ISO 27001 vs Cyber Essentials UK — Complete Guide 2025

🔒 ISO 27001✅ CE Plus🇬🇧 NCSC📋 NHS DTAC🆓 Free Assessment
July 202511 min readClickMasters Security Team

Direct Answer

Cyber Essentials is the UK baseline — mandatory for government contracts and NHS procurement, achievable in 2–4 weeks for £300–£500. ISO 27001 is the enterprise standard — required for large B2B deals, FCA operational resilience, and international markets, taking 6–18 months and £10,000–£50,000+. ClickMasters holds both: Cyber Essentials Plus and ISO 27001. Most UK software companies should aim for Cyber Essentials first, ISO 27001 when enterprise procurement requires it.

Cyber Essentials — The UK Government Baseline

ControlWhat It RequiresHow ClickMasters Implements
FirewallsNetwork boundary firewalls configured to block unnecessary connectionsAWS Security Groups + VPC NACLs — no unnecessary inbound ports open
Secure configurationSystems and software configured securely — no default passwordsHardened AMIs, no default credentials, SSM Parameter Store for secrets
User access controlMFA for admin accounts, least privilege, unique accounts per userAWS IAM with MFA enforced, RBAC in all applications
Malware protectionAnti-malware on all endpoints and serversAWS GuardDuty, AWS Inspector, endpoint AV on developer machines
Patch managementSecurity patches applied within 14 daysDependabot for dependencies, AWS Patch Manager for OS patches — automated

ISO 27001 — The International Standard

ISO 27001 DomainKey ControlsUK Relevance
A.5 — Information Security PoliciesSecurity policy documentation, management reviewFCA SYSC 13: documented IT security policy required
A.6 — Organisation of Information SecurityRoles and responsibilities, segregation of dutiesSM&CR: named individuals responsible for security
A.8 — Asset ManagementAsset inventory, data classificationUK GDPR Article 30: ROPA includes data classification
A.9 — Access ControlAccess control policy, user provisioning, MFACyber Essentials overlap — audited in ISO 27001
A.12 — Operations SecurityChange management, vulnerability managementFCA PS21/3: change management evidence required
A.13 — Communications SecurityNetwork security, data-in-transit encryptionCyber Essentials overlap + TLS requirements
A.16 — Incident ManagementIncident response, breach notificationUK GDPR: 72hr ICO notification + FCA incident reporting
A.17 — Business ContinuityDR planning, BCP testing, RTO/RPOFCA PS21/3: operational resilience testing
A.18 — ComplianceLegal compliance, security reviewsUK GDPR, FCA, NHS DTAC compliance evidence

When Each Certification Is Required

ScenarioCyber EssentialsCyber Essentials PlusISO 27001
UK Government contract handling personal data✅ RequiredOften specifiedOften required alongside
NHS App Library listing (DTAC Domain 3)✅ Minimum✅ PreferredAccepted — accelerates procurement
FCA operational resilience evidence (PS21/3)SupportingSupporting✅ Strong — ISMS addresses all PS21/3 domains
Large enterprise (FTSE 250+) SaaS procurementExpectedBetter✅ Often required — security questionnaire standard
International market (EU, US)UK-specific — less relevantUK-specific✅ Globally recognised
VC-backed startup Series B due diligenceExpectedBetter✅ Increasingly required at Series B+
Lloyd's of London coverholderExpectedBetter✅ Lloyd's security requirements

Frequently Asked Questions

Common questions about iso 27001 vs cyber essentials uk — complete guide 2025.

Cyber Essentials: approximately £300–£500 per year (certification body fee — IASME, Assured IT Services, etc.). Preparation cost: 2–4 days of internal work (reviewing 5 controls, fixing any gaps). Cyber Essentials Plus: £2,000–£5,000 per year (includes independent technical assessment — vulnerability scan and some manual testing). ClickMasters achieves Cyber Essentials Plus in under 4 weeks for new software projects because controls are built in from Sprint 1.

Not automatically. Many UK government contracts specifically require Cyber Essentials or Cyber Essentials Plus by name — ISO 27001 is not always accepted as an alternative. The NCSC recommends achieving Cyber Essentials first. For NHS procurement: NHS DSP Toolkit Standard requires Cyber Essentials evidence specifically. ISO 27001 is additional — not a substitute for Cyber Essentials in UK government and NHS procurement.

Yes — ClickMasters builds Cyber Essentials-ready infrastructure on all projects: AWS Security Groups, hardened configuration, automated patching (Dependabot + AWS Patch Manager), and MFA enforcement. Client organisations need to achieve their own Cyber Essentials certification for their organisation — but the software infrastructure ClickMasters builds will not be the barrier to certification.

About the Author

ClickMasters Security Team ISO 27001 and Cyber Essentials Plus certified ClickMasters holds ISO 27001 certification and Cyber Essentials Plus. All projects built to Cyber Essentials Plus standard by default.

Free Security Certification Assessment ClickMasters will...

Free Security Certification Assessment ClickMasters will assess your current security posture against Cyber Essentials and ISO 27001 requirements. Free 30-minute call. → clickmasterssoftwaredevelopmentcompany.co.uk/contact/

Book a Free Consultation