ISO 27001 vs Cyber Essentials Plus: When You Need One, When You Need Both, and When the Question Itself Is Wrong
The most common compliance question we get from UK technology businesses is some variant of: "Do we need ISO 27001 or Cyber Essentials Plus? Which one is enough?" It is the wrong question. ISO 27001 and Cyber Essentials Plus are not alternatives. They answer different questions, satisfy different procurement gates, and operate at different depths. For most UK technology businesses selling into UK enterprise or government, the answer is both, in a specific order. For some businesses, the answer is one or the other. For a small minority, the answer is neither, yet. This guide cuts through the comparison by asking the question the way procurement teams actually ask it: not "which one is better?" but "which one does each specific buyer need to see?"
Cyber Essentials is a UK government-backed scheme run by the NCSC and administered by IASME. It assesses an organisation against five technical control areas: firewalls and internet gateways, secure configuration, user access control, malware protection, and security update management (patching). Cyber Essentials (basic) is a self-assessed certification: the organisation answers a questionnaire and an assessor reviews the answers. Cyber Essentials Plus covers the same five control areas but verifies them through independent technical testing: a configuration and vulnerability assessment of a sample of end-user devices and servers, external scanning of internet-facing services, and checks that malware and malicious downloads are blocked on the sampled devices. The Plus audit requires a current basic Cyber Essentials pass and must be completed within three months of it, so the two are planned as one exercise. Re-certification is annual. Cyber Essentials Plus is a point-in-time technical control audit. It is not a management system standard and says nothing about how controls are governed between audits.
ISO/IEC 27001:2022 is an international management system standard. Its Annex A lists 93 information security controls, grouped into organisational, people, physical, and technological themes, and clauses 4 to 10 define the management system that governs how those controls are selected, operated, audited, reviewed, and improved. ISO 27001 is significantly broader than Cyber Essentials Plus. The Annex A controls cover access control, cryptography, physical security, operations security, communications security, supplier relationships, incident management, business continuity, and compliance. Critically, ISO 27001 also requires a documented risk assessment and risk treatment process, a Statement of Applicability justifying which controls are in or out of scope, internal audit, management review, and continual improvement. Cyber Essentials Plus requires none of these.
The practical difference is what each one unlocks in terms of procurement access. Cyber Essentials Plus unlocks UK central government supplier vetting (mandatory under Procurement Policy Note 09/14 for contracts that involve handling personal information or providing certain ICT services), NHS contracts that involve processing patient data (mandatory), the UK MOD Defence Cyber Protection Partnership supplier requirements (mandatory at the relevant risk levels), some public sector frameworks (G-Cloud at certain risk levels), and cyber insurance underwriting at the lower premium tier. ISO 27001 unlocks UK enterprise procurement (financial services, healthcare, technology, professional services), EU procurement and EU enterprise vendor reviews, Middle East and Asia-Pacific enterprise and government procurement, investor due diligence at Series B and later, supplier panels for any regulated industry, and cyber insurance underwriting at the certified rate tier.
If your buyers are a mix of UK government and UK private sector, you need both. Cyber Essentials Plus is the gate for the public sector buyers; ISO 27001 is the gate for the private sector buyers. Holding only one excludes you from a large part of your potential market. If your buyers are international, ISO 27001 alone is acceptable in most overseas markets; Cyber Essentials is not recognised outside the UK. If your buyers are exclusively UK public sector, Cyber Essentials Plus is the mandatory gate for most of those contracts, and ISO 27001 is increasingly expected as evidence of broader maturity, particularly where the buyer's own security questionnaire asks about risk management and incident response rather than just technical controls.
The order is Cyber Essentials Plus first, ISO 27001 second. Two reasons. First, Cyber Essentials Plus is faster (3 to 6 weeks) and cheaper (2,000 to 5,000 pounds), so it unblocks early procurement opportunities while the longer ISO 27001 programme runs. Second, the technical controls assessed in Cyber Essentials Plus (boundary firewalls, secure configuration, access control, malware protection, patching) map directly onto a subset of the ISO 27001 Annex A technological controls, so the configuration evidence, device inventory, and vulnerability scan results produced for Cyber Essentials Plus feed straight into the ISO 27001 implementation and its Statement of Applicability. For the combined programme, the total elapsed time is typically 12 to 14 weeks for both certifications, assuming the certification body can schedule the ISO 27001 Stage 1 and Stage 2 audits within that window, at a total cost of 14,000 to 26,000 pounds. That is roughly 25 percent lower than running the two programmes independently, because the Cyber Essentials Plus evidence is reused rather than regenerated.