Cyber Essentials Plus vs ISO 27001 for Public Sector Bids

Most SMEs bidding into public sector frameworks hit the same question within their first few opportunities: do we need Cyber Essentials Plus, ISO 27001, or both? The answer matters because one costs in the low thousands and takes a couple of weeks, while the other typically runs from £8,000 to £25,000 all in and takes three to six months.

The difference isn't just price and time. These certifications cover different ground, satisfy different framework requirements, and signal different things to buyers. Getting this wrong means either leaving money on the table or wasting budget on certification you don't need yet.

What each certification actually covers

Cyber Essentials Plus is the audited tier of the UK government's Cyber Essentials scheme. It covers the same five technical controls as the self-assessed certificate: firewalls, secure configuration, user access control, malware protection, and security update management (patching, with critical and high-risk updates applied within 14 days of release). An external assessor then verifies the self-assessment hands-on: an authenticated vulnerability scan of a representative sample of in-scope devices, a scan of your internet-facing services, and checks that malware protection actually blocks test files delivered by email and browser download. Two practical points: you need a current Cyber Essentials self-assessment first, and the Plus assessment has to be completed within three months of it; and the certificate only covers the scope you declare, so buyers expect a whole-organisation scope. You're demonstrating baseline hygiene across your IT estate. The focus is technical and specific.

ISO 27001 is the international standard for information security management systems. You're building policies, a risk assessment methodology, and a Statement of Applicability that justifies which of the Annex A controls apply to you (93 of them in the 2022 edition, grouped into organisational, people, physical and technological themes): physical security, HR practices, incident response, business continuity, supplier management, and dozens of other areas. A certification body auditor assesses your documentation, interviews staff, and checks that you're following your own processes. The scope is organisational rather than purely technical. One caveat before you pay anyone: when frameworks and buyers ask for ISO 27001 they normally mean certification by a UKAS-accredited certification body (or an equivalent national accreditation body), and a certificate from an unaccredited issuer may not be accepted at evaluation.

Think of Cyber Essentials Plus as proving your locks work. ISO 27001 is proving you have a complete security strategy, documented processes, and management oversight of risk. There's some overlap in the technical controls, but they're fundamentally different exercises.

Cost and resource implications

Cyber Essentials Plus typically costs between £1,200 and £2,500 including certification body fees. Most SMEs complete it in five to ten working days spread over two to three weeks. The main effort goes into configuration reviews, patching outstanding vulnerabilities, and documenting your setup. If your IT is already well managed, this is straightforward. If it's been neglected, you'll spend time fixing issues before assessment.

ISO 27001 changes scale entirely. Certification costs range from £8,000 to £25,000 for most SMEs, depending on company size, complexity, and how much external consultancy you use. Implementation takes three to six months minimum if you're starting from scratch. You're writing an information security policy, risk assessment methodology, statement of applicability, and typically 20 to 50 supporting procedures and work instructions.

The ongoing difference matters too. Cyber Essentials Plus renews annually with a fresh assessment. Budget one to three days of internal effort each year. ISO 27001 requires continuous operation of your management system: internal audits at planned intervals (the standard sets no frequency, but most SMEs audit the whole system at least once a year, often staged across quarters), an annual management review, and surveillance audits by the certification body every 12 months between your three-yearly recertification. Plan for one person spending 10 to 20 per cent of their time maintaining the system.

For a 15-person consultancy, Cyber Essentials Plus is usually manageable in-house. ISO 27001 typically needs external help unless you have dedicated compliance resource.

Framework requirements across CCS

Framework requirements vary significantly. Some mandate specific certifications, others accept equivalents, and many tier their requirements by lot value.

Crown Commercial Service frameworks increasingly require Cyber Essentials as a minimum entry standard. G-Cloud 14 made it mandatory for all suppliers. The Digital Marketplace requires it across most frameworks. Technology Services 3 requires Cyber Essentials as standard, with Cyber Essentials Plus becoming relevant at higher contract values.

ISO 27001 appears as a requirement primarily on higher-value lots or where you're handling particularly sensitive data. On RM6320 (CWAS3), for example, Cyber Essentials Plus satisfies the security requirement for many lots under certain thresholds. Above those thresholds or in specific security-focused lots, ISO 27001 becomes necessary. We covered the lot structure and requirements in more detail in our RM6320 CWAS3 complete SME guide.

Other frameworks use a scoring approach. They might award full security marks for ISO 27001, partial marks for Cyber Essentials Plus, and zero for Cyber Essentials basic. This doesn't prevent you bidding, but it affects your competitive position.

The pattern across frameworks: Cyber Essentials Plus keeps you in the game for most opportunities. ISO 27001 becomes necessary either when frameworks explicitly require it or when you're repeatedly losing bids to competitors who have it.

When buyers actually care

Framework requirements are one thing. Buyer behaviour at call-off stage is another. This matters to SMEs because their revenue comes from call-off wins, not framework awards. Being on the framework means nothing if you can't convert opportunities.

In technology and cyber security categories, buyers increasingly expect ISO 27001 from shortlisted suppliers even when it's not mandated. If three competitors have it and you don't, you're immediately disadvantaged regardless of technical capability. The certification has become table stakes in certain markets.

For professional services, digital, and consultancy work that doesn't directly involve security, Cyber Essentials Plus is usually sufficient unless you're handling sensitive data. We see clients winning £200,000 to £500,000 call-offs comfortably with Cyber Essentials Plus alone, provided they can demonstrate appropriate security practices in their written responses.

For managed services, outsourced IT, and anything involving access to client systems or data, ISO 27001 substantially improves win rates once you're pursuing contracts above £100,000 annual value. Below that threshold, the investment often doesn't pay back quickly enough unless you're bidding high volumes.

Local government and NHS trusts tend to be more pragmatic than central departments. They'll often accept Cyber Essentials Plus with strong security narratives where a central department would expect ISO 27001. But this is shifting. The direction of travel across the whole public sector is towards higher baseline expectations.

Building a decision framework

Start with your target contract values. If you're pursuing opportunities under £100,000 annually and not in cyber security or high-security categories, Cyber Essentials Plus is probably sufficient for the next 12 to 18 months. Get that in place first. It's quick, relatively cheap, and removes an immediate barrier.

Look at your specific target frameworks. Pull the security requirements for the lots you'll actually bid. If ISO 27001 is mandated, you have a clear answer. If it's not mandated but scores higher in quality assessments, model out how many bids you expect to submit and what win rate improvement would justify the investment.

Consider your pipeline maturity. If you're only just getting onto frameworks and haven't established consistent bid flow yet, investing £20,000 in ISO 27001 is premature. Get Cyber Essentials Plus, start bidding, learn what buyers actually ask for in your categories, then upgrade certification when you have evidence it's limiting you.

The exception is if you're in security-adjacent categories or managed services. There, ISO 27001 is effectively mandatory for serious pursuit. You'll waste time bidding without it.

Factor in buyer perception beyond just formal requirements. If you're selling into technically sophisticated buyers or competing against larger suppliers, ISO 27001 signals organisational maturity that's hard to demonstrate otherwise. This matters more as contract values increase.
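The modelling step above (how many bids, what win-rate improvement, and whether that justifies the spend) is easier to reason about as a small break-even model. The following is an added illustration, not part of the original article or any client's figures: the cost defaults are midpoints of the article's own ranges, the £100,000 contract-value rule and the security-adjacent rule are the article's, and every pipeline number, the `Pipeline` and `IsoCost` names, and the 0.5 "mandated share" threshold are constructed assumptions for the example.

```python
"""Break-even sketch for the Cyber Essentials Plus vs ISO 27001 decision.

Added example, not the article's own figures. Cost defaults are midpoints
of the article's quoted ranges; everything else is a constructed input.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Pipeline:
    """Constructed description of an SME's expected bid pipeline (hypothetical)."""
    bids_per_year: int          # bids you expect to submit over the next year
    avg_contract_value: float   # annual value of a typical win, GBP
    gross_margin: float         # fraction of contract value retained as margin
    win_rate_ce_plus: float     # current win rate holding Cyber Essentials Plus only
    win_rate_iso: float         # win rate you expect once you hold ISO 27001
    iso_mandated_share: float   # fraction of target bids that mandate ISO 27001


@dataclass
class IsoCost:
    """ISO 27001 cost assumptions; defaults are the article's ranges, midpointed."""
    certification: float = 15_000.0  # implementation plus initial audit, one-off
    annual_upkeep: float = 12_000.0  # surveillance audit plus 10-20% of one FTE
    cycle_years: int = 3             # recertification cycle


def expected_margin(p: Pipeline, with_iso: bool) -> float:
    """Expected annual gross margin from the pipeline.

    Without ISO 27001 the bids that mandate it cannot be submitted at all,
    so they drop out of the pipeline rather than merely being lost.
    """
    if with_iso:
        biddable = float(p.bids_per_year)
        win_rate = p.win_rate_iso
    else:
        biddable = p.bids_per_year * (1.0 - p.iso_mandated_share)
        win_rate = p.win_rate_ce_plus
    return biddable * win_rate * p.avg_contract_value * p.gross_margin


def iso_uplift_per_year(p: Pipeline) -> float:
    """Extra annual margin attributable to holding ISO 27001."""
    return expected_margin(p, True) - expected_margin(p, False)


def payback_years(p: Pipeline, c: IsoCost) -> Optional[float]:
    """Years until the one-off cost is recovered, or None if the annual
    upkeep alone eats the uplift and the investment never pays back."""
    net_uplift = iso_uplift_per_year(p) - c.annual_upkeep
    if net_uplift <= 0:
        return None
    return c.certification / net_uplift


def breakeven_win_rate(p: Pipeline, c: IsoCost) -> float:
    """Win rate with ISO 27001 at which the certificate exactly pays for
    itself over one certification cycle. A sanity check on the uplift you
    are assuming: if this is above anything your bid history supports,
    the business case is wishful."""
    required_margin = (expected_margin(p, False)
                       + c.certification / c.cycle_years
                       + c.annual_upkeep)
    return required_margin / (p.bids_per_year * p.avg_contract_value * p.gross_margin)


def recommend(p: Pipeline, c: IsoCost, security_adjacent: bool = False) -> str:
    """Apply the article's decision rules in order, then fall back to payback.

    The 0.5 threshold on mandated share is an assumption for illustration:
    once half your target lots demand ISO 27001, it is a gate, not a score.
    """
    if security_adjacent or p.iso_mandated_share >= 0.5:
        return "ISO 27001 now: it is effectively a gate in your market"
    if p.avg_contract_value < 100_000:
        return "Cyber Essentials Plus only; revisit ISO 27001 in 12-18 months"
    years = payback_years(p, c)
    if years is not None and years <= c.cycle_years:
        return f"Cyber Essentials Plus first, then ISO 27001: payback in {years:.1f} years"
    return "Cyber Essentials Plus now; fund ISO 27001 only when bid feedback shows it is costing you wins"


if __name__ == "__main__":
    # Constructed example: a consultancy bidding a dozen £150k lots a year.
    example = Pipeline(bids_per_year=12, avg_contract_value=150_000,
                       gross_margin=0.30, win_rate_ce_plus=0.25,
                       win_rate_iso=0.35, iso_mandated_share=0.10)
    cost = IsoCost()
    print(f"uplift/year: £{iso_uplift_per_year(example):,.0f}")
    print(f"break-even ISO win rate: {breakeven_win_rate(example, cost):.1%}")
    print(recommend(example, cost))
```

The useful output is `breakeven_win_rate`: it tells you how much the certificate has to move your win rate before it is anything other than a cost, and that number is something you can check against debrief feedback after six to twelve months of bidding rather than guess up front.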

The sequential approach

Most successful SMEs we work with take a staged approach. They implement Cyber Essentials Plus immediately when targeting public sector work. This gets them through the door on most frameworks and lets them start bidding.

They track feedback from buyers over six to 12 months of active bidding. If they're not hearing concerns about security certification, they hold. If security certification comes up repeatedly in evaluation feedback or debrief calls, or if they're targeting higher-value opportunities where competitors have ISO 27001, they move forward with implementation.

This avoids both false economy and premature optimisation. You're not handicapping yourself on early bids, but you're not investing major resource before you understand your actual market position.

The timing matters for cash flow too. ISO 27001 is a significant cost for a small business. Staging it six to nine months after your first framework awards means you're potentially funding it from early contract revenue rather than pure speculation.

One practical consideration: if you're pursuing multiple frameworks with different timelines, get Cyber Essentials Plus before your first framework application. You can add ISO 27001 to existing framework positions later through variation processes on most CCS frameworks, but you can't usually get on the framework at all without meeting minimum security requirements up front.

The question isn't really whether ISO 27001 is the stronger certification. It is: it covers far more ground and carries more weight with buyers. The question is whether it's better enough, soon enough, to justify the investment before you've proven your ability to win work with the simpler certification.

Book a call at bookings.glaxtons.co.uk

Glaxtons, 3 More London Place, London SE1 2RE
