Cyber Essentials vs ISO 27001: Which Certification Do You Need?

People ask me this question at least once a week. And I get why, because on the surface they look like two versions of the same thing (they are not, not even close). CE is five technical controls, certified in weeks. ISO 27001 is a management system covering your entire organisation, takes months, and costs properly more. Which one you actually need depends on who you're selling to and how grown-up your security programme is.
What each certification covers
Cyber Essentials
The entire scope is five technical controls. Firewalls, secure configuration, user access control, malware protection, and patch management. You prove they're in place, I verify it (or another assessor does), certificate arrives, valid for 12 months.
So what does it deliberately not cover? Governance, risk management, incident response, detection, and recovery are all outside the scope. In NIST CSF 2.0 terms, CE sits inside Protect and doesn't wander outside.
There are two levels to choose from:
- CE Basic: Self-assessment questionnaire reviewed by an assessor
- CE Plus: Technical testing where the assessor verifies controls directly on your systems
ISO 27001
Completely different animal in every respect. ISO 27001 certifies that you've got an Information Security Management System (ISMS, the formal structure for managing security risks across everything you do). Policies, processes, people, technology, all stitched together.
But here is the bit that confuses people. It does not prescribe specific technical controls the way CE does. You identify your risks, pick appropriate controls from Annex A (93 of them in the 2022 version), put them in, then prove they work through an audit. More flexibility in what you implement, but massively more work.
The scope covers governance, risk management, incident response, business continuity, human resource security, physical security, and supplier relationships. I've seen organisations take a year just getting the documentation sorted, before the audit even happens.
Certification requires an audit by an accredited body, then annual surveillance audits, then full recertification every three years. That is a significant amount of ongoing commitment.
Side-by-side comparison
| | Cyber Essentials | ISO 27001 |
|---|---|---|
| Scope | 5 technical controls | Entire security management system |
| Assessment type | Self-assessment (Basic) or technical test (Plus) | Formal audit by accredited body |
| Time to achieve | 2-6 weeks | 3-12 months |
| Typical cost (SME) | Under GBP 2,000 | GBP 10,000-50,000 |
| Ongoing requirements | Annual recertification | Annual surveillance audits, 3-year recertification |
| NIST CSF coverage | Protect only | All 6 functions (if implemented comprehensively) |
| Documentation | Questionnaire + evidence | ISMS documentation, risk register, policies, procedures |
| International recognition | UK and some supply chains | Global |
| Government contracts | Required for some UK contracts (PPN 09/14) | Accepted but not specifically required |
| Insurance benefit | Free cyber insurance (with CE) | May reduce premiums, varies by insurer |
When CE is the right choice
You need a baseline quickly. CE can be sorted in weeks. I've had clients get certified in under a fortnight when they actually cracked on with it. If a contract demands it or you just want to show basic security hygiene without losing months, CE is the practical option.
Your clients or contracts require it. UK government contracts involving personal data or ICT services require CE under PPN 09/14. And if the requirement says CE specifically, ISO 27001 won't substitute (I've watched people learn that the hard way).
Your budget is limited. CE costs a fraction of ISO 27001. For a small business that needs to prove security without spending five figures, it is the right level.
You want a concrete pass or fail. CE tests specific controls and tells you exactly where you stand, prescriptive and clear. ISO 27001 gives you more freedom, which is powerful but means more interpretation on your end.
When ISO 27001 is the right choice
Your clients require it. Enterprise buyers (particularly in financial services and technology) increasingly want ISO 27001 from suppliers. If clients are asking, fair enough, you don't really have a choice.
You're in a regulated sector. Financial services, healthcare, and legal firms all face expectations well beyond CE's five controls. ISO 27001 addresses governance, incident response, and business continuity, which is what regulators actually want to see.
You operate internationally. CE is a UK-only scheme with no international recognition. ISO 27001 carries weight globally, and if you work with clients outside the UK, CE alone won't cut it.
You need governance maturity. If your organisation needs formal risk management, board-level reporting, supplier security management, and documented procedures, ISO 27001 gives you that. CE does not go anywhere near governance.
The common path: CE first, ISO 27001 second
Most UK SMEs that end up holding both start with CE and bolt on ISO 27001 later. I've certified over 800 organisations and that is overwhelmingly the pattern.
CE gives you a baseline fast and without excessive overhead. Prove five controls work, get the certificate, satisfy immediate requirements. The whole process takes weeks, and you are covered while you figure out the longer game.
ISO 27001 then builds on what you have already done. When you start your ISMS, the five CE controls are already sorted. That is a chunk of Annex A ticked off from day one, and your CE documentation feeds straight into the ISO 27001 evidence base (which saves more time than people expect).
Going the other direction is possible but rarely practical. For most SMEs the time and cost of starting with ISO 27001 are far larger, and CE satisfies the immediate requirements anyway, so there is rarely a reason to begin with ISO 27001.
What CE doesn't give you that ISO 27001 does
Risk management framework. CE does not ask for a risk register. ISO 27001 requires you to identify, assess, and treat information security risks in a structured way.
Incident response procedures. CE doesn't test whether you could handle a breach. On my last assessment, a company had perfect technical controls but zero plan for when something goes wrong. CE passed them, but ISO 27001 would not have.
Business continuity. CE does not address what happens when your systems go down. ISO 27001 covers business continuity and disaster recovery.
Supplier management. CE doesn't look at how secure your suppliers are. ISO 27001 requires you to manage information security across supplier relationships (where a lot of breaches actually originate).
People security. Background checks, security awareness training, personnel security. CE does not touch any of it.
Physical security. CE is entirely digital and covers none of this. ISO 27001 includes physical and environmental security controls.
What ISO 27001 doesn't give you that CE does
Specific technical requirements. ISO 27001 says you need appropriate access control. CE says admin accounts must be separate from daily-use accounts, MFA must be on all cloud services, and patches applied within 14 days. That prescriptive detail actually helps when you are trying to work out what "appropriate" means.
Free cyber insurance. CE Basic includes automatic cyber insurance cover (subject to terms). ISO 27001 does not come with that.
PPN 09/14 compliance. Government contracts that specify CE mean CE. ISO 27001 alone will not satisfy that unless the contract explicitly accepts it as an alternative (in line with the June 2023 baseline advisory).
Cost reality for SMEs
CE certification: the assessment fee starts from GBP 320 + VAT. Factor in preparation time and any remediation work, and most businesses land under GBP 2,000 total.
ISO 27001 is a different conversation entirely. Consultancy to build the ISMS runs GBP 5,000-25,000 depending on scope and maturity, internal time is significant, and certification audit fees sit at GBP 3,000-10,000 depending on audit body. Surveillance audits on top of that, every year.
But the gap is not just money; it is also time. CE preparation takes days, while ISO 27001 takes months. I've seen companies that thought they were six weeks away end up taking nine months because they underestimated the documentation alone. For a small business, the time your people spend on it is often the bigger constraint.
If you are trying to work out which to go for, start with where your controls stand right now. The readiness quiz covers CE's five controls in five minutes. No commitment, no need to speak to anyone.