
Cyber Essentials Plus vs ISO 27001: Understanding the Difference


Two of the most commonly discussed cyber security certifications in the United Kingdom are Cyber Essentials Plus and ISO 27001. Both are widely recognised, both demonstrate a commitment to information security, and both can open doors to new business opportunities. However, they are fundamentally different in scope, approach, cost, and complexity. Understanding these differences is essential for making the right investment decision for your organisation.

This guide provides a thorough comparison of Cyber Essentials Plus and ISO 27001, helping you determine which certification — or combination of certifications — is most appropriate for your business goals, regulatory requirements, and budget.

What Is Cyber Essentials Plus?

Cyber Essentials Plus is a UK government-backed scheme managed by the National Cyber Security Centre (NCSC) and administered by IASME. It focuses on five fundamental technical security controls that protect organisations against the most common internet-based threats. The Plus level involves an independent technical assessment by an accredited certification body, including vulnerability scanning and device configuration checks.

The five controls tested are firewalls and internet gateways, secure configuration, user access control, malware protection, and patch management. The scheme is deliberately focused and prescriptive — it tells organisations exactly what they need to do, rather than requiring them to design their own security management system.

What Is ISO 27001?

ISO 27001 is an international standard published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). Formally known as ISO/IEC 27001, it specifies the requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS).

Unlike Cyber Essentials Plus, ISO 27001 does not prescribe specific technical controls. Instead, it provides a framework for identifying risks, selecting appropriate controls from a catalogue of 93 controls (in the 2022 revision), and documenting how they are managed. The scope of an ISMS can be tailored to cover the entire organisation or specific business functions.

Head-to-Head Comparison

| Factor | Cyber Essentials Plus | ISO 27001 |
| --- | --- | --- |
| Governing body | NCSC / IASME (UK) | ISO / IEC (International) |
| Scope | 5 technical controls | Full ISMS with 93 controls |
| Assessment type | Technical hands-on test | Management system audit |
| Typical duration | 1–4 weeks | 3–12 months |
| Typical cost (SME) | £1,500–£4,500 | £10,000–£50,000+ |
| Validity | 12 months | 3 years (with annual surveillance) |
| UK government requirement | Yes — for government contracts | Recognised but not mandated |
| International recognition | UK primarily | Global |
| Risk assessment required | No | Yes — formal methodology |
| Documentation overhead | Minimal | Extensive |

Scope and Depth

The most fundamental difference between the two certifications lies in their scope and depth. Cyber Essentials Plus is deliberately narrow — it tests five specific technical controls that address the most common attack vectors. It does not examine organisational policies, risk management processes, incident response procedures, or supply chain security. Its strength is its focus: by concentrating on the basics, it ensures that organisations get the fundamentals right.

ISO 27001, by contrast, takes a holistic view of information security. It covers everything from organisational leadership and risk assessment methodology to human resource security, physical security, supplier relationships, and business continuity. The standard requires organisations to establish a formal ISMS — a documented framework for managing information security risks across the entire business.

Comparison chart (summarised): Technical controls depth: Cyber Essentials Plus leads. Governance and process: ISO 27001 leads. Risk management: ISO 27001 leads. Speed to certify: Cyber Essentials Plus leads.

This difference means that Cyber Essentials Plus verifies whether your devices and systems are technically secure right now, while ISO 27001 verifies whether your organisation has a sustainable system for managing security over time. Both are valuable, but they answer fundamentally different questions.

Cost Comparison

Cost is often a decisive factor, particularly for small and medium-sized enterprises. Cyber Essentials Plus is significantly more affordable than ISO 27001, both in terms of direct certification costs and the internal resource investment required.

For a typical SME, the Cyber Essentials Plus assessment costs between £1,500 and £4,500. Preparation costs depend on the organisation's starting position but are typically modest — a few thousand pounds for consultancy and remediation if needed. The total investment rarely exceeds £10,000 for most small businesses.

ISO 27001 certification is substantially more expensive. The audit fees alone range from £5,000 to £20,000 depending on the organisation's size and scope. However, the largest cost is typically the internal resource investment required to design and implement the ISMS. Organisations often spend £15,000 to £50,000 or more on consultancy, documentation development, staff training, and internal process changes. For larger organisations, total implementation costs can exceed £100,000.

Worth Noting

Many organisations start with Cyber Essentials Plus as a cost-effective first step and later pursue ISO 27001 as the business grows and client requirements become more demanding. The controls implemented for Cyber Essentials Plus provide a solid technical foundation that directly supports ISO 27001 implementation.

Assessment Process

The assessment experience differs dramatically between the two certifications. Understanding these differences helps you plan resource allocation and set realistic expectations.

Cyber Essentials Plus is a point-in-time technical assessment. An accredited assessor scans your external infrastructure for vulnerabilities, examines a sample of internal devices for secure configuration and patch compliance, and conducts simulated phishing tests. The entire process typically takes one to three days of active assessment time, with results delivered within days.

ISO 27001 follows a two-stage audit process. Stage 1 is a readiness review where the auditor examines your ISMS documentation, risk assessment, and Statement of Applicability to confirm you are ready for the full audit. Stage 2 is the certification audit itself, where the auditor conducts interviews with staff, reviews evidence of control implementation, and assesses whether the ISMS is operating effectively. Stage 2 typically takes three to five days on site for an SME, and longer for larger organisations.

After initial certification, ISO 27001 requires annual surveillance audits (typically one to two days each) and a full re-certification audit every three years. Cyber Essentials Plus simply requires a fresh assessment every 12 months — there are no intermediate audits.

When Cyber Essentials Plus Is the Right Choice

Cyber Essentials Plus is the better choice in several common scenarios:

You need certification quickly. If you have a procurement deadline in weeks rather than months, Cyber Essentials Plus is achievable in that timeframe. ISO 27001 requires months of preparation and implementation.

You primarily serve UK public sector clients. UK government contracts require Cyber Essentials as a minimum. Many NHS trusts, local authorities, and government departments specifically require Cyber Essentials Plus. ISO 27001 is respected but not mandated in these contexts.

Your budget is limited. For organisations with limited security budgets, Cyber Essentials Plus delivers the best return on investment. It addresses the most impactful security controls at a fraction of the cost of ISO 27001.

You want to demonstrate technical security specifically. Cyber Essentials Plus provides concrete evidence that your systems are technically secure — patches are current, firewalls are configured correctly, and access controls are enforced. For clients who care about technical hygiene, this is often more compelling than a management system certification.

When ISO 27001 Is the Right Choice

ISO 27001 becomes the better option in different circumstances:

You serve international clients. ISO 27001 is recognised globally, whereas Cyber Essentials Plus is primarily a UK standard. International clients, particularly in Europe, North America, and Asia-Pacific, are far more likely to recognise and require ISO 27001.

Your clients require comprehensive security assurance. Enterprise clients, financial institutions, and organisations in highly regulated sectors often require suppliers to hold ISO 27001. The breadth of the standard provides assurance across organisational, physical, and technical security domains.

You handle highly sensitive data. If your organisation processes large volumes of personal data, financial information, or classified material, the comprehensive risk management framework of ISO 27001 provides a more appropriate level of governance than the five technical controls of Cyber Essentials Plus.

You want to build a mature security programme. ISO 27001 forces organisations to think systematically about security — identifying risks, implementing controls, measuring effectiveness, and continually improving. This creates a security culture that persists beyond individual technical measures.

The Case for Both

Many organisations discover that the question is not Cyber Essentials Plus or ISO 27001, but rather Cyber Essentials Plus and ISO 27001. The two certifications complement each other effectively.

Choose One (when budget or time is limited)

Advantages: lower total cost; simpler to maintain; less internal resource needed.
Drawbacks: gaps in coverage; may limit market access.

Pursue Both (maximum coverage and credibility)

UK public sector access (CE+); international recognition (ISO); technical and governance coverage; strongest competitive position; CE+ controls support ISO implementation.

Cyber Essentials Plus provides the technical foundation — ensuring that systems are properly configured, patched, and protected. ISO 27001 provides the management framework — ensuring that security is governed, measured, and improved over time. Together, they deliver both depth and breadth of security assurance.

The most cost-effective approach for many organisations is to achieve Cyber Essentials Plus first, then use the controls and processes established during that exercise as a springboard for ISO 27001 implementation. The technical controls implemented for Cyber Essentials Plus directly satisfy several ISO 27001 Annex A requirements, reducing duplication of effort.

Industry Expectations Across UK Sectors

Different sectors in the UK have different expectations regarding these certifications. Understanding your sector's norms helps you make the right investment.

Public sector and NHS: Cyber Essentials Plus is the dominant requirement. ISO 27001 is valued but not typically mandated. Start with Cyber Essentials Plus.

Financial services: The FCA does not mandate either certification specifically, but ISO 27001 is widely expected by banking and insurance clients. Cyber Essentials Plus is useful but may not be sufficient for higher-tier suppliers.

Legal: The SRA recommends Cyber Essentials as a baseline. Many law firms are now pursuing ISO 27001 to differentiate themselves and reassure clients handling sensitive matters. Both certifications add value.

Technology and SaaS: ISO 27001 is the standard expectation for enterprise software providers. Cyber Essentials Plus adds value for UK-focused businesses but is unlikely to satisfy international enterprise clients on its own.

Manufacturing and supply chain: Cyber Essentials Plus is increasingly required by UK public sector customers. ISO 27001 may be required by multinational clients or those in regulated supply chains.

Practical Considerations for Decision-Making

Beyond the technical and commercial factors, consider these practical elements when making your decision:

Internal resource availability. ISO 27001 requires dedicated internal resource — typically a named individual responsible for the ISMS, plus time from senior management, IT, HR, and operations. If your organisation cannot spare this resource, Cyber Essentials Plus is the pragmatic choice.

Organisational maturity. Organisations with established policies, processes, and documentation will find ISO 27001 less burdensome than those starting from scratch. If your organisation lacks formal security policies, start with Cyber Essentials Plus and build maturity over time.

Growth trajectory. If you anticipate significant growth, international expansion, or entry into highly regulated markets, investing in ISO 27001 early may be more cost-effective than retrofitting it later. The ISMS grows with your organisation and scales more naturally than repeatedly expanding Cyber Essentials Plus scope.

Client requirements. Ultimately, what your clients and prospects require should carry significant weight. Survey your target market — if the majority of opportunities require ISO 27001, that certification should be your priority. If the majority require Cyber Essentials Plus, start there.

How Cloudswitched Can Help

At Cloudswitched, we help UK organisations navigate the certification landscape and make informed decisions about their security investments. Whether you need Cyber Essentials Plus, are preparing for ISO 27001, or want a roadmap for achieving both, our team provides practical, expert guidance tailored to your organisation's specific needs.

We offer gap analysis for both certifications, remediation and implementation support, and ongoing management to maintain compliance. Our approach is pragmatic — we focus on delivering genuine security improvements alongside certification, rather than treating compliance as a paperwork exercise.


Frequently Asked Questions

Can I use Cyber Essentials Plus as a stepping stone to ISO 27001?
Absolutely. The technical controls you implement for Cyber Essentials Plus directly support several ISO 27001 Annex A requirements. Many of our clients follow this progression, using the momentum and discipline built during Cyber Essentials Plus to accelerate ISO 27001 implementation.

Does ISO 27001 include Cyber Essentials Plus?
No. They are separate certifications with separate assessment processes. Holding ISO 27001 does not automatically grant Cyber Essentials Plus certification, and vice versa. Each must be achieved independently through its own accredited assessment.

Which is harder to achieve?
ISO 27001 is significantly more complex and resource-intensive to achieve. It requires a formal ISMS, extensive documentation, risk assessments, and organisational commitment. Cyber Essentials Plus is technically focused and can be achieved relatively quickly with proper preparation.

How often must each be renewed?
Cyber Essentials Plus requires annual re-assessment. ISO 27001 certificates are valid for three years, with mandatory annual surveillance audits to confirm ongoing compliance. Both require continuous maintenance of controls between assessments.

Which provides better insurance benefits?
Both certifications can support reduced cyber insurance premiums. However, ISO 27001 typically provides more substantial benefits due to its comprehensive scope. Some insurers specifically require or incentivise ISO 27001 for larger organisations.
