Key Takeaways
| Point | Summary |
|---|---|
| Scope difference | ISO 27001 is comprehensive (organization-wide ISMS); Cyber Essentials covers 5 technical controls |
| Complexity | ISO 27001 takes 6-12 months; Cyber Essentials can be done in 1-2 weeks |
| Cost | ISO 27001: £10,000-50,000+; Cyber Essentials: £300-5,000 |
| Recognition | ISO 27001 is international; Cyber Essentials is UK-focused |
| Government contracts | Cyber Essentials often mandatory for UK government; ISO 27001 for sensitive data contracts |
Quick Answer: Start with Cyber Essentials for baseline security and UK government contract eligibility. Add ISO 27001 when you need international recognition, enterprise customers require it, or you want comprehensive security management. Many UK organisations hold both.
Comparison at a Glance
| Aspect | ISO 27001 | Cyber Essentials | Cyber Essentials Plus |
|---|---|---|---|
| Scope | Full ISMS (93 controls in Annex A under ISO/IEC 27001:2022) | 5 technical controls | 5 technical controls + verification |
| Assessment type | External audit by certification body | Self-assessment questionnaire | Independent technical audit |
| Timeline | 6-12 months | 1-2 weeks | 2-4 weeks |
| Cost | £10,000-50,000+ | £300-500 | £1,500-5,000+ |
| Validity | 3 years (annual surveillance) | 12 months | 12 months |
| Recognition | International | UK-focused | UK-focused |
| Complexity | High | Low | Medium |
| Documentation | Extensive (30+ policies) | Minimal | Minimal |
| Best for | Enterprise clients, international business | UK government contracts, baseline security | Higher assurance UK contracts |
*Timelines vary based on company size, complexity, and initial security readiness.
What is ISO 27001?
ISO 27001 is an international standard for Information Security Management Systems (ISMS). It provides a comprehensive framework for managing information security across an entire organization.
ISO 27001 Covers
| Area | Requirements |
|---|---|
| Risk management | Systematic risk assessment and treatment |
| Security policies | 30+ documented policies and procedures |
| Access control | User access management, authentication |
| Cryptography | Encryption policies and key management |
| Physical security | Facility security, equipment protection |
| Operations security | Change management, malware protection |
| Communications security | Network security, data transfer |
| Supplier relationships | Third-party security management |
| Incident management | Security incident response procedures |
| Business continuity | Recovery planning and testing |
ISO 27001 Certification Process
| Phase | Duration | Activities |
|---|---|---|
| Gap analysis | 2-4 weeks | Assess current state against ISO requirements |
| ISMS implementation | 3-6 months | Build policies, procedures, controls |
| Internal audit | 2-4 weeks | Self-assessment of ISMS effectiveness |
| Stage 1 audit | 1-2 days | Documentation review by certification body |
| Stage 2 audit | 2-5 days | Implementation verification audit |
| Certification | 2-4 weeks | Certificate issued |
| Surveillance audits | Annually | Ongoing compliance verification |
| Recertification | Every 3 years | Full audit cycle repeated |
What is Cyber Essentials?
Cyber Essentials is a UK government-backed scheme overseen by the National Cyber Security Centre (NCSC). It focuses on five fundamental technical controls that protect against common cyber attacks.
The Five Technical Controls
| Control | Purpose |
|---|---|
| 1. Firewalls | Protect network boundaries from unauthorized access |
| 2. Secure configuration | Remove unnecessary software, change defaults |
| 3. Security update management | Keep software and devices patched |
| 4. User access control | Limit access to authorized users |
| 5. Malware protection | Defend against malicious software |
Two Certification Levels
| Level | Assessment | Cost | Timeline |
|---|---|---|---|
| Cyber Essentials | Self-assessment questionnaire reviewed by certification body | £300-500 | 1-2 weeks |
| Cyber Essentials Plus | Technical audit including vulnerability scans and device testing | £1,500-5,000+ | 2-4 weeks |
Depth of Coverage Comparison
| Security Area | ISO 27001 | Cyber Essentials |
|---|---|---|
| Firewalls/network security | Comprehensive | Basic boundary protection |
| Secure configuration | Detailed hardening requirements | Core settings only |
| Patch management | Full lifecycle management | 14-day critical patch window |
| Access control | Role-based, privileged access, MFA | Basic authentication controls |
| Malware protection | Multi-layered strategy | Anti-malware requirement |
| Risk management | Formal methodology required | Not covered |
| Incident response | Detailed procedures required | Not covered |
| Business continuity | Full BCP requirements | Not covered |
| Supplier management | Third-party security assessments | Not covered |
| Physical security | Facility and equipment security | Not covered |
| HR security | Background checks, training, exit | Not covered |
| Cryptography | Encryption policies, key management | Not covered |
| Compliance monitoring | Ongoing audit and review | Annual recertification only |
When to Choose Each
Choose Cyber Essentials If:
| Scenario | Why Cyber Essentials |
|---|---|
| UK government contracts | Often mandatory for contracts involving personal data |
| Starting your security journey | Good baseline before more complex frameworks |
| Budget constraints | Low cost, quick implementation |
| SMB with basic needs | Proportionate security for smaller organisations |
| Quick certification needed | Can be achieved in 1-2 weeks |
| Insurance benefits | Includes cyber liability insurance (eligible orgs) |
Choose ISO 27001 If:
| Scenario | Why ISO 27001 |
|---|---|
| International business | Globally recognized standard |
| Enterprise customers | Often required in RFPs and security questionnaires |
| Regulated industries | Base requirement for many sector regulations |
| Complex data processing | Comprehensive coverage for sensitive operations |
| Competitive differentiation | Demonstrates mature security posture |
| Multiple frameworks needed | Maps well to SOC 2, GDPR, other standards |
Choose Both If:
| Scenario | Why Both |
|---|---|
| UK government + enterprise | Government contracts need CE; enterprises want ISO |
| Defence sector | Often require both certifications |
| NHS suppliers | May require CE Plus and ISO 27001 |
| Complete coverage | CE for baseline, ISO for comprehensive management |
Cost Comparison
| Cost Element | Cyber Essentials | Cyber Essentials Plus | ISO 27001 |
|---|---|---|---|
| Certification/audit fee | £300-500 | £1,500-5,000 | £5,000-15,000 |
| Implementation support | £0-2,000 | £0-3,000 | £5,000-30,000 |
| Internal resource time | 1-2 days | 3-5 days | 50-200+ days |
| Tool/software costs | £0-500 | £0-1,000 | £2,000-10,000+ |
| Annual maintenance | £300-500 | £1,500-5,000 | £5,000-15,000 |
| Total Year 1 | £300-3,000 | £1,500-9,000 | £15,000-70,000+ |
Timeline Comparison
| Phase | Cyber Essentials | Cyber Essentials Plus | ISO 27001 |
|---|---|---|---|
| Preparation | 1-3 days | 1-2 weeks | 1-3 months |
| Implementation | 1-5 days | 1-2 weeks | 3-6 months |
| Assessment/audit | 1 day | 1-3 days | 1-2 weeks |
| Certification | 1-3 days | 1-5 days | 2-4 weeks |
| Total | 1-2 weeks | 2-4 weeks | 6-12 months |
*Timelines vary based on company size, complexity, and initial security readiness.
Mapping Between Frameworks
ISO/IEC 27001:2022 controls that satisfy Cyber Essentials requirements:
| Cyber Essentials Control | ISO 27001:2022 Annex A Controls |
|---|---|
| Firewalls | 8.20 Networks security, 8.21 Security of network services |
| Secure configuration | 8.9 Configuration management, 8.19 Installation of software on operational systems |
| Security updates | 8.8 Management of technical vulnerabilities |
| User access control | 5.15-5.18 Access control, Identity management, Authentication information, Access rights; 8.2 Privileged access rights |
| Malware protection | 8.7 Protection against malware |
Key insight: If you have ISO 27001, achieving Cyber Essentials is straightforward—you already have the technical controls in place.
UK Government Contract Requirements
| Contract Type | Typical Requirement |
|---|---|
| Standard government contracts | Cyber Essentials (basic) |
| Contracts with personal data | Cyber Essentials required |
| MOD supply chain | Cyber Essentials Plus often required |
| NHS data processors | Cyber Essentials Plus + DSPT |
| Sensitive government data | ISO 27001 + Cyber Essentials Plus |
| Critical national infrastructure | ISO 27001 minimum |
Common Questions
If I have ISO 27001, do I still need Cyber Essentials?
Technically no—ISO 27001 covers more than Cyber Essentials. However:
- UK government contracts may specifically require Cyber Essentials certification
- Cyber Essentials is quick and cheap to obtain if you already have ISO 27001
- Having both shows compliance with UK-specific and international standards
Does Cyber Essentials help toward ISO 27001?
Yes, but only to a limited extent. Cyber Essentials covers about 5-10% of ISO 27001 requirements. The technical controls you implement for Cyber Essentials will count toward ISO 27001, but you'll need significant additional work for the full ISMS.
Can I do both simultaneously?
Yes, and it's efficient if you need both:
- Implement ISO 27001 controls (which include Cyber Essentials requirements)
- Achieve Cyber Essentials certification early (quick win)
- Continue ISO 27001 implementation
- Upgrade to Cyber Essentials Plus when ready
- Complete ISO 27001 certification
Which is harder to maintain?
ISO 27001 requires significantly more ongoing effort:
| Maintenance Activity | Cyber Essentials | ISO 27001 |
|---|---|---|
| Annual audit | Self-assessment | External surveillance audit |
| Documentation updates | Minimal | Continuous |
| Internal audits | None required | Required annually |
| Management review | None required | Required periodically |
| Risk assessment | None required | Continuous process |
The Progression Path
For many UK organisations, the natural progression is:
| Stage | Certification | Purpose |
|---|---|---|
| 1. Foundation | Cyber Essentials | Establish baseline security, government eligibility |
| 2. Verification | Cyber Essentials Plus | Prove controls are working (technical audit) |
| 3. Comprehensive | ISO 27001 | Full security management system |
| 4. Continuous | Both maintained | Maximum assurance and contract eligibility |
The Bastion Advantage
Managing UK certifications alongside international standards is complex. Bastion simplifies the process:
| Challenge | Bastion Solution |
|---|---|
| Multiple frameworks | Unified control mapping across CE and ISO 27001 |
| Gap analysis | Identify what's needed for each certification |
| Evidence collection | Automated evidence for both frameworks |
| Audit preparation | Readiness assessments before certification |
| Ongoing compliance | Continuous monitoring for both certifications |
Need help deciding which UK certification to pursue? Talk to our team →