What is the difference between ISO 27001 and Cyber Essentials? We are frequently asked this question by existing and potential customers, along with: if I have one, do I need the other? So how do we answer?

It very much depends on why you are looking for certification in the first place, and what risks to your business you are looking to mitigate by being certified.

Both certifications have merit in their own right and also co-exist very nicely together. But fundamentally, they are very different. Think of Cyber Essentials as having an MOT done on your car – there is a list of criteria that you must comply with to gain certification. ISO 27001 is a little different. It is more like buying a new car: there are certain things the car must have (such as lights, brakes and a steering wheel), and then there are options that you get to choose between (heated seats, sunroof, colour, etc.).

Below we describe some of the main features of each. 

Cyber Essentials 

Cyber Essentials is a government-backed certification scheme offering two levels of certification, which protect your business against the most common types of cyber attack. It focuses on five mandatory technical controls. Cyber Essentials is a verified self-assessment certification that demonstrates an organisation has the required cyber security controls in place. Cyber Essentials Plus is based on the same technical requirements as Cyber Essentials, but it also includes a technical audit of your IT systems to verify that the controls are in place. This gives a higher level of assurance that an organisation has correctly implemented the controls.

This scheme was designed to be affordable for small and medium businesses.  

Benefits of Cyber Essentials Certification 

  • It is an affordable scheme to help small and medium businesses implement essential controls.
  • Cyber Essentials is actively used as part of supply chain assurance to demonstrate basic cyber hygiene.
  • Cyber Essentials certification includes automatic cyber liability insurance for any UK organisation that certifies its whole organisation and has an annual turnover of less than £20m.
  • Cyber Essentials provides an extra layer of defence to organisations even when they have other schemes and standards, such as ISO 27001, in place.

ISO 27001:2022  

ISO 27001 is an international standard that takes a risk-based approach to implementing an information security management system. Unlike Cyber Essentials, it applies across people, process and technology. It consists of mandatory management clauses and is supported by 93 optional controls. These controls do not all have to be implemented; their selection is determined and driven by risk assessments.

ISO 27001 can be implemented into organisations of any size, ranging from micro businesses to global enterprises. The standard is flexible to allow for the controls to be applied in a way that is relevant to your business. 

Certification is carried out in 2 stages: Stage 1 ensures you have all the necessary requirements and documents in place, and Stage 2 is an in-depth audit carried out by a UKAS-approved certification body. Certification is valid for 3 years, with annual surveillance visits to evidence ongoing compliance with the standard.

Benefits of ISO 27001 certification 

  • It reduces cost to the business: taking a risk-based approach means only the appropriate controls are put in place.
  • It enables security to be embedded across an organisation’s people, processes, and technology.
  • It provides a centrally managed framework to identify and manage information security risk.
  • It promotes continual monitoring and improvement: as your business matures, so does your Information Security Management System.

Summary 

In conclusion, Cyber Essentials and ISO 27001 are very different certifications with different benefits. It should be noted that having one or both certifications does not guarantee that you are secure. It means that you have implemented a set of controls that form part of your security programme. Both help you to manage your security practices, to embed robust processes within your business, and to manage the overall risks that you face on a daily basis. You can find out more about Shift Key Cyber’s Cyber Essentials Certification Services and ISO 27001 Implementation Service. Book a free consultation to discuss your specific needs.

Author

Dawn O'Connor

Dawn is a Co-Founder of Shift Key Cyber. She has 25 years’ experience in risk advisory. She is an ISO 27001 Lead Implementer and an ISO 22301 Lead Implementer, and she is also an IASME Certified Assessor. She is a member of the Chartered Institute of Information Security and the British Computer Society.