Cyber Essentials vs ISO 27001: five technical controls vs a full ISMS
An entry-level baseline and a comprehensive risk-based management system — a progression, not a contest.
Depth, assessment and scope
| Feature | Cyber Essentials | ISO 27001 |
|---|---|---|
| Scope | Five core technical controls | Whole-organisation risk-based ISMS |
| Assessment | Self-assessment questionnaire (CE+ adds hands-on verification) | Accredited third-party certification audit |
| Risk management | Not a risk-based scheme — fixed control set | Mandatory risk assessment, treatment and SoA |
| Governance clauses | None — purely technical baseline | Management-system clauses 4-10 (leadership, planning, review) |
| Controls covered | Firewalls, secure configuration, user access control, malware protection, security update management (patching) | 93 Annex A controls across four themes (organisational, people, physical, technological) in ISO/IEC 27001:2022 |
| Effort | Low — typically days to weeks | Higher — typically months for first certification |
| Typical use | Baseline assurance; UK government contract entry requirement | Comprehensive, internationally recognised assurance |
Start with Cyber Essentials, grow into ISO 27001
These are not competing options; they sit at different points on a maturity path. Cyber Essentials is a deliberately narrow baseline: five technical controls covering firewalls, secure configuration, user access control, malware protection, and security update management (patching). An organisation answers a self-assessment questionnaire, a board member signs it off, and a licensed certification body reviews the answers. Cyber Essentials Plus adds hands-on verification by an assessor (external vulnerability scan, authenticated internal scan of sampled devices, and checks that malware protection blocks test files), which must be completed within three months of the self-assessment pass. It is often the right first move, especially when a UK government contract requires it. ISO 27001 is a different category of thing: a risk-based management system with governance clauses 4 to 10 and 93 Annex A controls (2022 edition), certified by an accredited body. A sensible progression is to achieve Cyber Essentials first to lock down the technical fundamentals, then build the broader ISMS (risk assessment, policies, Statement of Applicability, internal audit, management review) toward ISO 27001 certification. Cyber Essentials does not certify you to ISO 27001, and an auditor will still want the evidence trail behind each control, but it gives you a running start on the technical controls ISO 27001 also expects.
Sequencing the two
- Use Cyber Essentials to fix firewall, patching and access fundamentals fast
- Add Cyber Essentials Plus when a contract needs verified evidence
- Build the risk assessment, policies and review cycle ISO 27001 requires
- Carry the technical controls forward; they map directly into 2022 Annex A controls such as A.8.20 (networks security), A.8.9 (configuration management), A.5.15 (access control), A.8.7 (protection against malware) and A.8.8 (management of technical vulnerabilities)
Frequently Asked Questions
Is Cyber Essentials the same as ISO 27001?
No. Cyber Essentials is a baseline of five technical controls, mostly self-assessed, with no governance or risk-management requirements. ISO 27001 is a full, risk-based, accredited management-system certification covering 93 Annex A controls plus management clauses 4-10.
Does Cyber Essentials count toward ISO 27001?
It does not certify you for ISO 27001, but the five technical controls overlap with several Annex A controls, so achieving Cyber Essentials gives you a head start on the technical side of an ISO 27001 implementation.
What is the difference between Cyber Essentials and Cyber Essentials Plus?
Cyber Essentials is a self-assessment questionnaire, signed off by a board member and reviewed by a certification body. Cyber Essentials Plus adds a hands-on technical verification of the same five controls performed by a certified assessor, including vulnerability scans of the in-scope devices and malware-protection tests, and must be completed within three months of the Cyber Essentials pass.
