If you’ve ever been asked to prove your security credentials by a client or a procurement team, you’ve probably come across both of these. And if you’re not sure which one applies to you — or whether you need both — you’re not alone. It’s one of the most common questions we get from UK SMEs, and the answer matters more than most businesses realise.
They’re not the same thing
Cyber Essentials and ISO 27001 are both security certifications, but they solve different problems and carry different weight.
Cyber Essentials is a UK government-backed scheme that checks whether your business has the five basic technical controls in place to defend against the most common cyber attacks. Think of it as a baseline — a way of demonstrating that your organisation isn’t an easy target. It covers things like firewalls, secure configuration, access controls, malware protection, and patch management. The assessment is relatively straightforward, and certification can often be achieved in a matter of weeks.
ISO 27001 is a different proposition entirely. It’s an internationally recognised standard for information security management — and crucially, it’s not a one-time checklist. It requires you to build, implement, and continually maintain an Information Security Management System (ISMS). That means documented policies, risk assessments, internal audits, management reviews, and a genuine commitment to improving your security posture over time. Certification takes longer, costs more, and demands ongoing effort to maintain.
Both are increasingly important in today’s environment. Cyber threats are more prevalent, more targeted, and more damaging than ever before — and clients, insurers, and procurement teams are starting to ask harder questions about how you protect their data.
When does Cyber Essentials make sense?
For most SMEs, Cyber Essentials is the right starting point. The most common trigger is a client or contract requirement — particularly if you work with the public sector, handle government data, or supply into larger organisations that have tightened their supply chain requirements.
Cyber Essentials Plus — the higher level of the scheme, which involves hands-on technical verification — is increasingly being written into contracts as a minimum requirement. If you’re tendering for work and you don’t have it, you may simply be ruled out before anyone reads your proposal.
Even outside of contract requirements, Cyber Essentials is a sensible baseline for any business that holds customer data, processes payments, or relies on its IT systems to operate. It’s relatively affordable, quick to achieve, and provides genuine assurance that your fundamentals are covered.
When does ISO 27001 make sense?
ISO 27001 tends to come into the picture when the stakes are higher — or when a client’s procurement process demands it specifically.
One thing many businesses don’t realise when they first encounter ISO 27001 is that it’s not a box-ticking exercise. Achieving certification is one thing. Maintaining it is another. The standard requires you to operate and continually improve your ISMS over time, with regular internal audits, management reviews, and surveillance audits from your certification body. If your organisation treats it as a project with an end date rather than an ongoing commitment, you’ll struggle to hold onto it.
That ongoing rigour is also what makes it valuable. ISO 27001 certification tells clients that information security is embedded in how your organisation actually operates — not just something you addressed once and filed away.
The mistake that costs businesses the most
Here’s something that doesn’t get talked about enough: choosing the wrong certification body.
Not all ISO 27001 certifications carry the same weight. There are two broad categories of certification body in the UK — those accredited by UKAS (the United Kingdom Accreditation Service) and those that are not.
UKAS accreditation is the gold standard. It means the certification body itself has been independently assessed and meets rigorous international requirements. If you’re planning to use your ISO 27001 certification to win contracts, respond to tenders, or demonstrate compliance to enterprise clients, UKAS-accredited certification is almost always what they’re expecting.
We’ve seen this play out in practice. We were brought in to support a business that had already committed to achieving ISO 27001 through a QMS-accredited body — the decision had been made before we were involved, and the implementation was already underway. We guided them through the process and they achieved certification. But when a significant new client opportunity came up and they went to submit a tender, they hit a wall. The prospective client’s procurement requirements specifically required a UKAS-accredited ISO 27001 certification. The certificate they held didn’t qualify. Despite having done the work, invested the time, and genuinely improving their security posture, they couldn’t use their certification to win the business they were targeting.
It was an entirely avoidable situation — and one that’s more common than it should be. The difference between QMS-accredited and UKAS-accredited certification isn’t always made clear when businesses are choosing a certification route, particularly when the decision is made without specialist input.
When choosing a certification body, always confirm whether they are UKAS-accredited. If commercial credibility matters to you — and for most SMEs pursuing new contracts, it does — this isn’t optional.
Do you need both?
Often, yes — but in sequence rather than simultaneously.
For most SMEs, the practical path looks like this: start with Cyber Essentials to establish your baseline and meet immediate contract requirements. Then, if your business growth, client base, or risk profile demands it, build towards ISO 27001 as a more comprehensive framework.
The two standards are complementary. Cyber Essentials covers the technical basics. ISO 27001 provides the governance, risk management, and operational structure around them. Having both demonstrates a mature, credible approach to information security — and increasingly, that’s what larger clients want to see before they trust you with their data.
Not sure which applies to you?
The right answer depends on your clients, your contracts, and where your business is heading. If you’re not sure which certification makes sense for your situation — or you’ve been asked to demonstrate compliance and don’t know where to start — we’re happy to talk it through.
No jargon, no sales pitch. Just a straight answer based on your actual circumstances.