Get in touch

Get in touch

  • This field is for validation purposes and should be left unchanged.

Privacy Notice


When you submit an enquiry via our website, we use the personal data you supply to respond to your query, including providing you with any requested information about our products and services. We may also email you several times after your enquiry in order to follow up on your interest and ensure that we have answered your it to your satisfaction. We will do this based on our legitimate interest in providing accurate information prior to a sale. Your enquiry is stored and processed as an email which is hosted by Microsoft within the European Economic Area (EEA). We keep enquiry emails for two years, after which they are securely archived and kept for seven years, when we delete them.

Reveal Menu

ISO27001 and Cyber Essentials – Similarities and Differences

For a UK company looking to become more secure (or to show that they are) there are a couple of obvious choices for certification schemes, namely the ISO27001 standard and Cyber Essentials. But what’s the difference between the two schemes which one should you choose to tackle first?

This blog article by CertiKit’s CEO Ken Holmes will give you an idea of what each of them are, and how they compare to help you make the best choice.

An overview of Cyber Essentials

The Cyber Essentials scheme is a UK government initiative and it’s managed by the National Cyber Security Centre (NCSC) via their partner IASME. It consists of a set of five controls which an organisation must implement and then complete a self-assessment (which is reviewed by the certification body) in order to become certified. The five controls cover:

  1. Office firewalls and Internet gateways
  2. Secure configuration
  3. User and administrative accounts
  4. Malware protection
  5. Software patching

These are basically the five areas the NCSC believes are the highest priority and the ones which an organisation will get the most benefit from addressing. This belief is based on an understanding of the most common threats that are out there, such as phishing by criminal gangs.

On the IASME website there is a free downloadable spreadsheet which lists the questions you will need to be able to answer positively in order to meet the criteria for certification. If there are any areas where you need to change your working practices, then some work may be involved.

The way that certification operates for Cyber Essentials is that you pay your money (£300 to £500 depending on your number of employees), answer some questions via a portal, respond to any issues raised and then you get the badge to show that you’re certified.

If you’re feeling adventurous then you can go for the Plus version of Cyber Essentials. This involves a scan to verify that your systems are set up correctly and comes at an additional cost.

An overview of the ISO27001 standard

ISO27001 is an international standard for an information security management system (ISMS). This is a document which is published by the ISO and defines the requirements for putting an ISMS in place. In essence, ISO27001 is in two parts. The first is the management system, which includes items such as objectives, risk assessments, management reviews and internal audits. The second is the list of reference controls which cover most areas of information security fairly comprehensively. The idea of the ISO27001 standard is that you assess your own risks yourself and then use appropriate controls to reduce your exposure down to an acceptable level.

Certification to the ISO27001 standard is offered by a wide range of certification bodies such as BSI and is a two-stage process. Stage one is an initial readiness review and stage two is the certification audit itself, which goes into more detail. If the auditor judges your ISMS to meet the requirements then you will become certified, and can advertise that fact.

How are ISO27001 and Cyber Essentials similar?

There are a number of ways in which Cyber Essentials and ISO27001 are similar.

  1. They will both improve your information security and reduce your risk. Any time you spend thinking about how you can better protect your organisation is time well spent.
  2. They offer a recognised certification – both of these standards are worth having and mean that you take cyber security seriously.
  3. The 5 Cyber Essentials controls are also in ISO27001 – the two standards agree that the five areas covered by Cyber Essentials are important and need to be implemented.
  4. They can both open doors and help to win business – Cyber Essentials is required for some UK government contracts and in some industries ISO27001 certification is a must.
  5. Annual renewal is required – Once you are certified, both standards require that your compliance is revisited every year to make sure your controls are being maintained.

What are the main difference between ISO27001 and Cyber Essentials?

There are key differences between the two standards, including:

  1. What they cover – basically Cyber Essentials is a subset of ISO27001. The NCSC has done some risk-based thinking on your behalf and has recommended a few of the controls from ISO27001 which it feels will have the most immediate impact. ISO27001 covers many more controls and tailors the risk assessment to your specific organisation.
  2. Geographical validity – Cyber Essentials is UK only whereas ISO27001 is accepted worldwide.
  3. How comprehensive they are – ISO27001 is very much the “big brother” of Cyber Essentials and requires a lot more emphasis on information security within your organisation. It covers many more areas such as HR security, legislation and software development.
  4. Their credibility – Cyber Essentials is a good start, but certification to ISO27001 carries significantly more weight and provides increased assurance to your customers.
  5. Cost and effort to become certified – because of its wider scope, ISO27001 takes significantly longer to become certified to than Cyber Essentials. Certification costs for ISO27001 will be several times higher, depending on the size of your organisation.

So which should you choose?

If you’re trying to decide which standard to go for first, there are a number of factors to consider.

Go for Cyber Essentials initially if:

  • You’re only based in the UK
  • You need to improve your basic level of security quickly
  • Your budget is limited
  • You need a quick win
  • Your customers want or require you to have it

But ISO27001 may be your best bet if:

  • You operate internationally
  • You’re ready to make a long term commitment to information security
  • You have more budget and resources available
  • You need to take a wider view of information security
  • Your customers want or require you to have it

In summary

It’s worth emphasising that this is not an “either-or” situation. Many organisations (including CertiKit ourselves) are certified to both Cyber Essentials and ISO27001. It’s really a decision about whether you want to start small with Cyber Essentials first and then grow towards ISO27001, or whether you’re ready to go straight for the main event.

Either way, you’ll be improving your cyber security and that’s got to be a Good Thing.

How can CertiKit help?

Whether you’ve decided to opt for ISO27001 or Cyber Essentials, we can help.

For Cyber Essentials and Cyber Essentials Plus certification, our Cyber Essentials Toolkit includes all the guidance, policies, plans, forms and other documentation you need to put in place the five controls, and has recently been updated for the 2022 requirements.

If ISO27001 certification is the right choice, we have a number of ways we can assist. From our award-winning toolkit to consultancy and internal auditing services, whatever level of assistance you need we can help.

And of course, if you’re still undecided we can help there too, contact us today.

We’ve helped more than 4000 businesses with their compliance


The documents are super easy to follow. You give very clear instructions on how we can make it our own. Keep up the good work.

i2x GmbH

View all Testimonials