ISO 27001 and the Cyber Essentials Scheme

Embarking on certification to Cyber Essentials and ISO 27001

Cyber Essentials is a UK government assurance scheme that sets out five technical cyber security controls that all organisations can implement to achieve a baseline of cyber security.

ISO/IEC 27001:2013 (ISO 27001) is the international standard that provides the specification for an ISMS (information security management system) – a systematic approach to managing information security risk.

ISO 27001 goes considerably further than Cyber Essentials, providing 114 security controls that encompass people, processes and technology.

Although Cyber Essentials and ISO 27001 serve different needs, the two should be seen as complementary rather than competing.

Organisations that have put the Cyber Essentials scheme’s five controls in place should look to ISO 27001 to improve the maturity of their security practices and to extend their scope to information in all formats.

Cyber Essentials vs ISO 27001

What is it?

Cyber Essentials: The Cyber Essentials scheme identifies five fundamental technical security controls that organisations should implement to help defend against the vast majority of Internet-borne threats. It also provides a mechanism to demonstrate that these precautions have been taken.

ISO 27001: The ISO/IEC 27000 set of standards has been developed to help keep information assets secure. These standards help your organisation manage the security of assets such as financial information, intellectual property, employee details or information entrusted to you by third parties. ISO/IEC 27001 is the best-known of these standards, detailing the requirements for an ISMS.

What does it protect?

Cyber Essentials: Data and programs on networks, computers, servers and other elements of an IT infrastructure.

ISO 27001: Information, regardless of where it is found (e.g. digital, hard copy, information systems).

Who can it help?

Cyber Essentials: Organisations of all sizes that need to implement basic cyber security measures.

ISO 27001: Organisations of any size and in any sector that need to keep information assets secure.

The Cyber Essentials scheme has only five controls: secure configuration, boundary firewalls and Internet gateways, access control, patch management and malware protection.

ISO 27001 has 10 clauses and 114 generic security controls, grouped into 14 sections in its Annex A.

Implementation and certification

Cyber Essentials is a prerequisite for all suppliers bidding for UK government contracts that involve the handling of sensitive and/or personal information.

Some organisations choose to implement the Standard to benefit from the best practice it contains. Others achieve certification to reassure customers and clients that the Standard’s recommendations have been followed.

Optimal approach to implementation

If you are new to the world of ISO 27001, certifying to both the Standard and Cyber Essentials at the same time is more resource- and time-efficient.

IT Governance can help you achieve this with an integrated approach. However, depending on your current resources, time commitment and budget, you may wish to start with certification to Cyber Essentials. This will give you an introduction to the world of certification and information security.

When you are ready to take the next step of implementing a robust ISMS, you will be well positioned to continue to ISO 27001 certification.
