
ISO 27001 vs Cyber Essentials: Which Certification Does Your Business Actually Need?


If your business has ever filled in a procurement questionnaire, applied for cyber liability insurance, or bid for a government contract, you have probably seen ISO 27001 and Cyber Essentials sitting next to each other on the same page. They are routinely treated as alternatives. They are not.


ISO 27001 and Cyber Essentials answer different questions, suit different organisations, and cost very different amounts to achieve. Choosing badly costs both money and time. Choosing well unlocks contracts, lowers your insurance premiums, and gives your customers genuine assurance about how you handle their data.


This post sets out exactly what each certification is, who it is for, what it costs, how long it takes, and which one your business actually needs. The short answer is that for most UK SMEs in 2026, Cyber Essentials is the right starting point and ISO 27001 is the right destination. The longer answer depends on who you sell to, what data you hold, and how mature your information security posture already is.


What is Cyber Essentials?

Cyber Essentials is the UK government-backed cyber security certification scheme, managed by the National Cyber Security Centre (NCSC) and delivered through its sole accreditation body, the IASME Consortium. It is designed to help organisations of any size demonstrate that they have the basic technical controls in place to defend against the most common internet-based attacks.


The Cyber Essentials requirements are deliberately narrow. The scheme tests five technical controls only: firewalls, secure configuration, user access control, malware protection, and security update management. It does not assess your policies, your governance structure, your supplier relationships, or your incident response plan. The point is to set a credible technical baseline that most cyber attacks would never get past.


Cyber Essentials vs Cyber Essentials Plus

There are two tiers. Cyber Essentials is a self-assessment certification. You complete a questionnaire about how your systems are configured, an IASME-accredited certification body reviews it, and if you meet the standard you receive your certificate. Cyber Essentials Plus is the higher tier and adds an independent technical audit, where an assessor verifies your controls against your live systems through vulnerability scans, sample device checks, and a simulated phishing assessment.


Both certifications are valid for twelve months and must be renewed annually. From April 2026, the v3.3 update tightened the requirements further, with mandatory MFA for cloud services and a 14-day patching window for critical vulnerabilities.


What is ISO 27001?

ISO 27001, formally ISO/IEC 27001:2022, is the international standard for information security management. Where Cyber Essentials tests five technical controls, ISO 27001 tests the management system you build around them. It is not a checklist. It is a documented, risk-based approach to identifying, managing, and continually improving how your organisation protects information of every kind, including digital data, paper records, and intellectual property.


The standard requires you to operate an Information Security Management System, or ISMS, that covers people, processes, technology, suppliers, and incidents. You define your scope, perform a risk assessment, document your Statement of Applicability against the 93 Annex A controls in the 2022 version of the standard, train staff, set policies, and demonstrate that you measure and improve the system over time.


Certification is delivered by independent certification bodies. For full international recognition, look for a certification body accredited by UKAS, the United Kingdom Accreditation Service. Non-accredited certifications exist and are cheaper, but many enterprise buyers and procurement teams will not accept them. The ISO 27001 audit process is a two-stage initial assessment followed by annual surveillance audits and a full recertification audit every three years.


ISO 27001 vs Cyber Essentials: The key differences at a glance

The two certifications are often presented as alternatives, but they sit at different levels of the same problem. Cyber Essentials tests whether your front door is locked. ISO 27001 tests whether you have a working security operations capability around the whole building.

| Factor | Cyber Essentials | ISO 27001 |
| --- | --- | --- |
| Scope | Five technical controls. IT systems only. | Whole information security management system: people, processes, technology, suppliers, incidents. |
| Recognition | UK only. UK Government-backed. | International, used in over 80 countries. |
| Approach | Prescriptive control checklist. | Risk-based management framework. |
| Audit | Self-assessment (CE) or technical audit (CE Plus). | Stage 1 documentation review, Stage 2 on-site audit, annual surveillance, full recertification every three years. |
| Cost (typical SME) | £320 to £500 (CE), £1,500 to £2,500 (CE Plus). | £8,000 to £25,000 in year one. Lower in subsequent years. |
| Time to certify | 2 to 4 weeks (CE), 6 to 8 weeks (CE Plus). | 6 to 12 months for a first-time SME implementation. |
| Renewal | Annual. | Annual surveillance, full recertification every three years. |
| Typical buyer | UK SMEs, government suppliers, professional services firms. | Enterprises, regulated industries, international service providers, anyone with mature buyer security questionnaires. |




When Cyber Essentials is enough

For the majority of UK SMEs, Cyber Essentials is the right level of certification. It gives you a credible, government-backed signal that your basic cyber hygiene is in order, without the overhead of building and running a full ISMS.


Cyber Essentials is enough if any of the following apply to your business:


  • You are a UK SME selling primarily into the UK market, including the public sector


  • You bid for UK central government contracts that require Cyber Essentials as a minimum (which is most of them under the Procurement Policy Note 09/23)


  • You handle customer data but not large volumes of sensitive personal data, special category data, or financial transaction data


  • You want to demonstrate cyber security maturity to insurers and reduce your cyber liability premiums


  • Your supply chain includes occasional larger buyers but their security questionnaires accept Cyber Essentials or Cyber Essentials Plus


  • Your organisation is at the start of its information security journey and needs a baseline before going further


Cyber Essentials is also the right choice if you need certification quickly. Most SMEs can prepare and certify within a month for the base scheme, and within two months for Cyber Essentials Plus. For ISO 27001, the same timeline runs into many months.


When you need ISO 27001

ISO 27001 becomes the right choice when the scale of your data, your buyer expectations, or your sector regulation outgrows what Cyber Essentials is designed to evidence. The 2022 version of the standard adds a stronger focus on supplier risk, cloud security, and threat intelligence, which makes it particularly relevant to organisations operating modern, distributed IT estates.


You need ISO 27001 if any of these apply:


  • You sell to enterprise clients whose procurement teams routinely require ISO 27001 in their security questionnaires


  • You operate in a regulated sector such as financial services, legal, healthcare, or critical national infrastructure


  • You handle large volumes of personal data or special category data under UK GDPR, where Article 32 requires demonstrable security maturity


  • You sell internationally, particularly into European, North American, or Australian markets where ISO 27001 is recognised and Cyber Essentials is not


  • You provide SaaS, cloud services, managed services, or any product where your customers are entrusting their data to your platform


  • You want to demonstrate to investors, acquirers, or boards that information security is governed at organisational level, not just at IT level


ISO 27001 is also the right answer if you are being asked about SOC 2. SOC 2 is the equivalent in many North American procurement contexts, and ISO 27001 is widely accepted by US enterprise buyers as a comparable demonstration of ISMS maturity. Many UK businesses scaling into US markets find that ISO 27001 covers both bases more cost-effectively than running parallel certifications.



The cost difference explained

This is where the two certifications differ most starkly. The headline costs only tell part of the story, so it is worth breaking down what each actually requires.


Cyber Essentials cost

Cyber Essentials certification fees are set centrally by IASME and tiered by organisation size. As of 2026, the base Cyber Essentials fee for a micro organisation (up to 9 employees) is £320, rising to £550 for a medium business and £600 for a large organisation. The certification body fee is the only direct cost. Where most SMEs incur additional spend is in remediation, addressing the technical control gaps surfaced during preparation. For most well-managed estates, that is a modest spend on MFA tooling, endpoint protection, or patch management improvements.


Cyber Essentials Plus cost

Cyber Essentials Plus adds an independent technical audit on top of the base scheme. Typical Plus fees range from £1,500 to £2,500 depending on organisation size and the number of devices in scope. The audit itself takes between one and three days and includes vulnerability scans, manual checks on a sample of user devices, and a simulated phishing test against staff.


ISO 27001 cost

ISO 27001 implementation costs vary enormously based on the maturity of your existing controls, the size of your scope, and whether you use external consultants. For a first-time SME implementation:


  • Consultancy or implementation support. Typically £6,000 to £15,000 if you bring in external help, or significant internal time if you do not.


  • Tooling. Many SMEs implement an ISMS using existing platforms (SharePoint, Confluence) or purpose-built tools like ISMS.online or Vanta, which typically run between £200 and £600 per month.


  • Certification body fees. £3,000 to £8,000 for the Stage 1 and Stage 2 initial audits, depending on scope and certification body.


  • Surveillance audits. Annual fees of £1,500 to £3,500 in years two and three.


  • Recertification. A full recertification audit at the three-year mark, typically priced similarly to the initial certification.


Total first-year cost for an SME implementing ISO 27001 typically lands between £8,000 and £25,000. Subsequent years drop to around £4,000 to £8,000 in audit fees, plus ongoing internal management time.


The time investment

Cyber Essentials can be prepared and certified in two to four weeks if your IT setup is broadly in order. Cyber Essentials Plus typically adds another four to six weeks because of the audit scheduling and any remediation needed after the technical assessment.


ISO 27001 implementation is a different scale of project. For a first-time SME implementation, allow six to twelve months from start to certification. The work breaks down roughly into a scoping and gap analysis phase, a risk assessment, the design and documentation of the ISMS, an internal audit cycle, a management review, and then the Stage 1 and Stage 2 certification audits with the chosen certification body.


Most SMEs underestimate the documentation effort in particular. ISO 27001 requires a Statement of Applicability that justifies the inclusion or exclusion of each of the 93 Annex A controls, plus documented policies, procedures, risk registers, and evidence records. An ISO 27001 lead implementer, whether internal or external, can compress this timeline significantly but cannot eliminate it.


Why many UK SMEs pursue both

The most common pattern we see at AIS Technology is sequential. Businesses achieve Cyber Essentials first, then build the broader ISMS that ISO 27001 requires on top of that foundation. There are good reasons for this.


First, Cyber Essentials forces you to address the five technical controls that ISO 27001 would identify as critical risks anyway. Doing them once, properly, then carrying that work forward into the ISO 27001 risk assessment is more efficient than trying to address both certifications simultaneously.


Second, the two certifications cover overlapping but distinct ground. ISO 27001 does not require Cyber Essentials, but many UK enterprise buyers and government bodies still expect to see Cyber Essentials Plus alongside ISO 27001 as evidence that the technical baseline is independently verified. Running both gives you the strongest signal in security questionnaires.


Third, Cyber Essentials gives you a quick win that builds internal momentum. ISO 27001 is a long, demanding project. Achieving Cyber Essentials within a month is a meaningful milestone that helps justify the longer ISO 27001 investment to the board.


How to choose: a practical decision framework

Use this framework to map your situation to the right certification path.


  • If you sell into the UK market only and your buyers ask for cyber security evidence, start with Cyber Essentials. Add Cyber Essentials Plus if your buyers explicitly require the audited tier.


  • If you sell to enterprises or regulated firms with formal security questionnaires, plan for ISO 27001, but achieve Cyber Essentials first.


  • If you sell internationally, particularly outside the UK, go straight to ISO 27001 as the recognised standard. Cyber Essentials adds limited value abroad.


  • If you handle large volumes of personal data, financial data, or special category data under UK GDPR, ISO 27001 is the standard most aligned with your Article 32 obligations and the wider DUAA 2025 compliance picture.


  • If you operate in a sector that explicitly requires it (e.g. NHS DSPT-linked work, FCA-regulated firms, MoD supply chains), follow the sector-specific guidance, which usually points to ISO 27001 or both.

  • If you are unsure, talk to someone who has helped businesses like yours through both processes before committing to either. The right answer often becomes clear once your buyer requirements, sector, and data are on the table.


Not sure which certification fits your business?


AIS Technology offers a free, no-obligation cyber security certification review for SMEs across London and Essex. We will look at your buyer requirements, your sector, your data, and your current IT estate, then give you a clear, honest recommendation on whether Cyber Essentials, Cyber Essentials Plus, ISO 27001, or a combination is the right path.



How AIS Technology supports both certifications

AIS Technology delivers managed IT support and cybersecurity solutions to small and medium-sized businesses across London and Essex. Our work routinely covers the technical groundwork behind both certifications: access controls, MFA enforcement, encryption, patch management, endpoint security, backup and disaster recovery, and the audit logging that any serious security review will ask about.


For Cyber Essentials, we work with clients to audit their estate against the five controls, close any gaps, and prepare the self-assessment or Plus audit. For ISO 27001, we partner with our clients alongside their chosen certification body and consultancy, taking responsibility for the technical control layer while the ISMS documentation and governance are built around it. Our existing UK GDPR IT infrastructure work, business continuity planning, and IT support for financial services all dovetail naturally into both certification pathways.



Frequently asked questions


Is ISO 27001 better than Cyber Essentials?

No, they are different. ISO 27001 is broader and more demanding, covering the management system around information security across people, processes and technology. Cyber Essentials is narrower and tests five specific technical controls. ISO 27001 is not better than Cyber Essentials in every situation; it is more appropriate for organisations with higher security maturity needs, international clients, or regulated data.

Do I need both Cyber Essentials and ISO 27001?

Not always, but many UK SMEs find value in both. ISO 27001 does not formally require Cyber Essentials, but holding both demonstrates that your technical baseline has been independently verified through Cyber Essentials Plus, while your management system meets the international ISO standard. This combination is particularly persuasive in enterprise procurement.

How much does Cyber Essentials cost in 2026?

Cyber Essentials base certification fees range from £320 for a micro organisation (up to 9 employees) to £600 for a large organisation, set centrally by IASME. Cyber Essentials Plus adds an independent technical audit and typically costs between £1,500 and £2,500 depending on organisation size and the number of devices in scope.

How much does ISO 27001 cost for a UK SME?

Total first-year ISO 27001 cost for a typical UK SME lands between £8,000 and £25,000, including external consultancy or implementation support, ISMS tooling, and certification body fees. Subsequent years drop to around £4,000 to £8,000 in audit fees, with a full recertification audit at the three-year mark.


How long does ISO 27001 take to implement?

For a first-time SME implementation, allow six to twelve months from kick-off to certification. The work covers scoping, gap analysis, risk assessment, ISMS documentation, internal audit, management review, and the Stage 1 and Stage 2 certification audits. Bringing in an experienced ISO 27001 lead implementer can compress the timeline meaningfully.

What is the difference between ISO 27001 and ISO 27002?

ISO 27001 is the certifiable standard that defines the requirements for an Information Security Management System. ISO 27002 is a supporting code of practice that provides detailed guidance on implementing each of the controls in Annex A of ISO 27001. You certify against 27001, and you use 27002 as a reference document when designing your controls.

Can a small business get ISO 27001?

Yes. ISO 27001 is scalable and the scope is defined by the organisation, not the standard. SMEs across the UK hold ISO 27001 certification, particularly those in SaaS, professional services, fintech, and any business handling sensitive client data. The cost and time investment are higher than Cyber Essentials, but for the right organisation the commercial return justifies it.

Is Cyber Essentials enough for GDPR compliance?

Cyber Essentials helps demonstrate the appropriate technical measures required by Article 32 of the UK GDPR, but it is not a complete GDPR solution. UK GDPR requires both technical and organisational measures, plus a wider compliance programme covering lawful basis, data subject rights, data processing agreements, breach notification, and accountability. Cyber Essentials sits inside the technical layer of that programme.



Get the right certification path for your business


AIS Technology helps SMEs across London and Essex prepare for, achieve, and maintain Cyber Essentials, Cyber Essentials Plus, and the technical controls behind ISO 27001. Talk to our team about a free certification review tailored to your buyers, your sector, and your data.


