
ISO 27001 and the Cyber Essentials Scheme

Cyber Essentials is a UK government assurance scheme that sets out five technical cybersecurity controls that any organization can implement to achieve a baseline of cybersecurity. Organizations that implement the five security controls, even without certification, can prevent around 80% of cyber attacks.

ISO/IEC 27001:2013 (ISO 27001) is the international standard that provides the specification for an ISMS (information security management system) – a systematic approach to managing information security risk.

ISO 27001 goes considerably further than Cyber Essentials, providing 114 security controls that encompass people, processes and technology. Although Cyber Essentials and ISO 27001 serve different needs, the two should be seen as complementary rather than competing.

Any US organizations that have put the Cyber Essentials scheme’s five controls in place (even without certification) should look to ISO 27001 to improve the maturity of their security practices and to cover information in all formats across a wider scope.

Cyber Essentials vs ISO 27001

What is it?

Cyber Essentials: The Cyber Essentials scheme identifies five fundamental technical security controls that organizations should implement to help defend against the vast majority of Internet-borne threats. It also provides a mechanism to demonstrate that these precautions have been taken.

ISO 27001: The ISO/IEC 27000 set of standards has been developed to help keep information assets secure. They help your organization manage the security of assets such as financial information, intellectual property, employee details or information entrusted to you by third parties. ISO/IEC 27001 is the best-known of these standards, detailing the requirements for an ISMS.

What does it protect?

Cyber Essentials: Data and programs on networks, computers, servers and other elements of an IT infrastructure.

ISO 27001: Information, regardless of where it is found (e.g. digital, hard copy, information systems).

Who can it help?

Cyber Essentials: Organizations of all sizes that need to implement basic cybersecurity measures.

ISO 27001: Organizations of any size and in any sector that need to keep information assets secure.


Controls

Cyber Essentials: The Cyber Essentials scheme has only five controls: secure configuration, boundary firewalls and Internet gateways, access control, patch management and malware protection.

ISO 27001: ISO 27001 has 10 clauses and 114 generic security controls grouped into 14 sections (called “Annex A”).

Implementation and certification

Cyber Essentials: Cyber Essentials is a prerequisite for all suppliers bidding for UK government contracts that involve the handling of sensitive and/or personal information.

ISO 27001: Some organizations choose to implement the Standard to benefit from the best practice it contains. Others achieve certification to reassure customers and clients that the Standard’s recommendations have been followed.

Optimal approach to implementation

If you are new to the world of ISO 27001, certifying to both the Standard and Cyber Essentials at the same time is more resource- and time-effective. IT Governance can help you achieve this with an integrated approach. However, depending on your current resources, time commitment and budget, you may wish to start by implementing the five Cyber Essentials security controls first.

When you are ready to take the next step of implementing a robust ISMS, you will be well positioned to continue to ISO 27001 certification.

Speak to an expert

For more information about the Cyber Essentials Scheme, get in touch with one of our experts today.
