Cyber Essentials, Cyber Essentials Plus and ISO 27001: which one do you actually need?
A practical comparison for UK organisations working out which certification answers the ask that has landed, whether it came from an insurer, a client supplier audit or a procurement team.
A specific certification ask has landed, from an insurer, a procurement team, or a client running a supplier audit. You need to answer it well, on time, without over-buying. This piece compares Cyber Essentials, Cyber Essentials Plus and ISO 27001 directly, with the question each one actually answers and what each one involves. The short version: pick the certification that matches the question, not the highest-rated one on the shelf.
What question is each certification actually answering?
Certifications are answers to specific procurement questions. Picking the wrong one is expensive and slow.
Cyber Essentials answers the question "do you have basic technical controls in place?" The five control areas (firewalls, secure configuration, user access control, malware protection, and patch management) are the minimum standards UK government considers reasonable for any organisation handling business data. It is a self-assessment, certified through the IASME scheme. The certificate is valid for twelve months and confirms a point-in-time state.
Cyber Essentials Plus answers the same question, with external verification. The control framework is identical to Cyber Essentials. What changes is that an assessor independently tests a sample of your devices, runs authenticated vulnerability scans, and verifies the email and web filtering controls actually behave as claimed when shown simulated malicious content.
ISO 27001 answers a different question: "do you actively manage information security risk over time?" It is a management system certification: the deliverable is not five controls in place but a functioning ISMS with documented policies, a risk register, an internal audit programme, and external surveillance audits. ISO 27001 is a fundamentally different shape of evidence: not a snapshot but an ongoing process.
The trigger that brought you here usually tells you which question is being asked. Procurement teams in UK government and large UK corporates typically ask for Cyber Essentials or Plus. Major international clients running supplier audits, particularly anything DORA-adjacent, usually ask for ISO 27001 or equivalent. Insurance brokers ask for whichever their underwriter has named.
What is actually tested in each one?
Cyber Essentials. The five control areas, evidenced through a self-assessment questionnaire we work through with you. Typical evidence: device inventory, MDM configuration exports, account list, patch cadence documentation, malware protection settings, firewall rules. We submit through IASME and the certificate arrives within a few days of successful submission.
Cyber Essentials Plus. Same self-assessment plus a technical audit. The assessor samples a representative set of devices (usually 5–15% of the estate), runs authenticated vulnerability scans, conducts external scanning of internet-facing services, and tests email and web filtering with simulated malicious content. The audit can run remotely (devices accessed via secure remote management) or on-site for a half-day. Any failed checks need remediation and retest before the certificate issues.
ISO 27001. Conformance against the standard’s clauses 4–10 (the management system requirements) and Annex A (93 information security controls, of which most companies apply between 70 and 90). Evidence includes the policy set, the risk register, the statement of applicability, the internal audit programme, training records, supplier register, asset register, and incident records. A UKAS-accredited certification body runs Stage 1 (documentation review) and Stage 2 (operational audit) before issuing the certificate, which is valid for three years with annual surveillance audits.
The depth of evidence required for ISO 27001 is an order of magnitude greater than Cyber Essentials Plus. That depth is precisely what makes it valuable to clients who need to demonstrate downstream supplier management.
How long do they take, and what drives the cost?
We scope every certification and quote a fixed price before any work starts, since the right price depends on your estate, not on a price list. What moves it, and the typical timelines:
Cyber Essentials. Three to five weeks from kick-off. Cost is driven by headcount, number of sites, and complexity of the estate.
Cyber Essentials Plus. Four to six weeks. Cost is driven by the device sample size and whether the audit runs remotely or on-site.
ISO 27001 gap analysis. A focused four-week engagement. Output is a gap report and a 12-month implementation roadmap.
ISO 27001 full implementation. Six to nine months for companies with a reasonable starting position; up to twelve if starting from very little. Cost is driven by your starting position, the scope of the management system, and how much is delivered by us versus advised on.
The differences are real: ISO 27001 is months of structured work to build a management system; Cyber Essentials Plus is a focused technical assessment. The right answer is the cheapest credible answer to the question you have actually been asked. We will tell you which that is, and quote it fixed, on a call.
Which one do you actually need?
A short decision aid based on the trigger that brought you here.
Insurance renewal. Most underwriters accept Cyber Essentials. Plus is becoming the norm for limits above £5m or for companies with regulated data exposure. Bring us the renewal questionnaire; the wording usually tells us which.
UK government contract or procurement framework. Cyber Essentials is the baseline. Some frameworks require Plus. ISO 27001 is occasionally specified for the higher-risk lots but is usually optional.
Large UK corporate client supplier audit. Cyber Essentials Plus is the most common ask. The audit pack typically asks for evidence of the audit report itself, not just the certificate.
International client supplier audit, particularly DORA-adjacent. ISO 27001 or evidence of an equivalent control framework. For most companies, this is the trigger for a full ISO 27001 programme.
Regulator question (FCA, ICO). No single answer. The regulator does not require any specific certification but will accept ISO 27001 as strong evidence of mature security management.
Board-level "we should know" question. Start with a Cyber Essentials Plus audit. It produces a concrete gap report that informs whether ISO 27001 is the right next step.
If the trigger is not clear and the certification ask is generic, the cheapest mistake to avoid is over-buying. Starting with a Cyber Essentials Plus audit and an ISO 27001 gap analysis side by side gives you two credible pieces of evidence and tells you whether a full implementation is worth committing to, far cheaper than running a programme you did not need.
How do they renew, and what is the year-on-year load?
This matters more than most companies expect when comparing options.
Cyber Essentials renews annually. The renewal is a fresh self-assessment, usually faster than the first one because the evidence is in place.
Cyber Essentials Plus renews annually with another technical audit. The work for the company is lighter than in year one, since you have the evidence pattern down, but the audit itself is the same.
ISO 27001 runs on a three-year cycle. Year one is full Stage 1 and Stage 2 audits. Years two and three are annual surveillance audits, which are lighter than the full re-certification but still require evidence of the management system in operation: internal audits run, incidents managed, policies reviewed, risk register updated. Year four is full re-certification.
The ongoing cost shape is different. Cyber Essentials Plus has a high recurring audit cost but low maintenance overhead. ISO 27001 has a lower recurring audit cost but a higher and continuous maintenance load: the management system has to actually be operating, not just exist in a folder.
For companies that try to "park" ISO 27001 between audits, the year-three surveillance audit becomes painful. For companies that operate the system as intended, the year-three surveillance audit is uneventful.
What happens if you fail?
Failure is more common than the marketing implies, and how a provider handles it tells you a lot.
Cyber Essentials self-assessment failure is unusual but happens, typically because a control claim cannot be evidenced. Failure means re-submission once the gap is closed. Our standard practice is to flag likely failures during the engagement rather than at submission, so the company has time to fix in-flight.
Cyber Essentials Plus failure is more common. Roughly one in four Plus audits we run identifies findings that need remediation before the certificate issues. That is precisely what the audit is for. Failure does not invalidate the engagement: it triggers a remediation window (typically 30 days) and a retest, which is included in our standard scope at no additional cost.
ISO 27001 Stage 1 failure means the documentation is not ready. We flag this risk during the implementation engagement and would not put a company into Stage 1 unless we believed they would pass. Stage 2 failure is rarer but happens, usually a non-conformance in a specific area (often the internal audit programme or supplier risk management). Non-conformances have a 90-day window to close before they affect certification.
A provider who guarantees a pass on day one is not being honest. A provider who is honest about likely findings, and runs the engagement to fix them as they emerge, is what good looks like.
What should I do next?
If you have a specific certification ask, send us the questionnaire or audit pack. We will read the actual ask and tell you which certification answers it, what it involves, and how long it will take. A thirty-minute call will usually settle the path.
If you are exploring more broadly (a board-level "we should know" rather than a specific external trigger), start with a Cyber Essentials Plus audit and an ISO 27001 gap analysis. Combined, these produce evidence you can take to the board, a concrete gap report for any future ISO 27001 implementation, and a defensible "yes, we have this" answer to any future client supplier audit, typically over six to eight weeks.
If you would like to talk through where to start, book a 30-minute call. We will read the situation and tell you the cheapest credible answer to the question you have been asked.
Frequently asked
Questions readers ask before getting in touch.
- Conceptually no: Plus covers the same five technical controls as Cyber Essentials. What changes is the assessment. Cyber Essentials is a self-assessment we work through with you and submit. Plus adds an external technical audit: sample devices are checked, authenticated vulnerability scans are run, and the malware and email filtering controls are tested against simulated malicious content. The work for the company is similar; the evidence bar is higher.
- Most UK underwriters accept Cyber Essentials for standard cover at the mid-market end. Plus is increasingly common for companies with regulated data, professional liability exposure or limits above £5m. The exact wording varies between Beazley, AIG, CFC and the Lloyd's syndicates, so bring us the renewal questionnaire and we will tell you which they actually need rather than guessing.
- Not for most UK procurement contexts. Cyber Essentials is a UK government scheme and many UK procurement teams ask for it by name. ISO 27001 is broader and stronger but does not satisfy a question that specifically asks for Cyber Essentials. Many companies end up with both: Cyber Essentials Plus for the technical control attestation and ISO 27001 for the management system.
- Cyber Essentials: three to five weeks from kick-off, of which two weeks is usually you gathering evidence. Cyber Essentials Plus: four to six weeks including the technical audit and any remediation. ISO 27001 gap analysis: four weeks. ISO 27001 full implementation: six to nine months for most companies, longer if starting from very little structured security work.
- We scope every certification and quote a fixed price before any work starts, so the price matches your estate rather than a price list. What moves it: for Cyber Essentials, headcount and estate complexity; for Cyber Essentials Plus, the device sample size and remote vs on-site audit; for ISO 27001, the scope of the management system, your starting position, and how much we deliver versus advise on. Bring us the ask and we will quote it fixed on a call.
- Technically no: Plus is an extension of Cyber Essentials, and they are scored together. In practice the assessor will run both in a single engagement if you do not already hold Cyber Essentials. Most companies going straight to Plus pay a slightly higher Plus fee that covers both the self-assessment and the technical audit in one piece of work.
- No, they are separate standards. ISO 27001 covers information security management. ISO 42001 covers AI management systems and was published in December 2023. They share structural conventions (Annex A controls, plan-do-check-act), so a company with a mature ISO 27001 implementation finds ISO 42001 quicker to adopt, but a 27001 certificate does not satisfy an ISO 42001 question on its own.
- It depends on what the client has asked for. If they have asked for Cyber Essentials Plus, the cheapest path is Cyber Essentials Plus. If they have asked for ISO 27001 or equivalent, the cheapest credible answer is usually the ISO 27001 gap analysis followed by a phased implementation, because most clients accept evidence of a documented programme with target dates rather than waiting for the certificate. The mistake to avoid is over-buying: running ISO 27001 implementation when the actual ask was Cyber Essentials Plus is an expensive miscalculation.
Talk to us
Want to talk through how this applies to your company?
A 30-minute call with a senior advisor. No pitch. We will read your situation against what is in this piece and tell you the smallest sensible next step.