The journey to a safer, more productive business

Ever since the Cyber Essentials scheme launched in 2014, companies have used it, and similar cybersecurity certifications, to showcase their trustworthiness and meet industry regulations. Conscientious companies that complete such schemes get listed on a searchable register of certified businesses and organisations.

But the truth is that the journey to cybersecurity compliance isn’t as simple as filling out an application.

The route can wind from the basics of Cyber Essentials to the independent auditing of Cyber Essentials Plus. Some organisations even choose to tackle the challenge of ISO 27001 compliance.

In this guide, we cut through the noise and outline the three most common UK cybersecurity certifications, how to choose the right one for you, and how to get certified.

Cyber Essentials

Good for: Any business

Key features: Self-assessment, accessible to all businesses

Certification requirements: Basic

Cyber Essentials Plus

Good for: Actively growing businesses, industries with higher security requirements

Key features: On-site technical audit

Certification requirements: Detailed

Cyber Essentials

ISO 27001

Good for: Highly-regulated industries

Key features: Processes and policies, internal and external audits

Certification requirements: In-depth

Cyber Essentials

The first port of call

The Cyber Essentials scheme is a UK cybersecurity certification that outlines the security procedures a company should have in place to secure their data. Cyber Essentials is highly recommended for SMEs because this certification protects you against 98.5% of the most common cyber threats.

The update includes new requirements and clarification for:


Internet gateways

Secure configuration

Access control

Malware protection

Patch Management

Cyber Essentials Plus

The next step

Cyber Essentials Plus has the same simple approach as Cyber Essentials but includes a technical audit of your systems.

The controls you need are the same – the audit just makes sure they’re in place.The audit element of the Cyber Essentials Plus certification requires some more effort, but it offers you the peace of mind that your new protections work effectively.


How Cyber Essentials Plus works

  • The online assessment is the same as the Cyber Essentials Plus certification
  • If you have Cyber Essentials already, you must make your Plus audits within 3 months of your last certification
  • New applicants can complete their online certification as part of Cyber Essentials Plus
  • Auditors typically review your head office and some of your other offices to carry out the tests on a random sample of your systems
  • Many auditors offer remote audits Accredited businesses are certified for 12 months

We recommend Cyber Essentials Plus if..

  • …you want a thorough assessment of your cybersecurity measures, plus a certification
  • …you work with (or want to work with) high-quality clients and want to show them that data protection is a top priority
  • …you work in an industry with higher-than-standard cybersecurity requirements

Businesses with a cybersecurity certification can win more business, making certification a valuable commodity in competitive markets. By showing your commitment to cybersecurity, you can build trust with new customers.For businesses with the budget and ambition to take their accreditations further, we recommend ISO 27001.

A new frontier

ISO 27001

ISO 27001 is the leading international standard for information security. Over 44,000 organisations all over the world use ISO 27001 to protect their data. The basic goal of the certification is to protect three aspects of information:

  • Confidentiality: Only authorised people have the right to access information
  • Integrity:  Only authorised people can change the information
  • Availability: The information must be accessible to authorised people whenever it’s needed

How ISO 27001 works

Gap analysis

Before inviting an auditor, perform a gap analysis to identify the status of information security, and an initial expectation of required effort


Produce the relevant documents and processes


Invite the auditor to assess your efforts.


Accredited businesses are certified for 3 years. During this time, the certification body performs surveillance audits to check in on your activity

We recommend

ISO 27001 if…

  • Your business specifically needs an ISO 27001 certification
  • Your customers and competitors also have ISO 27001
  • You work in the health or public sectors

Compliance made easy

How to take your cybersecurity certifications further

The best option is the 360˚ protection route, first choose one certification to implement and then transition to the other. Don’t make the mistake of trying to do everything at once! If you want to cover all bases, you can work towards both the ISO 27001 and Cyber Essentials. Just because you’re ISO 27001 certified, it doesn’t mean that you’re Cyber Essentials compliant or vice versa.

Being certified in both is an excellent way to ensure 360˚ protection, but it requires considerable investment. For most businesses, we recommend starting with Cyber Essentials because it’s a self-serve option, making it a simple way to start your cybersecurity journey. ISO 27001 requires a bigger up-front investment because you must move from general security management procedures to documented and audited cybersecurity processes.

Adapting to ever-changing cybersecurity standards is both a challenge and an opportunity. The Cyber Essentials scheme is a chance to highlight your company’s commitment to protecting client data. At CyberSmart, we’ve helped many clients achieve Cyber Essentials and Cyber Essentials Plus certifications. We offer all the guidance you need to pass your certification – with tips and live support that mean you’ll answer the questions correct first time. If your business is a bit more complex and you need to supply additional info, there’s no charge for resubmissions.

“CyberSmart really helped us on our journey to achieving Cyber Essentials certification. “

The device compliance is a real help, and their support team was always on hand to offer advice relating to both the product and Cyber Essentials. Once we submitted the completed application we were certified within a few hours – having this all in one place was useful.

IT Manager