
Cyber Essentials to ISO 27001: Building Your Compliance Journey

Fig Group Editorial
9 min read


Cyber Essentials and ISO 27001 aren't competing standards. They're complementary steps on a maturity journey. This guide explains the relationship between them, helps you decide when to progress, and provides practical steps to move from Cyber Essentials (foundation) to ISO 27001 (comprehensive).

The Compliance Maturity Pyramid

Think of information security compliance as a pyramid:

Level 5: ISO 27001 Certification (Gold Standard - Comprehensive)

Level 4: ISO 27001 Preparation (In-Flight - Most coverage)

Level 3: Cyber Essentials+ Advanced (Intermediate - Technical validation)

Level 2: Cyber Essentials (Foundation - Five controls)

Level 1: No formal Certification (Baseline - Ad-hoc security)

Most organisations start at Cyber Essentials (basic, five controls). As they mature and face increased regulatory or customer pressure, they progress toward ISO 27001 (comprehensive, 93 controls across 14 domains).

This progression isn't mandatory, but it reflects increasing maturity in how organisations approach security.

Cyber Essentials vs ISO 27001: Key Differences

| Aspect | Cyber Essentials | ISO 27001 |
|---|---|---|
| Scope | Five core controls | 93 controls across 14 domains |
| Framework | UK-specific | International (ISO standard) |
| Depth | "Do the basics" | "Do everything well" |
| Governance | Implicit | Explicit documentation and accountability |
| Risk Management | Not required | Mandatory foundation |
| Cost | £500-£5,000 | £20,000-£100,000 |
| Time to certification | 2-4 months | 6-12 months |
| Renewal | Annual | Annual with ongoing audits |
| Who needs it | Anyone | Organisations handling sensitive data, regulated industries, or large enterprises |

The Five Cyber Essentials Controls

Cyber Essentials focuses on five foundational controls:

1. Boundary firewalls and internet gateways

2. Secure configuration

3. User access control

4. Malware protection and patch management

5. Security monitoring and incident response

These five controls prevent 80-90% of common cyberattacks. They are the essentials.

The 14 ISO 27001 Domains

ISO 27001 expands security across 14 domains:

1. Information Security Policies: Documented security direction and accountability

2. Organisation of Information Security: Roles, responsibilities, and governance

3. Human Resource Security: Security awareness, background checks, termination procedures

4. Asset Management: Inventory, classification, and handling of assets

5. Access Control: Authentication, authorisation, and privilege management

6. Cryptography: Encryption, key management, and secure communication

7. Physical and Environmental Security: Facilities, equipment protection, and disposal

8. Operations Security: Change management, backups, and logging

9. Communications Security: Network segmentation and secure protocols

10. Systems Acquisition, Development, and Maintenance: Secure development, testing, and deployment

11. Supplier Relationships: Third-party security and contract management

12. Information Security Incident Management: Incident detection, response, and learning

13. Business Continuity Management: Disaster recovery and resilience

14. Compliance: Legal, regulatory, and contractual requirements

ISO 27001 covers everything from incident management to secure development to supplier contracts - areas Cyber Essentials doesn't address.

When to Progress from Cyber Essentials to ISO 27001

You don't need ISO 27001 just because it exists. Progression should be driven by business need:

Progress if...

  • Your customers require it: Large enterprises increasingly demand ISO 27001 certification from suppliers
  • You handle sensitive data: Financial records, health information, personal data - ISO 27001 shows comprehensive protection
  • You're regulated: Healthcare, financial services, and government contractors often face ISO 27001 requirements
  • You want to scale: ISO 27001 is increasingly table stakes for mid-market and enterprise sales
  • You operate globally: ISO 27001 is recognised internationally, unlike Cyber Essentials (UK-centric)
  • You've mastered Cyber Essentials: You have the five controls running smoothly and want deeper security maturity

Skip or defer if...

  • Your customers don't require it: If your market doesn't demand it, the investment isn't justified
  • You're not handling sensitive data: Small businesses with no regulatory pressure or customer data may not need it
  • You're resource-constrained: ISO 27001 requires significant time and expertise (6-12 months)
  • You're pre-product-market-fit: Early-stage companies should focus on product before formal security posture

The Progression Path: Step by Step

Phase 1: Stabilise Cyber Essentials (Months 1-3)

Before considering ISO 27001, ensure Cyber Essentials is embedded as ongoing practice, not a point-in-time audit:

  • Continuous monitoring: Your five controls are monitored continuously (not just at renewal)
  • Evidence collection: Evidence of compliance is collected automatically (logs, configs, scans), not manually compiled
  • Regular review: Monthly or quarterly reviews of compliance status
  • Issue remediation: Gaps are tracked and remediated systematically, not ignored

By month three, your Cyber Essentials controls should be operational, not ceremonial.

Phase 2: Gap Analysis and Planning (Months 3-4)

Conduct a gap analysis comparing your current state to ISO 27001:

Self-assessment method:

  • Review the ISO 27001 standard (ISO/IEC 27001:2022 is the current version)
  • For each of the 14 domains, assess whether you have policies, procedures, and controls
  • Document gaps and priority remediation areas

Common gaps when moving from Cyber Essentials to ISO 27001:

  • No formal information security policies (ISO domain 1)
  • No documented risk management framework (foundational to ISO 27001)
  • No asset management or classification (ISO domain 4)
  • No cryptography or data protection standards (ISO domain 6)
  • Weak supplier/third-party security assessment (ISO domain 12)
  • No formal incident management procedures (ISO domain 12)
  • No documented business continuity plans (ISO domain 13)

Create a remediation roadmap prioritising:

1. Foundational items that other controls depend on (policies, risk management, roles)

2. High-risk gaps that expose the organisation significantly

3. Effort-light wins that you can tackle quickly to build momentum

Phase 3: Build the Foundation (Months 4-8)

Focus on establishing the three foundational elements of ISO 27001:

1. Information Security Policies

Document your approach to information security at a high level. ISO 27001 expects:

  • Board-approved information security policy
  • Supporting policies covering data protection, access control, incident management, etc.
  • Regular policy review and update cycles

Typical effort: 60-80 hours (drafting, review, approval)

2. Information Security Management System (ISMS)

ISO 27001 requires a documented ISMS - essentially, how your organisation manages information security:

  • Clear roles and responsibilities
  • Decision-making processes
  • Integration with business processes
  • Regular review and improvement

Typical effort: 40-60 hours (documentation, process definition)

3. Risk Management Framework

Unlike Cyber Essentials, ISO 27001 requires systematic risk management:

  • Identify assets and threats
  • Assess likelihood and impact
  • Define risk tolerance
  • Map controls to mitigate identified risks
  • Document risk assessment process

Typical effort: 80-120 hours (first risk assessment is significant; subsequent ones are faster)

Phase 4: Implement Missing Controls (Months 8-12)

With foundations in place, implement controls for the 14 domains:

Quick wins (2-4 weeks each):

  • Cryptography policy (data encryption standards)
  • Access control policy (privilege management, MFA)
  • Incident management procedures (incident response workflow)
  • Change management policy (software release process)

Medium effort (4-8 weeks each):

  • Asset management and classification
  • Physical and environmental security assessment
  • Supplier/third-party security assessment
  • Business continuity plan

Significant effort (8+ weeks each):

  • Secure development standards (if you develop software)
  • Comprehensive training and awareness programme
  • Legacy system remediation (bringing old systems into compliance)

Phase 5: Engage an Auditor and Formal Assessment (Months 12-14)

Once you believe you meet ISO 27001 requirements, engage an accredited auditor for formal certification:

Choose an auditor:

  • Select a certification body accredited by UKAS (UK Accreditation Service) or equivalent
  • Get quotes from 2-3 auditors (pricing varies £15,000-£50,000 depending on organisation size)
  • Ask for references from similar-sized organisations

Two-stage audit:

Stage 1 (preliminary audit - 1-2 weeks)

  • Auditor reviews your documentation and ISMS
  • Identifies any obvious gaps before Stage 2
  • Allows you to remediate without affecting certification

Stage 2 (formal audit - 2-3 weeks)

  • Auditor conducts detailed control assessment
  • Interviews staff across the organisation
  • Validates evidence of control implementation
  • Identifies non-conformities (failures to meet the standard)

Outcomes:

  • Pass: Certification awarded (valid three years)
  • Non-conformities: Failures that must be remediated before certification
  • Observations: Minor gaps or areas for improvement (not blocking certification)

Phase 6: Maintain Certification (Year 2+)

ISO 27001 certification is valid for three years, but maintaining it requires:

Annual surveillance audits (1-2 weeks/year)

  • Auditor reviews ongoing compliance
  • Samples controls to verify they're still operational
  • Identifies any new risks or changes

Continual improvement cycle

  • Regular internal audits (quarterly or semi-annually)
  • Management reviews (at least annually)
  • Risk assessments (at least annually)
  • Control effectiveness reviews

Typical annual effort: 120-200 hours (across the organisation, not just security team)

Cost and Resource Requirements

One-Time Costs

| Item | Cost |
|---|---|
| Remediation (tools, staff time) | £20,000-£100,000 |
| External consulting (optional) | £10,000-£50,000 |
| Auditor engagement (Stage 1 + Stage 2) | £15,000-£50,000 |
| Total | £45,000-£200,000 |

Annual Costs

| Item | Cost |
|---|---|
| Surveillance audits | £5,000-£15,000 |
| Compliance platform subscriptions | £5,000-£20,000 |
| Staff time (governance, reviews) | £20,000-£40,000 |
| Total | £30,000-£75,000/year |

Resource Effort

  • Implementation: 400-800 hours (0.2-0.4 FTE for 12 months)
  • Ongoing maintenance: 150-300 hours annually (0.08-0.15 FTE)

Real-World Example: Moving from CE to ISO 27001

Company: SaaS fintech startup, 50 employees, handling customer financial data

Starting point:

  • Cyber Essentials certified
  • Basic security controls (firewall, EDR, MFA)
  • No formal security policies or risk management

Timeline:

Months 1-3: Gap analysis and planning

  • Conducted ISO 27001 gap assessment (40 hours)
  • Identified 25 controls requiring remediation
  • Prioritised: data protection (high priority), incident management, access control

Months 4-8: Foundation and quick wins

  • Drafted information security policies (80 hours)
  • Implemented ISMS and defined roles (60 hours)
  • First risk assessment (100 hours)
  • Implemented cryptography and data protection policy (40 hours)
  • Implemented incident management procedures (30 hours)

Months 8-12: Comprehensive control implementation

  • Asset management and classification (60 hours)
  • Access control enhancements (40 hours)
  • Business continuity plan (50 hours)
  • Third-party security assessment (30 hours)
  • Training and awareness (20 hours)

Months 12-14: Audit and certification

  • Stage 1 audit (15 hours internal prep)
  • Stage 2 audit (20 hours internal prep)
  • Remediation of non-conformities (10 hours)
  • Certification awarded

Total effort: ~600 hours over 14 months

Equivalent internal staff: 0.4 FTE + external consulting (100 hours)

Cost: ~£80,000 (auditor + external consulting + tools)

Outcome: ISO 27001 certified; enabled sales to enterprise customers who required it

How Fig Supports ISO 27001

Fig Group's platform reduces the work in ISO 27001 compliance through:

  • Gap assessment: Automated comparison of your controls to ISO 27001 requirements
  • Evidence collection: Continuous gathering of control evidence across your IT systems
  • Risk management: Systematic risk identification, assessment, and documentation
  • Control monitoring: Ongoing verification that controls remain effective
  • Audit readiness: Pre-audit scans and evidence compilation for your auditor
  • Multi-framework support: Evidence collected for ISO 27001 simultaneously supports NIS2, Cyber Essentials, and other frameworks

With Fig, you move from compliance as an annual event (audit) to compliance as an ongoing practice (continuous monitoring).

The Bottom Line

The progression from Cyber Essentials to ISO 27001 is not mandatory, but increasingly common for organisations handling sensitive data, serving enterprise customers, or operating in regulated industries.

The journey typically takes 12-18 months and costs £45,000-£200,000, but results in:

  • Internationally recognised certification
  • Documented, comprehensive security programme
  • Enterprise-ready compliance posture
  • Potential for premium pricing to compliance-sensitive customers

Start when customer demand or regulatory pressure justifies the investment. Build the foundation systematically. Engage expert auditors. Maintain rigour in ongoing compliance.

The organisations that will dominate 2026 and beyond are those that embed compliance not as a passing audit, but as a core operational practice. This guide provides the roadmap to get there.
