
Most UK SMEs do not strictly need both to start, and many still hold both because ISO 27001 and Cyber Essentials answer different buyer questions. Cyber Essentials is the UK government-backed baseline that proves five core technical controls, and it is the faster, cheaper on-ramp. ISO 27001 is the international information security management standard that larger, regulated and overseas buyers ask for by name. The good news for a small team facing a security questionnaire: the five CyberEssentials controls all map into ISO 27001’s technological controls, so the work you do for one feeds the other. In practice, most software and IT firms start with Cyber Essentials, then add ISO 27001 when a specific buyer or market demands it.
That decision usually arrives at a bad moment. A prospect drops a security questionnaire into the middle of a live deal, or a public-sector tender lists a certification requirement that your bid has to satisfy before it scores. The rest of this guide covers what each one proves, where they overlap, which to pursue first, and how to avoid collecting the same evidence twice.
Cyber Essentials is a UK government-backed scheme, run by IASME on behalf of the National Cyber Security Centre. It certifies that an organisation has five technical controls in place: firewalls, secure configuration, user access control, malware protection, and security update management. These are the controls that stop the most common internet-based attacks, and the certification is a self-assessment reviewed by a certifying body.
The current assessment is IASME’s Danzell question set, Requirements for IT Infrastructure v3.3, published on 13 February2026 and applied to applications registered from late April 2026. It tightened several rules. Multi-factor authentication is now mandatory for cloud services, with a missing MFA configuration treated as an automatic fail, and critical or high-severity security updates must be applied within 14 days.
For a small firm, the appeal is speed and cost. Cyber Essentials is achievable in days to weeks, it satisfies many UK commercial and public-sector tenders on its own, and it is mandated on many relevant central-government contracts through Procurement Policy Notes. It is the credential a buyer expects to see before a conversation goes any further.
In practice, you complete a structured self-assessment covering how your systems are configured and patched and who holds administrative access. There is no site visit for the base level. The certifying body then reviews and marks that submission against a fixed pass mark.
ISO/IEC 27001:2022 certifies an Information Security Management System. Where Cyber Essentials confirms that five specific controls exist today, ISO 27001 confirms that an organisation runs a governed, repeatable system for managing information security risk overtime. That is a larger claim, and it is why regulated and enterprise buyers weight it heavily.
The standard’s Annex A lists 93 controls across four themes: organisational, people, physical and technological. Certification means building the management system, running a risk assessment and treatment plan, producing a Statement of Applicability that records which controls apply and why, implementing them, then passing an internal audit and a two-stage external audit. Stage 1 reviews the documentation; Stage 2 tests whether the system works in practice. A certificate is valid for three years with annual surveillance audits.
One point matters commercially and legally. An ISO 27001 certificate can only be issued by a certification body accredited by UKAS, the United Kingdom Accreditation Service. No software platform or consultancy issues the certificate itself. What technology can do is prepare the organisation and organise the evidence so the path to a clean audit is shorter.
The 2013 version of the standard reachedits transition deadline of 31 October 2025, so new and renewing certificationsnow run against the 2022 revision.
The two standards overlap heavily on the technical side, and that overlap is where a small team saves the most work. The five Cyber Essentials controls all sit within ISO 27001:2022’s Annex A technological theme, control set A.8. Firewalls align with the network security controls at A.8.20 to A.8.22. Secure configuration aligns with A.8.9. User access control maps across A.8.2, A.8.3 and A.8.5, plus the access-management policy at A.5.15. Malware protection sits at A.8.7, and security update management at A.8.8.
This answers a common search: do Cyber Essentials controls count towards ISO 27001? They do. The evidence you produce for Cyber Essentials, such as firewall configurations, patch records and access reviews, directly supports the technological control set inside the ISO 27001Statement of Applicability. Holding Cyber Essentials first gives you a running start on that part of the ISMS.
The overlap has a limit worth stating plainly. ISO 27001 asks for a great deal that Cyber Essentials does not touch: the management system itself, a documented risk assessment, organisational and people controls, physical security, supplier management, and internal audit. Cyber Essentials does not include or replace ISO 27001, and ISO 27001 does not automatically grant you Cyber Essentials. They cover shared technical groundand then diverge. You can read the full detail on each on our Cyber Essentials and ISO 27001 framework pages.
For most UK SMEs, Cyber Essentials comes first. It is quicker and cheaper to achieve, and it clears many UK and public-sector tenders on its own. The technical work then carries directly into an ISO 27001 project later. Starting here gets a credential in front of buyers within weeks and builds the evidence base you will reuse.
ISO 27001 becomes the priority when a specific commercial trigger appears. Enterprise buyers, financial services and healthcare customers, and international prospects frequently gate contracts on it, and a stalled deal is often the reason a founder starts the project. For a small business, first certification typically takes six to twelve months, and often six to eight with focused effort and automation to compress the evidence collection. We cover the deal-driven case in more detail in do you need ISO27001 to win enterprise deals.
A rough decision guide. If your buyers are UK-based, mostly SME or public sector, and asking for a recognised security baseline, Cyber Essentials is usually enough to start. If you are selling to large enterprises, regulated sectors or overseas, or a contract explicitly names it, plan for ISO 27001 and hold Cyber Essentials alongside it. Many firms end up with both because their buyer mix spans both worlds. If Cyber Essentials is your focus, the next question is often whether you need the audited tier, which we cover in Cyber Essentials vs Cyber Essentials Plus.
The expensive mistake is treating each standard as a separate project and collecting the same evidence twice. An access-control policy, a patch record, a firewall configuration and a risk assessment can each satisfy requirements in more than one standard at the same time. Managed as one shared control set, a single piece of evidence supports both Cyber Essentials and ISO 27001, and often other frameworks you hold as well.
This is where Naq fits. Naq is an automated compliance platform that runs frameworks including ISO 27001, Cyber Essentials, UK GDPR, ISO 9001 and NHS DSPT from a single dashboard, so you map a control once and reuse the evidence everywhere it applies. As an IASME Certifying Body, Naq handles the Cyber Essentials self-assessment route directly; Cyber Essentials Plus and penetration testing are delivered through an external partner network. For ISO 27001, the platform automates evidence gathering and keeps you audit-ready for the UKAS-accredited body that issues your certificate. Naq does not issue the certificate itself.
A read-only AI assistant surfaces gaps and drafts documentation for your review, and in-house Clinical Safety Officers and virtual DPOs back it up where specialist judgement is needed. The result is a small team producing enterprise-grade evidence without hiring a compliance function. If you are stacking several standards at once, how to run multiple compliance frameworks without duplicating the work walks through the shared-evidence method in full.
What is the difference between ISO 27001 and Cyber Essentials? Cyber Essentials certifies five specific technical controls through a government-backed self-assessment. ISO 27001 certifies a full information security management system, including risk governance and organisational, people, physical and technological controls, verified by a two-stage external audit. Cyber Essentials proves a baseline; ISO 27001 proves an ongoing, governed system.
Should I get Cyber Essentials or ISO 27001 first? Usually Cyber Essentials first. It is cheaper and faster, satisfies many UK and public-sector tenders, and its technical evidence feeds directly into ISO 27001 later. Pursue ISO 27001 when enterprise, regulated or international buyers ask for it.
Do Cyber Essentials controls count towards ISO 27001? Yes. The five Cyber Essentials controls map into ISO 27001:2022 Annex A’s technological control set, so Cyber Essentials evidence supports that part of the management system. ISO 27001 then adds management-system, risk, organisational, people and physical requirements that Cyber Essentials does not cover.
How long does ISO 27001 take for a small business? First certification typically takes six to twelve months, covering preparation and the Stage 1 and Stage 2 audits, and often six to eight months with automation compressing the evidence work. The certificate is valid for three years with annual surveillance audits.
If a questionnaire or tender has put ISO 27001 and Cyber Essentials on your roadmap, the fastest way to scope the work is to see how much of the evidence overlaps for your organisation. Book a 15-minute demo on your own data and we will show you where a single control set covers both.