Cyber Essentials vs ISO 27001 vs IASME: Which Does Your Business Need?
A practical comparison for UK businesses — covering features, costs, and which option suits different requirements.
Key Facts
Cyber Essentials vs ISO 27001
| Feature | Cyber Essentials | ISO 27001 |
|---|---|---|
| Best For | Satisfying government contract and cyber insurance requirements quickly | Enterprise clients or data sensitivity that demand a fully audited management system |
| Scope | Five technical controls | Whole information security management system: policies, processes, and risk assessments |
| UK Availability | Widely available | Widely available |
| Typical Cost | £300–£500 self-assessment; Cyber Essentials Plus £1,500–£5,000 | £10,000–£50,000 or more for initial certification, plus annual surveillance audits |
| Timescale | One to four weeks | Six to twelve months |
| Complexity | Self-assessment questionnaire (independent testing added for Plus) | External certification audit of the full management system |
When to Choose Each Option
Guidance based on your business requirements.
Choose Cyber Essentials When
You need to satisfy government contract or cyber insurance requirements quickly and at low cost. You hold no certification yet and want a baseline of the five technical controls before anything larger. Your budget is in the hundreds rather than tens of thousands of pounds.
Choose ISO 27001 When
Enterprise clients explicitly require it in procurement. The sensitivity of the data you handle calls for a formally audited information security management system covering policies, processes, and risk assessments. You can commit six to twelve months and a five-figure budget to initial certification, plus annual surveillance audits after it.
Cost Considerations
Cyber Essentials and ISO 27001 have very different cost profiles: a few hundred pounds and a few weeks for Cyber Essentials self-assessment, against £10,000 or more and most of a year for ISO 27001, with surveillance audits every year after. The right choice depends on your business size, existing infrastructure, and who is asking for the certificate. AMVIA can help you evaluate which option delivers the best value for your situation.
The AMVIA Recommendation
Start with Cyber Essentials. It takes two to eight weeks, costs £300–£1,500 managed, and demonstrates security credibility to insurers and procurement teams. Once certified, use it as a foundation for ISO 27001 if your client base or data sensitivity demands it. AMVIA manages both pathways and can advise which fits your current risk profile.
Frequently Asked Questions
Which certification should a UK business start with?
Start with Cyber Essentials. It takes one to four weeks, costs £300 to £500, and satisfies most government contract and insurance requirements. Cyber Essentials certified organisations are 92% less likely to claim on cyber insurance (IASME). Move to IASME Governance if you need GDPR coverage, or to ISO 27001 when enterprise clients explicitly require it.
Is IASME Governance worth considering as a middle step?
Yes. IASME Governance (now branded IASME Cyber Assurance) includes Cyber Essentials as a subset and adds governance, risk management, and a GDPR assessment. It bridges the gap between Cyber Essentials and ISO 27001 at a fraction of ISO's cost. For SMEs that need to demonstrate data protection compliance without the six-to-twelve month ISO 27001 journey, IASME is the practical middle ground.
Can a business hold both Cyber Essentials and ISO 27001?
Absolutely, and many UK businesses do. The certifications are complementary, not competing. Cyber Essentials covers five technical controls (firewalls, secure configuration, user access control, malware protection, and security update management), whilst ISO 27001 encompasses your entire information security management system, including policies, processes, and risk assessments. With 43% of UK businesses experiencing a breach or attack (DSIT 2025), holding both provides layered assurance for different stakeholders.
How much does each certification cost?
Cyber Essentials costs £300 to £500 for self-assessment. Cyber Essentials Plus adds independent testing for £1,500 to £5,000. IASME Governance sits around £1,000 to £3,000. ISO 27001 requires £10,000 to £50,000 or more for initial certification, plus annual surveillance audits. The right investment depends on your client requirements and regulatory obligations.
Not Sure Which to Choose?
AMVIA can assess your requirements and recommend the right solution.
Related Resources
Email Security for UK Businesses
Protect against phishing and BEC attacks
How Much Does Managed Cybersecurity Cost?
UK pricing guide for managed cybersecurity services
What Is a Cyber Breach?
Understanding cyber breaches and what to do
MDR vs EDR: Which Does Your Business Need?
Compare managed detection vs endpoint detection