Cyber Essentials to ISO 27001: Building Your Compliance Journey

Jay Hopkins | 14 March 2026 | Last reviewed: 18 April 2026 | 9 min read

Cyber Essentials and ISO 27001 aren't competing standards. They're complementary steps on a maturity journey. This guide explains the relationship between them, helps you decide when to progress, and provides practical steps to move from Cyber Essentials (foundation) to ISO 27001 (comprehensive).

The Compliance Maturity Pyramid

Think of information security compliance as a pyramid:

Level 5: ISO 27001 certification (comprehensive: an independently certified management system and controls)

Level 4: ISO 27001 preparation (in flight: ISMS, risk assessment and controls being built)

Level 3: Cyber Essentials Plus (intermediate: the same five controls, technically verified by an assessor)

Level 2: Cyber Essentials (foundation: five controls, self-assessed)

Level 1: No formal certification (ad hoc security)

Most organisations start at Cyber Essentials (basic: five technical controls). As they mature and face increased regulatory or customer pressure, they progress toward ISO 27001 (comprehensive: a certified information security management system whose Annex A lists 93 controls in the 2022 edition).

This progression isn't mandatory, but it reflects increasing maturity in how organisations approach security.

Cyber Essentials vs ISO 27001: Key Differences

| Aspect | Cyber Essentials | ISO 27001 |

|--------|------------------|-----------|

| Scope | Five technical controls | Management system (ISMS) plus 93 Annex A controls (ISO/IEC 27001:2022) |

| Framework | UK-specific | International (ISO standard) |

| Depth | "Do the basics" | "Do everything well" |

| Governance | Implicit | Explicit documentation and accountability |

| Risk Management | Not required | Mandatory foundation |

| Cost | £500-£5,000 | £20,000-£100,000 |

| Time to certification | 2-4 months | 6-12 months |

| Renewal | Annual | Three-year certificate with annual surveillance audits |

| Who needs it | Anyone | Organisations handling sensitive data, regulated industries, or large enterprises |

The Five Cyber Essentials Controls

Cyber Essentials focuses on five foundational controls:

1. Firewalls (boundary and host-based)

2. Secure configuration

3. Security update management (high-risk and critical updates applied within 14 days of release)

4. User access control (least privilege, separate administrator accounts, MFA where available on cloud services)

5. Malware protection

These are the five controls the NCSC estimates will stop around 80% of common, commodity cyberattacks. They are essentials, not a complete programme: note that security monitoring and incident response are not Cyber Essentials requirements at all; they arrive with ISO 27001.

The 14 ISO 27001 Domains

ISO 27001 expands security well beyond the five controls. The 14 domains below are the Annex A structure of the 2013 edition; the 2022 edition regroups the same ground into four themes (organisational, people, physical and technological) with 93 controls. The 14-domain view remains the most useful map of what the standard covers:

1. Information Security Policies: Documented security direction and accountability

2. Organisation of Information Security: Roles, responsibilities, and governance

3. Human Resource Security: Security awareness, background checks, termination procedures

4. Asset Management: Inventory, classification, and handling of assets

5. Access Control: Authentication, authorisation, and privilege management

6. Cryptography: Encryption, key management, and secure communication

7. Physical and Environmental Security: Facilities, equipment protection, and disposal

8. Operations Security: Change management, backups, and logging

9. Communications Security: Network segmentation and secure protocols

10. Systems Acquisition, Development, and Maintenance: Secure development, testing, and deployment

11. Supplier Relationships: Third-party security and contract management

12. Information Security Incident Management: Incident detection, response, and learning

13. Business Continuity Management: Disaster recovery and resilience

14. Compliance: Legal, regulatory, and contractual requirements

ISO 27001 covers everything from incident management to secure development to supplier contracts - areas Cyber Essentials doesn't address.

When to Progress from Cyber Essentials to ISO 27001

You don't need ISO 27001 just because it exists. Progression should be driven by business need:

Progress if...

  • Your customers require it: Large enterprises increasingly demand ISO 27001 certification from suppliers
  • You handle sensitive data: Financial records, health information, personal data - ISO 27001 shows comprehensive protection
  • You're regulated: Healthcare, financial services, and government contractors often face ISO 27001 requirements
  • You want to scale: ISO 27001 is increasingly table stakes for mid-market and enterprise sales
  • You operate globally: ISO 27001 is recognised internationally, unlike Cyber Essentials (UK-centric)
  • You've mastered Cyber Essentials: You have the five controls running smoothly and want deeper security maturity

Skip or defer if...

  • Your customers don't require it: If your market doesn't demand it, the investment isn't justified
  • You're not handling sensitive data: Small businesses with no regulatory pressure or customer data may not need it
  • You're resource-constrained: ISO 27001 requires significant time and expertise (6-12 months)
  • You're pre-product-market-fit: Early-stage companies should keep the Cyber Essentials baseline in place and defer the formal management system until customers or regulators ask for it

The Progression Path: Step by Step

Phase 1: Stabilise Cyber Essentials (Months 1-3)

Before considering ISO 27001, ensure Cyber Essentials is embedded as ongoing practice, not a point-in-time audit:

  • Continuous monitoring: Your five controls are monitored continuously (not just at renewal)
  • Evidence collection: Evidence of compliance is collected automatically (logs, configs, scans), not manually compiled
  • Regular review: Monthly or quarterly reviews of compliance status
  • Issue remediation: Gaps are tracked and remediated systematically, not ignored

By month three, your Cyber Essentials controls should be operational, not ceremonial.
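As an added example (not code from the article or from Fig's platform), the script below runs the kind of continuous check Phase 1 calls for: it evaluates a constructed host inventory against the five Cyber Essentials controls, including the 14-day patch rule, and emits a timestamped evidence record with findings grouped by control plus a warning list of hosts whose patch window is about to close. The inventory, hostnames, field names and the approved-admin list are invented; in practice the `Host` records would come from your MDM, EDR or configuration-management export.

```python
"""Continuous Cyber Essentials evidence checks over a constructed inventory.

Added example, not code from the original article or from Fig. The
inventory below stands in for an MDM/EDR/CMDB export; hostnames, field
names and the approved-admin list are invented. The checks encode the five
Cyber Essentials controls, including the requirement that high-risk and
critical security updates are applied within 14 days of release.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from datetime import date

PATCH_DEADLINE_DAYS = 14          # Cyber Essentials: critical/high updates within 14 days
APPROVED_ADMINS = {"it-admin"}    # assumption: the only sanctioned local admin account


@dataclass
class Host:
    name: str
    firewall_enabled: bool
    default_credentials: bool
    unneeded_services: list[str]
    local_admins: list[str]
    mfa_enforced: bool
    anti_malware_active: bool
    # release date of the oldest critical/high update not yet applied, if any
    oldest_missing_critical: date | None = None


@dataclass
class Finding:
    host: str
    control: str
    detail: str


def check_host(h: Host, today: date) -> list[Finding]:
    """Evaluate one host against the five controls; one Finding per failure."""
    f: list[Finding] = []
    # 1. Firewalls
    if not h.firewall_enabled:
        f.append(Finding(h.name, "firewalls", "host firewall disabled"))
    # 2. Secure configuration
    if h.default_credentials:
        f.append(Finding(h.name, "secure-configuration", "default credentials still in use"))
    for svc in h.unneeded_services:
        f.append(Finding(h.name, "secure-configuration", f"unneeded service enabled: {svc}"))
    # 3. Security update management (14-day rule)
    if h.oldest_missing_critical is not None:
        age = (today - h.oldest_missing_critical).days
        if age > PATCH_DEADLINE_DAYS:
            f.append(Finding(h.name, "security-updates",
                             f"critical update outstanding {age} days (limit {PATCH_DEADLINE_DAYS})"))
    # 4. User access control
    for acct in sorted(set(h.local_admins) - APPROVED_ADMINS):
        f.append(Finding(h.name, "user-access-control", f"unapproved admin account: {acct}"))
    if not h.mfa_enforced:
        f.append(Finding(h.name, "user-access-control", "MFA not enforced"))
    # 5. Malware protection
    if not h.anti_malware_active:
        f.append(Finding(h.name, "malware-protection", "anti-malware not active"))
    return f


def patches_due_soon(hosts: list[Host], today: date, warn_days: int = 4) -> dict[str, int]:
    """Hosts still inside the patch window but with warn_days or fewer left; value = days left."""
    due: dict[str, int] = {}
    for h in hosts:
        if h.oldest_missing_critical is None:
            continue
        left = PATCH_DEADLINE_DAYS - (today - h.oldest_missing_critical).days
        if 0 <= left <= warn_days:
            due[h.name] = left
    return due


def assess(hosts: list[Host], today: date) -> dict:
    """Evidence record for this run: findings, per-control counts and overall status."""
    findings = [x for h in hosts for x in check_host(h, today)]
    return {
        "assessed_on": today.isoformat(),
        "hosts": len(hosts),
        "compliant": not findings,
        "by_control": dict(Counter(x.control for x in findings)),
        "findings": [(x.host, x.control, x.detail) for x in findings],
        "patches_due_soon": patches_due_soon(hosts, today),
    }


# Constructed inventory for the example run (invented hosts and states).
INVENTORY = [
    Host("ldn-fs01", True, False, [], ["it-admin"], True, True, None),
    Host("ldn-ws17", False, False, ["telnet"], ["it-admin"], True, True, date(2026, 3, 25)),
    Host("ldn-ws22", True, True, [], ["it-admin", "jsmith"], False, True, date(2026, 4, 7)),
]
TODAY = date(2026, 4, 18)  # fixed so the run is reproducible

if __name__ == "__main__":
    import json
    print(json.dumps(assess(INVENTORY, TODAY), indent=2))
```

Run it daily from a scheduler and keep each JSON record: the sequence of records is the evidence of continuous operation that an auditor will later want, and the `patches_due_soon` list is what turns the 14-day rule from a renewal-time surprise into a routine ticket.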

Phase 2: Gap Analysis and Planning (Month 3-4)

Conduct a gap analysis comparing your current state to ISO 27001:

Self-assessment method:

  • Review the ISO 27001 standard (ISO/IEC 27001:2022 is the current version)
  • For each of the 14 domains, assess whether you have policies, procedures, and controls
  • Document gaps and priority remediation areas

Common gaps when moving from Cyber Essentials to ISO 27001:

  • No formal information security policies (ISO domain 1)
  • No documented risk management framework (foundational to ISO 27001)
  • No asset management or classification (ISO domain 4)
  • No cryptography or data protection standards (ISO domain 6)
  • Weak supplier/third-party security assessment (ISO domain 11)
  • No formal incident management procedures (ISO domain 12)
  • No documented business continuity plans (ISO domain 13)

Create a remediation roadmap prioritising:

1. Foundational items that other controls depend on (policies, risk management, roles)

2. High-risk gaps that expose the organisation significantly

3. Effort-light wins that you can tackle quickly to build momentum

Phase 3: Build the Foundation (Months 4-8)

Focus on establishing the three foundational elements of ISO 27001:

1. Information Security Policies

Document your approach to information security at a high level. ISO 27001 expects:

  • Board-approved information security policy
  • Supporting policies covering data protection, access control, incident management, etc.
  • Regular policy review and update cycles

Typical effort: 60-80 hours (drafting, review, approval)

2. Information Security Management System (ISMS)

ISO 27001 requires a documented ISMS - essentially, how your organisation manages information security:

  • Clear roles and responsibilities
  • Decision-making processes
  • Integration with business processes
  • Regular review and improvement

Typical effort: 40-60 hours (documentation, process definition)

3. Risk Management Framework

Unlike Cyber Essentials, ISO 27001 requires systematic risk management:

  • Identify assets and threats
  • Assess likelihood and impact
  • Define risk tolerance
  • Map controls to mitigate identified risks
  • Document the risk assessment and risk treatment process, and the residual risk the business accepts
  • Record which Annex A controls apply, and why, in the Statement of Applicability (a mandatory ISO 27001 document)

Typical effort: 80-120 hours (first risk assessment is significant; subsequent ones are faster)
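To make the risk management loop concrete, here is an added example (not code from the article or from Fig) that implements it in miniature: each risk is scored likelihood × impact on 1-5 scales, compared against a stated risk appetite, treated with controls that map to Annex A references, re-scored as residual risk, and the Statement of Applicability is derived from the controls actually selected rather than written by hand. The assets, threats, scores, reductions and the appetite value are invented; the Annex A references are those of ISO/IEC 27001:2022 and should be checked against your copy of the standard.

```python
"""Risk assessment and Statement of Applicability, in miniature.

Added example, not from the original article or from Fig. Scores,
treatments and the risk appetite are invented for illustration; control
references follow Annex A of ISO/IEC 27001:2022 (verify against the standard).
"""
from __future__ import annotations

from dataclasses import dataclass, field

RISK_APPETITE = 8  # assumption: scores above this need treatment or explicit acceptance


@dataclass(frozen=True)
class Control:
    ref: str
    title: str


@dataclass
class Treatment:
    control: Control
    likelihood_reduction: int = 0   # how many points the control is judged to remove
    impact_reduction: int = 0


@dataclass
class Risk:
    rid: str
    asset: str
    threat: str
    likelihood: int   # 1 (rare) .. 5 (almost certain)
    impact: int       # 1 (negligible) .. 5 (severe)
    treatments: list[Treatment] = field(default_factory=list)

    def inherent(self) -> int:
        return self.likelihood * self.impact

    def residual(self) -> int:
        """Score after treatment; each axis is floored at 1 (no control removes a risk entirely)."""
        lik = max(1, self.likelihood - sum(t.likelihood_reduction for t in self.treatments))
        imp = max(1, self.impact - sum(t.impact_reduction for t in self.treatments))
        return lik * imp


def decide(r: Risk, appetite: int = RISK_APPETITE) -> str:
    """'accept' within appetite as-is; 'treat' brought within appetite; 'escalate' still above it."""
    if r.inherent() <= appetite:
        return "accept"
    return "treat" if r.residual() <= appetite else "escalate"


def assess_register(risks: list[Risk], appetite: int = RISK_APPETITE) -> list[dict]:
    """One row per risk, the shape a risk register or treatment plan needs."""
    return [{
        "rid": r.rid, "asset": r.asset, "threat": r.threat,
        "inherent": r.inherent(), "residual": r.residual(),
        "decision": decide(r, appetite),
        "controls": [t.control.ref for t in r.treatments],
    } for r in risks]


def statement_of_applicability(risks: list[Risk], catalogue: list[Control]) -> dict[str, dict]:
    """Every catalogue control, marked applicable with the risks that justify it, or left unselected."""
    soa = {c.ref: {"title": c.title, "applicable": False, "justification": []} for c in catalogue}
    for r in risks:
        for t in r.treatments:
            soa[t.control.ref]["applicable"] = True
            soa[t.control.ref]["justification"].append(r.rid)
    return soa


# Subset of Annex A used by this example.
A_5_15 = Control("A.5.15", "Access control")
A_5_19 = Control("A.5.19", "Information security in supplier relationships")
A_8_5 = Control("A.8.5", "Secure authentication")
A_8_7 = Control("A.8.7", "Protection against malware")
A_8_8 = Control("A.8.8", "Management of technical vulnerabilities")
A_8_13 = Control("A.8.13", "Information backup")
A_8_24 = Control("A.8.24", "Use of cryptography")
CATALOGUE = [A_5_15, A_5_19, A_8_5, A_8_7, A_8_8, A_8_13, A_8_24]

# Constructed register (invented assets, threats and scores).
REGISTER = [
    Risk("R1", "customer database", "credential theft leading to unauthorised access", 4, 5,
         [Treatment(A_8_5, likelihood_reduction=2), Treatment(A_5_15, impact_reduction=1)]),
    Risk("R2", "staff laptops", "ransomware via malicious attachment", 4, 4,
         [Treatment(A_8_7, likelihood_reduction=1), Treatment(A_8_8, likelihood_reduction=1),
          Treatment(A_8_13, impact_reduction=2)]),
    Risk("R3", "payroll provider", "supplier breach exposes employee data", 2, 5,
         [Treatment(A_5_19, impact_reduction=1)]),
    Risk("R4", "production admin access", "insider misuse of privileged account", 3, 5,
         [Treatment(A_5_15, likelihood_reduction=1)]),
    Risk("R5", "public website", "defacement", 3, 2),
]

if __name__ == "__main__":
    for row in assess_register(REGISTER):
        print(row)
    for ref, entry in statement_of_applicability(REGISTER, CATALOGUE).items():
        print(ref, entry)
```

Two things the run makes visible that a policy document does not: R4 stays above appetite after its only treatment and must be escalated for a documented acceptance or further controls, and A.8.24 ends up not selected, which is exactly the kind of exclusion an auditor will ask you to justify in the Statement of Applicability.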

Phase 4: Implement Missing Controls (Months 8-12)

With foundations in place, implement controls for the 14 domains:

Quick wins (2-4 weeks each):

  • Cryptography policy (data encryption standards)
  • Access control policy (privilege management, MFA)
  • Incident management procedures (incident response workflow)
  • Change management policy (software release process)

Medium effort (4-8 weeks each):

  • Asset management and classification
  • Physical and environmental security assessment
  • Supplier/third-party security assessment
  • Business continuity plan

Significant effort (8+ weeks each):

  • Secure development standards (if you develop software)
  • Comprehensive training and awareness programme
  • Legacy system remediation (bringing old systems into compliance)

Phase 5: Engage an Auditor and Formal Assessment (Months 12-14)

Once you believe you meet ISO 27001 requirements, engage an accredited certification body for formal certification:

Choose an auditor:

  • Select a certification body accredited by UKAS (the United Kingdom Accreditation Service) or an equivalent national accreditation body; an unaccredited certificate carries little weight with customers
  • Get quotes from 2-3 auditors (pricing varies £15,000-£50,000 depending on organisation size)
  • Ask for references from similar-sized organisations

Two-stage audit:

Stage 1 (preliminary audit - 1-2 weeks)

  • Auditor reviews your documentation and ISMS
  • Identifies any obvious gaps before Stage 2
  • Allows you to remediate without affecting certification

Stage 2 (formal audit - 2-3 weeks)

  • Auditor conducts detailed control assessment
  • Interviews staff across the organisation
  • Validates evidence of control implementation
  • Identifies non-conformities (failures to meet the standard)

Outcomes:

  • Recommendation for certification: certificate issued, valid for three years
  • Major non-conformities: a requirement of the standard not met, or a control not operating; these must be closed and verified before the certificate is issued
  • Minor non-conformities: isolated lapses; an accepted corrective action plan is required, with closure checked at the next surveillance audit
  • Observations and opportunities for improvement: recorded, but do not block certification

Phase 6: Maintain Certification (Year 2+)

ISO 27001 certification is valid for three years, but maintaining it requires annual surveillance audits and a full recertification audit before the certificate expires:

Annual surveillance audits (1-2 weeks/year)

  • Auditor reviews ongoing compliance
  • Samples controls to verify they're still operational
  • Identifies any new risks or changes

Continual improvement cycle

  • Regular internal audits (quarterly or semi-annually)
  • Management reviews (at least annually)
  • Risk assessments (at least annually)
  • Control effectiveness reviews

Typical annual effort: 150-300 hours (across the organisation, not just the security team)

Cost and Resource Requirements

One-Time Costs

| Item | Cost |

|------|------|

| Remediation (tools, staff time) | £20,000-£100,000 |

| External consulting (optional) | £10,000-£50,000 |

| Auditor engagement (Stage 1 + Stage 2) | £15,000-£50,000 |

| Total | £45,000-£200,000 |

Annual Costs

| Item | Cost |

|------|------|

| Surveillance audits | £5,000-£15,000 |

| Compliance platform subscriptions | £5,000-£20,000 |

| Staff time (governance, reviews) | £20,000-£40,000 |

| Total | £30,000-£75,000/year |

Resource Effort

  • Implementation: 400-800 hours (0.2-0.4 FTE for 12 months)
  • Ongoing maintenance: 150-300 hours annually (0.08-0.15 FTE)

Real-World Example: Moving from CE to ISO 27001

Company: SaaS fintech startup, 50 employees, handling customer financial data

Starting point:

  • Cyber Essentials certified
  • Basic security controls (firewall, EDR, MFA)
  • No formal security policies or risk management

Timeline:

Months 1-3: Gap analysis and planning

  • Conducted ISO 27001 gap assessment (40 hours)
  • Identified 25 controls requiring remediation
  • Prioritised: data protection (high priority), incident management, access control

Months 4-8: Foundation and quick wins

  • Drafted information security policies (80 hours)
  • Implemented ISMS and defined roles (60 hours)
  • First risk assessment (100 hours)
  • Implemented cryptography and data protection policy (40 hours)
  • Implemented incident management procedures (30 hours)

Months 8-12: Comprehensive control implementation

  • Asset management and classification (60 hours)
  • Access control enhancements (40 hours)
  • Business continuity plan (50 hours)
  • Third-party security assessment (30 hours)
  • Training and awareness (20 hours)

Months 12-14: Audit and certification

  • Stage 1 audit (15 hours internal prep)
  • Stage 2 audit (20 hours internal prep)
  • Remediation of non-conformities (10 hours)
  • Certification awarded

Total effort: ~600 hours over 14 months

Equivalent internal staff: roughly 0.3 FTE over the 14 months, plus external consulting (100 hours)

Cost: ~£80,000 (auditor + external consulting + tools)

Outcome: ISO 27001 certified; enabled sales to enterprise customers who required it

How Fig Supports ISO 27001

Fig Group's platform reduces the work in ISO 27001 compliance through:

  • Gap assessment: Automated comparison of your controls to ISO 27001 requirements
  • Evidence collection: Continuous gathering of control evidence across your IT systems
  • Risk management: Systematic risk identification, assessment, and documentation
  • Control monitoring: Ongoing verification that controls remain effective
  • Audit readiness: Pre-audit scans and evidence compilation for your auditor
  • Multi-framework support: Evidence collected for ISO 27001 simultaneously supports NIS2, Cyber Essentials, and other frameworks

With Fig, you move from compliance as an annual event (audit) to compliance as an ongoing practice (continuous monitoring).

The Bottom Line

The progression from Cyber Essentials to ISO 27001 is not mandatory, but increasingly common for organisations handling sensitive data, serving enterprise customers, or operating in regulated industries.

The journey typically takes 12-18 months and costs £45,000-£200,000, but results in:

  • Internationally recognised certification
  • Documented, comprehensive security programme
  • Enterprise-ready compliance posture
  • Potential for premium pricing to compliance-sensitive customers

Start when customer demand or regulatory pressure justifies the investment. Build the foundation systematically. Engage expert auditors. Maintain rigour in ongoing compliance.

The organisations that will dominate 2026 and beyond are those that embed compliance not as a passing audit, but as a core operational practice. This guide provides the roadmap to get there.

About the author

Jay Hopkins

Managing Director, Fig Group

IASME-licensed Cyber Essentials Assessor | IASME Cyber Assurance Assessor

Jay Hopkins is the Managing Director of Fig Group and an IASME-licensed Cyber Essentials assessor. He was previously Head of Technology for a global regulated firm. He works with UK organisations across regulated sectors on baseline compliance, supply-chain assurance, and AI-augmented security tooling.