO 27001 goes much further. Instead of prescribing specific technical controls, it requires you to build an ISMS - a structured approach to identifying risks, selecting appropriate controls, and continuously improving your security posture.

The standard covers:

  • Organizational controls - policies, roles, supplier management, asset management
  • People controls - screening, awareness training, responsibilities during and after employment
  • Physical controls - secure areas, equipment protection, clear desk policies
  • Technological controls - access management, cryptography, network security, secure development

ISO 27001:2022 includes 93 controls in Annex A, but the risk-based approach means you select and justify which controls apply to your organization through a Statement of Applicability. A manufacturing company and a SaaS startup will have very different control profiles despite following the same standard.

Implementation typically takes 4-8 months for small to medium organizations. Certification involves a two-stage audit by an accredited certification body, with annual surveillance audits and full recertification every three years.

Key differences at a glance

|                 | Cyber Essentials                | ISO 27001                                     |
|-----------------|---------------------------------|-----------------------------------------------|
| Scope           | 5 technical controls            | Full management system + 93 controls          |
| Approach        | Prescriptive checklist          | Risk-based - you select controls              |
| Recognition     | Primarily UK                    | International                                 |
| Time to certify | Days (basic) to weeks (Plus)    | 4-8 months typically                          |
| Cost (SMB)      | £300-3,000                      | £10,000-50,000+                               |
| Maintenance     | Annual recertification          | Annual surveillance + 3-year recertification  |
| Mandatory for   | Some UK government contracts    | Often required by enterprise clients globally |

When you need which

Cyber Essentials makes sense when you are a UK-based organization that needs to demonstrate basic security hygiene quickly. It is mandatory for certain government contracts, and it gives clients immediate confidence that you have the fundamentals in place. If you are starting from zero, it is a practical first step.

ISO 27001 makes sense when your clients or market expect an internationally recognized certification. Enterprise procurement teams, especially outside the UK, rarely accept Cyber Essentials as a standalone credential. ISO 27001 is what appears in vendor security questionnaires and procurement prerequisites globally.

Pursuing both together is the approach we see most often with UK organizations that serve both domestic and international clients. Cyber Essentials provides a solid technical baseline across its five core control areas. ISO 27001 wraps that in a comprehensive management system that covers risk assessment, supplier management, incident response, business continuity, and everything else Cyber Essentials does not touch.

The overlap is significant. Organizations with Cyber Essentials already satisfy several ISO 27001 Annex A controls related to network security, access control, malware protection, and patch management. You are not starting from scratch - you are building on a foundation.

Common mistakes when pursuing both

Treating them as separate projects. If you plan to get both, integrate from the start. Build your ISO 27001 ISMS with Cyber Essentials controls mapped into your risk treatment plan rather than running two parallel compliance tracks.

Getting Cyber Essentials and stopping there. We see this with organizations that get CE to win a specific contract, then never build beyond it. Cyber Essentials covers technical basics but does nothing for risk management, supplier security, incident response, or security awareness. Those gaps catch up with you.

Assuming ISO 27001 automatically covers Cyber Essentials. It does not work that way. ISO 27001 is risk-based, so if your risk assessment does not specifically address the five CE control areas at the level CE requires, you could be ISO 27001 certified but fail a Cyber Essentials assessment. Map them explicitly.

How 27kay can help

We help organizations figure out the right certification path - whether that is Cyber Essentials first, ISO 27001 directly, or both in sequence. For UK organizations building toward ISO 27001, we typically integrate Cyber Essentials requirements into the ISMS from day one so you get both certifications from a single implementation effort.

Not sure which certification your clients actually need? Let’s talk - we will give you an honest assessment based on your market, your contracts, and where your security stands today.