
Cyber Essentials vs ISO 27001: which does your customer actually want?

Customers asking for "security certification" rarely mean the same thing. This guide explains when Cyber Essentials is sufficient, when ISO 27001 is required, and how to use one as a stepping stone to the other.

Author: Jay Hopkins

Editor: Jack Wickham

Read time: 11 min read

When a customer asks for "security certification", they usually do not know whether they want Cyber Essentials or ISO 27001. The wrong answer is expensive in two directions: over-deliver and you burn six months and £20,000+ on an ISO 27001 project you did not need; under-deliver and you miss the tender.

This guide is for UK suppliers who need to decide fast. It covers when Cyber Essentials is sufficient, when ISO 27001 is the real requirement, and how to get to ISO 27001 on the back of your existing Cyber Essentials evidence.

The short decision tree

If the request is for Cyber Essentials or Cyber Essentials Plus by name: that is the answer. Do not volunteer ISO 27001. Certification turnaround is measured in hours (with Fig) or days (with slower certification bodies). The price is £299.99–£549.99 + VAT for CE and £1,499–£4,499 for CE Plus.

If the request mentions a supplier-risk questionnaire or DDQ with 200+ questions: the customer probably wants ISO 27001 or SOC 2. CE will not satisfy the questionnaire.

If the request is "we need evidence you have basic cyber controls": CE is the NCSC-backed baseline and does this job. Do not start an ISO 27001 project.

If the request is from a regulated entity (financial services, NHS, MOD): ask what specifically the contract requires. Procurement frameworks frequently list CE or CE Plus as the minimum; higher-assurance work may require ISO 27001 or DCC. PPN 014/21 is the reference for central government.

When Cyber Essentials is sufficient

Cyber Essentials covers five technical control categories: firewalls, secure configuration, user access control, malware protection, and security update management. It is an NCSC-backed scheme and is explicitly listed in PPN 014/21 for UK central government contracts that handle sensitive data.

Cyber Essentials is the right answer when:

  • The customer asks for "Cyber Essentials" by name.
  • You are bidding on a public-sector tender where CE is the stated minimum.
  • You are a supplier in a private-sector supply chain and the ask is for "baseline cyber hygiene evidence".
  • You need to meet a cyber insurance underwriting requirement.
  • You want to certify within 6 hours because a tender closes tomorrow. Fig guarantees 6-hour turnaround for compliant submissions.

When ISO 27001 is the real requirement

ISO 27001 is a management-system standard. It is heavier - you have to document a risk process, implement a full controls framework (Annex A has 93 controls in the 2022 revision), run internal audits, and pass a multi-day external audit by an accredited certification body.

ISO 27001 is the right answer when:

  • The customer sends a DDQ with 150+ questions covering HR security, supplier management, business continuity, and legal compliance.
  • You are selling SaaS into mid-market or enterprise buyers and being asked for "SOC 2 or ISO 27001".
  • The customer is specifically asking for an Information Security Management System (ISMS), not just technical controls.
  • You are a financial-services supplier subject to operational resilience requirements (DORA, FCA SYSC, CBEST scoping questions).

The overlap: using CE as a foundation for ISO 27001

The five CE control categories map directly to a subset of ISO 27001 Annex A controls - particularly A.8 (technological controls). If you already hold CE or CE Plus, you have already implemented the technical baseline for A.8.1, A.8.7, A.8.15, A.8.16, A.8.22 and others.

What ISO 27001 requires on top:

  • An ISMS scope statement (section 4.3 of the standard).
  • A risk assessment methodology and risk register (section 6).
  • Policies covering HR security, supplier management, physical security, business continuity, and incident response (A.5–A.7, A.15, A.17).
  • Internal audits and management reviews.
  • A Statement of Applicability (SoA) documenting which Annex A controls are in and out of scope, and why.

Practical sequence that works: get CE Plus certified first (fast, cheap, NCSC-backed, satisfies many tenders on its own), then pursue ISO 27001 with your CE Plus evidence as pre-prepared input. That sequence typically takes 6 months end-to-end, compared to 9–12 months for a cold-start ISO 27001 project.

What to say to the customer

If you are not sure what the customer wants, ask them this question: "Are you asking for Cyber Essentials, ISO 27001, or something equivalent?" That question gets you to a definitive answer faster than any framework comparison. If they do not know, default to Cyber Essentials Plus - it is the UK-aligned NCSC-backed scheme with third-party verification and is sufficient for most UK commercial procurement.

Bottom line

CE is the right answer for most UK commercial and public-sector supplier asks. ISO 27001 is the right answer for large DDQs, regulated-industry requirements, and ISMS-level procurement.

Start with CE, use it as a foundation, add ISO 27001 when a specific contract demands it - not before.

About the author

Jay Hopkins

Managing Director, Fig Group

IASME-licensed Cyber Essentials Assessor; IASME Cyber Assurance Assessor

Jay Hopkins is the Managing Director of Fig Group and an IASME-licensed Cyber Essentials assessor. He was previously Head of Technology for a global regulated firm. He works with UK organisations across regulated sectors on baseline compliance, supply-chain assurance, and AI-augmented security tooling.
