Cyber Essentials vs ISO 27001 UK 2026: Which Does Your Business Need?

Cyber Essentials vs ISO 27001 compared for UK businesses in 2026: cost, scope, time, audit and recognition. Which UK and EU contracts actually need each, and the smart sequence to certify in.

Last updated: April 2026  |  Reviewed by: Connection Technologies team

The Cyber Essentials vs ISO 27001 question is the one we hear most often from UK businesses bidding for enterprise or public-sector contracts. The short answer: they’re complementary, not competitors. Cyber Essentials proves you have the five technical controls in place; ISO 27001 proves you have a complete information-security management system around them.

For most UK SMEs, Cyber Essentials (or Cyber Essentials Plus) is the right starting point — it’s mandatory for many central-government contracts, takes weeks rather than months and costs hundreds rather than tens of thousands of pounds. ISO 27001 makes sense once you’re winning enterprise contracts, handling sensitive personal data at scale or selling internationally. This guide breaks down the differences across cost, scope, time, audit and which one your specific procurement context actually requires.

Cyber Essentials vs ISO 27001 — at a glance

| | Cyber Essentials | Cyber Essentials Plus | ISO 27001 |
|---|---|---|---|
| Type | Certification | Audited certification | Internationally recognised standard + certification |
| Owner | UK NCSC, administered by IASME | UK NCSC, administered by IASME | International Organization for Standardization (ISO) + International Electrotechnical Commission (IEC) |
| Scope | 5 technical controls (firewalls, configuration, access, malware, patching) | Same 5 + audit verification | ~93 controls in Annex A across 4 themes (people, organisational, technological, physical) |
| Verification | Self-assessment, IASME-reviewed | External scans + authenticated device sample + phishing test | Internal audit + external Stage 1 + Stage 2 audit by accredited certification body |
| Time to certify | 2-4 weeks | 6-12 weeks | 6-18 months |
| Cost | £300-£500 + VAT (IASME) + remediation | £1,500-£8,000 + VAT (audit) + remediation | £10,000-£60,000+ depending on org size |
| Validity | 12 months | 12 months | 3 years (with annual surveillance audits) |
| Recognition | UK only | UK only | International — recognised globally |
| Best for | UK SMEs starting cyber compliance, UK gov contracts | Higher-assurance UK gov contracts, MoD subcontracts, enterprise procurement | Enterprise-grade ISMS, international contracts, regulated industries |

What Cyber Essentials covers (and what it doesn’t)

Cyber Essentials is deliberately narrow. It covers the five technical controls that, according to NCSC, would have prevented around 80% of common cyber attacks against UK SMEs. That makes it brilliant value for a small business — and limited if you need to demonstrate broader information governance.

What’s in scope for Cyber Essentials:

  • Boundary firewalls and internet gateways
  • Secure configuration of devices and software
  • User access control (including MFA on cloud accounts)
  • Malware protection (EDR / AV)
  • Security update management (patching within 14 days)

What’s out of scope for Cyber Essentials:

  • Information security policies and management framework
  • Risk assessment methodology
  • Asset classification and handling
  • Supplier security management
  • Business continuity and disaster recovery
  • Incident response process and post-incident review
  • Physical security (door access, CCTV, secure disposal)
  • HR security (background checks, security training, leaver process)
  • Legal & regulatory compliance management
  • Cryptography policy and key management

All of those are in scope for ISO 27001. That’s the fundamental difference.

What ISO 27001 adds on top

ISO 27001 (the 2022 edition is current) is a standard for an Information Security Management System (ISMS). It’s a framework for how you manage information security across the whole organisation — not just your laptops and firewalls.

The standard contains 10 mandatory clauses (4-10) that describe the management system itself, plus an Annex A with 93 controls grouped into 4 themes:

  • People controls (8) — screening, awareness training, NDAs, leaver process, remote working policies.
  • Organisational controls (37) — policies, roles, segregation of duties, contact with authorities, supplier relationships, incident management, business continuity, legal and regulatory compliance.
  • Technological controls (34) — access management, cryptography, secure development, monitoring, vulnerability management, network security, capacity management.
  • Physical controls (14) — secure areas, equipment siting, cabling, secure disposal, clear desk policy.

Cyber Essentials’ five controls map roughly to a handful of ISO 27001’s 93 — so passing CE gets you a head start on ISO 27001, but it’s nowhere near the full picture.

Cost comparison — real numbers from UK SMEs in 2026

| Org size | Cyber Essentials (1st year) | Cyber Essentials Plus (1st year) | ISO 27001 (1st year) | ISO 27001 (annual ongoing) |
|---|---|---|---|---|
| 5-10 staff | £500-£1,500 | £2,000-£4,000 | £10,000-£20,000 | £3,000-£6,000 |
| 25 staff | £1,500-£3,500 | £3,500-£7,000 | £20,000-£35,000 | £5,000-£10,000 |
| 50-100 staff | £2,500-£5,000 | £5,000-£10,000 | £35,000-£60,000 | £10,000-£20,000 |
| 250+ staff | £3,500-£7,000 | £8,000-£15,000 | £60,000+ | £20,000+ |

The headline gap is roughly 10x: ISO 27001 typically costs ten times what Cyber Essentials does for the same business — and that’s before you factor in the consultant time. ISO 27001 also requires ongoing surveillance audits annually plus a full re-certification every 3 years. See the UK IT compliance guide for full ongoing-cost breakdowns.

Which one do UK contracts actually require?

  • Most central-government contracts under £100k — Cyber Essentials.
  • UK central government contracts handling personal / sensitive data — Cyber Essentials Plus.
  • MoD subcontracts (Defence Cyber Protection Partnership) — Cyber Essentials Plus + DEF STAN 05-138 (which maps closely to ISO 27001 controls).
  • NHS supplier frameworks — Cyber Essentials at minimum, often Cyber Essentials Plus, plus DSP Toolkit (which overlaps with ISO 27001).
  • Local government procurement — usually Cyber Essentials.
  • Financial services supplier RFPs — increasingly require ISO 27001, often plus Cyber Essentials Plus.
  • Enterprise procurement (FTSE 100, US Fortune 500) — usually require ISO 27001 or SOC 2.
  • EU public sector / GDPR demonstrations — ISO 27001 carries more weight than Cyber Essentials.

Should I do Cyber Essentials, ISO 27001, or both?

Most UK SMEs should start with Cyber Essentials. It’s quick, affordable, gets you in front of UK government contracts and forces the technical hygiene that prevents 80% of attacks. Move to Cyber Essentials Plus when a contract demands it — typically within the first 12 months of needing CE.

Add ISO 27001 when:

  • An enterprise customer puts ISO 27001 as a hard requirement in their RFP and the contract is worth more than £100k/year.
  • You handle sensitive personal data at scale (healthcare records, financial data, legal case data).
  • You’re selling internationally and customers want a globally-recognised standard.
  • You’re in a regulated industry (financial services, healthcare, legal) and your regulator effectively requires an ISMS.
  • You’re scaling toward 100+ employees and need a formal information-governance framework.

The good news: doing Cyber Essentials Plus first removes about 30% of the technical work for ISO 27001 down the line. Many of our managed-IT customers go CE → CE+ → ISO 27001 over a 2-3 year window.

Get Cyber Essentials & Cyber Essentials Plus — fully managed

Connection Technologies runs Cyber Essentials and Cyber Essentials Plus for UK businesses end-to-end. Our compliance agent automates the five technical controls across every Windows, macOS, iOS and Android device — we submit, audit and renew so you stay certified without the paperwork. RRP from £103/month with free £25,000 cyber-liability insurance for eligible UK businesses.

Frequently asked questions about Cyber Essentials vs ISO 27001

What’s the difference between Cyber Essentials and ISO 27001?

Cyber Essentials is a UK-only certification covering five technical controls (firewalls, configuration, access, malware, patching) and takes 2-4 weeks to achieve. ISO 27001 is an internationally-recognised standard for an Information Security Management System covering ~93 controls across people, organisational, technological and physical themes — typically 6-18 months to certify and 10x the cost.

Is Cyber Essentials cheaper than ISO 27001?

Yes — significantly. Cyber Essentials costs £300-£500 + VAT in IASME fees plus remediation (typical first-year total £1,500-£3,500 for a 25-person SME). ISO 27001 typically costs £20,000-£35,000 first-year for the same business, with ongoing surveillance audits of £5,000-£10,000 every year and a full re-certification every 3 years.

Do I need ISO 27001 if I already have Cyber Essentials?

Not for most UK SMEs. Start with Cyber Essentials — it covers UK government contracts and forces good technical hygiene. Add ISO 27001 only when an enterprise customer mandates it, you handle sensitive personal data at scale, you sell internationally, or you operate in a regulated industry. Cyber Essentials Plus first removes about 30% of the technical work for ISO 27001 later.

Does ISO 27001 cover Cyber Essentials?

Roughly — most of Cyber Essentials’ five controls map to a handful of ISO 27001 Annex A controls (particularly the technological controls). Achieving ISO 27001 implies you almost certainly meet Cyber Essentials, but UK procurement teams will still ask to see the IASME Cyber Essentials certificate explicitly because the verification model is different.

Which carries more weight: Cyber Essentials or ISO 27001?

ISO 27001 is internationally recognised and carries more weight in enterprise and overseas procurement. Cyber Essentials is UK-only but is the de-facto baseline for UK central-government contracts and is gaining traction with UK cyber-insurance underwriters and enterprise supply-chain teams. Pick based on the contracts you’re actually bidding for.

Can a small business get ISO 27001?

Yes — there’s no minimum size. Smaller scopes (a single SaaS product team, for example) can achieve ISO 27001 in 6 months for £15,000-£25,000. But for most UK SMEs under 50 staff, Cyber Essentials Plus delivers most of the procurement benefit at a tenth of the cost and time.
