The UK cyber assurance landscape is an alphabet soup — Cyber Essentials, CE Plus, IASME, ISO 27001, the CAF — and it's easy to either over-buy or freeze. Here's a plain-English map: what each one is, who actually needs it, and the order that usually makes sense.
Start here: Cyber Essentials
Cyber Essentials is the UK government-backed baseline, run by the NCSC and delivered through IASME. It covers five technical controls that stop the most common internet-borne attacks:
- Firewalls
- Secure configuration
- User access control
- Malware protection
- Security update management (patching)
It's a self-assessment, verified against a questionnaire, renewed annually. For most organisations it's the right first step — and it's frequently a hard requirement for UK public-sector contracts and many supply chains. If you do nothing else this year, do this.
Cyber Essentials Plus is the same five controls, but independently tested rather than self-declared — a hands-on technical audit that checks the controls actually work, not just that you said they do. You go for CE Plus when someone needs proof: a procurement requirement, an insurer, a client's due-diligence team, or simply your own assurance that the self-assessment matched reality.
A step up: IASME Cyber Assurance
IASME Cyber Assurance (formerly IASME Governance) is broader than Cyber Essentials. It wraps the CE technical controls in a wider governance and data-protection standard — risk management, policies, backup, incident response, staff awareness, and GDPR-aware data handling. It comes at two levels: Level 1 (self-assessed) and Level 2 (independently audited).
It's often described as a proportionate, UK-grown alternative to ISO 27001 for small and mid-sized organisations — more than the five controls, less heavyweight than a full management system. A sensible target when you've outgrown Cyber Essentials but ISO 27001 would be using a sledgehammer.
The international standard: ISO 27001
ISO 27001 is the international standard for an Information Security Management System (ISMS). It's not a checklist of controls — it's a management system: you define your risks, decide your controls, document the lot, and demonstrate you operate and improve it over time, verified by external audit.
You go for ISO 27001 when the full management system is genuinely warranted — enterprise scale, regulated obligations, or because large clients won't sign without it. It's the most demanding of these to achieve and maintain, and the most widely recognised internationally.
The outcome-based one: the NCSC CAF
The Cyber Assessment Framework (CAF) is a different animal. It isn't a certificate you pass — it's an outcome-based framework for assessing how well an organisation manages cyber risk, built around four objectives:
- A — Managing security risk
- B — Protecting against cyber attack
- C — Detecting cyber security events
- D — Minimising the impact of incidents
Under those sit fourteen principles, each assessed on whether you're achieving the outcome, not whether you've ticked a box. The CAF is aimed at organisations important to national resilience — operators of essential services under the UK NIS Regulations, and increasingly the wider public sector. If you're in scope, you'll usually know because a regulator or framework has told you so.
(For completeness: NIS2 is the EU directive — it doesn't apply to UK organisations directly, though it can matter if you operate in the EU. The UK has its own NIS regime and is reforming it separately. Don't let the "NIS2" headlines panic a purely UK organisation.)
So which do you actually need?
A rough, honest decision guide:
- Almost everyone: Cyber Essentials. Cheap, fast, often mandatory, genuinely useful.
- Need to prove it (procurement, insurance, client due diligence): Cyber Essentials Plus.
- Want governance and data protection too, proportionate to a small or mid-sized organisation: IASME Cyber Assurance.
- Need the full, internationally recognised management system — usually enterprise scale or large-client demand: ISO 27001.
- In scope for NIS / national resilience / a public-sector mandate: the CAF — and you'll typically be told you need it.
These aren't mutually exclusive. A common, sensible path is Cyber Essentials → CE Plus → IASME or ISO 27001 as obligations grow, with the CAF layered on if and when you fall into its scope. The mistake at both ends is the same: doing nothing because it's confusing, or buying ISO 27001 when Cyber Essentials was what the contract actually asked for.
This is general guidance, not formal compliance advice — your exact obligations depend on your sector, contracts and regulators.
Not sure which baseline you actually need — or how far off it you are? Talk to us. We hold Cyber Essentials Plus, IASME Cyber Assurance and ISO 27001 ourselves, and we'll map your real obligations before anyone spends money chasing a certificate you don't need.
