Cyber Essentials and ISO 27001 are the two information-security credentials UK businesses are most often asked to hold. Cyber Essentials is a UK government-backed scheme covering five basic technical controls. ISO 27001 is a full international standard for managing information security. Cyber Essentials is quicker and simpler to achieve, and ISO 27001 is broader and more rigorous.
What Cyber Essentials is
Cyber Essentials is a UK government-backed scheme run under the National Cyber Security Centre (NCSC). It focuses on five technical controls: secure configuration, boundary firewalls and internet gateways, access control, malware protection and patch management. Together these controls address the most common and damaging cyber attacks.
The scheme has two levels. Cyber Essentials is a self-assessed questionnaire verified by a certification body. Cyber Essentials Plus adds an independent technical audit of the same five controls, giving external assurance that the controls are genuinely in place. Both levels carry the government-recognised certification mark.
Cyber Essentials is mandatory for certain UK government contracts, particularly those that involve handling personal data or providing IT products and services. It's also a credential that many private-sector supply chains increasingly expect their suppliers to hold.
What ISO 27001 is
ISO/IEC 27001 is the international standard for an information security management system (ISMS). It takes a risk-based, organisation-wide approach: rather than prescribing a fixed set of controls, it asks an organisation to identify its own information-security risks and put in place appropriate, documented controls to manage them.
Certification is granted by an accredited certification body after a formal audit. That audit covers both the management system itself and the controls the organisation has chosen to implement. The certificate then needs to be maintained through annual surveillance audits and a full recertification cycle every three years.
ISO 27001 is widely recognised internationally and is the credential many larger organisations and regulated sectors ask for when they want confidence in a supplier's overall security posture.
The key differences
The two credentials differ in scope, effort and depth. Cyber Essentials covers five defined technical controls. ISO 27001 covers the whole organisation's approach to information security, including people, processes and technology. Cyber Essentials can usually be achieved quickly; ISO 27001 typically takes several months of preparation before an audit is possible.
Cost follows the same pattern: Cyber Essentials involves a modest certification fee and reasonable internal effort. ISO 27001 involves consultancy, internal project work, and ongoing audit costs that are significantly higher. The rigour is also different: Cyber Essentials checks that five controls exist; ISO 27001 assesses whether the whole management system is working as intended.
Think of Cyber Essentials as a solid baseline and ISO 27001 as a comprehensive management system built on top of it. Preparing for either benefits from a clear-eyed IT audit and good IT risk management practice beforehand.
Which one does your business need?
The right answer depends on what your clients and contracts ask for, your sector and the size and complexity of your organisation. Many UK SMEs start with Cyber Essentials because it satisfies most public-sector contract requirements and demonstrates a credible security baseline to private clients. It's also the more accessible first step.
As businesses grow, take on larger enterprise clients or enter regulated markets, the demand for ISO 27001 often follows. Some organisations hold both credentials, treating Cyber Essentials as the foundation and using ISO 27001 to build the broader management system around it. That's a sensible progression for a growing business.
Deciding which credential is right for you - and when to pursue it - is part of good IT governance. The starting point is understanding what you're being asked for and what your business's risk profile actually requires. Our guide to cybersecurity essentials for UK SMEs covers the practical steps in more detail.
Not sure which credential your business needs? Red Eagle Tech helps growing businesses work out which security credential is right for them and prepares them to achieve it. Find out more about our technology governance service.