Cyber Essentials vs ISO 27001: Which Security Framework Should You Start With?
Cyber Essentials and ISO 27001 are both cybersecurity frameworks that result in certification. They are not alternatives to each other — they operate at different levels of depth and serve different purposes. But for an SME deciding where to start, understanding the difference is essential.
This guide explains what each framework covers, who typically needs each one, what certification involves, and how to decide which to pursue first.
What Is Cyber Essentials?
Cyber Essentials is a UK government-backed scheme developed by the National Cyber Security Centre (NCSC). It defines five foundational technical controls that protect against the most common cyber attacks:
- Firewalls — boundary firewalls and internet gateways configured to restrict inbound and outbound traffic
- Secure configuration — systems and devices configured securely, removing unnecessary features and using strong passwords
- User access control — accounts with only the access needed, privileged accounts used only when required
- Malware protection — protection against malicious software on all devices
- Patch management — software and operating systems kept up to date with security patches applied within 14 days
Cyber Essentials Plus adds an independent technical verification of these controls through hands-on testing by a certified assessor.
Cyber Essentials certification typically takes days to weeks for a prepared organisation. It is relatively low cost (£300–£500 for the basic self-assessed scheme). It is a prerequisite for UK government contracts involving handling of personal information or sensitive data.
What Is ISO 27001?
ISO 27001 is the international standard for Information Security Management Systems (ISMS). Where Cyber Essentials defines five specific technical controls, ISO 27001 covers the full breadth of information security — governance, risk management, people, physical security, operational security, access control, incident management, business continuity, and compliance.
ISO 27001 certification requires implementing a formal ISMS, conducting a documented risk assessment, demonstrating that selected Annex A controls are implemented and effective, and passing a two-stage audit by an accredited certification body.
For a small organisation starting from scratch, ISO 27001 certification typically takes 6–12 months and requires significant internal effort and external audit costs.
Key Differences
| | Cyber Essentials | ISO 27001 |
|---|---|---|
| Scope | 5 specific technical controls | Full information security management system |
| Depth | Baseline — does not cover governance, risk, people, etc. | Comprehensive — covers all domains |
| Effort | Low — days to weeks | High — 6–12 months for most SMEs |
| Cost | £300–£500 (self-assessed) | £5,000–£30,000+ depending on scope |
| Auditor | Certification body (CE+) or self-assessed | Accredited certification body |
| Geographic relevance | UK government contracts; UK market | Global — EU, UK, Asia, Middle East |
| NIS2 relevance | Can contribute but not a direct reference | Directly referenced as evidence of maturity |
| Renewal | Annual | Annual surveillance; 3-year recertification |
Who Typically Pursues Each One
Cyber Essentials is the right starting point for:
- UK businesses bidding for government contracts (often a procurement requirement)
- Organisations that want a documented, independently verified baseline of the most critical controls quickly
- Businesses that know they need ISO 27001 eventually but want to build foundational controls first
- Any SME with no existing security framework wanting to demonstrate minimum hygiene
ISO 27001 is the right starting point for:
- Organisations where enterprise customers or regulated sector procurement requires it
- Businesses operating or expanding in EU, UK, or international markets where ISO 27001 is an expectation
- Organisations with NIS2 obligations wanting to use ISO 27001 as compliance evidence
- Any organisation wanting a comprehensive, internationally recognised security baseline
Do They Work Together?
Yes. Cyber Essentials can be a useful first step toward ISO 27001 — getting the five baseline technical controls in place gives you a foundation before tackling the broader ISMS requirements. Many organisations complete Cyber Essentials first, then build toward ISO 27001 over the following 6–12 months.
ISO 27001 covers and exceeds all five Cyber Essentials control areas. If you have ISO 27001, achieving Cyber Essentials certification alongside it is straightforward.
How ShieldIQ Covers Both
ShieldIQ includes a Cyber Essentials assessment module covering all five technical controls, alongside full ISO 27001 gap assessment across all four Annex A control domains. Both are included in the free tier.