This article is part of a series on how Pisys approaches data security. Read 'Pisys Security Approach' to learn more.
We are often asked about the security standards we follow in our product development and delivery. Two that come up frequently are Cyber Essentials Plus and ISO/IEC 27001:2022. Both are respected, both provide assurance, and both address different parts of the security picture.
That difference is precisely why we maintain both.
A straightforward distinction
Cyber Essentials Plus (CE+) demonstrates that key technical security controls are in place and have been independently tested.
ISO/IEC 27001:2022 demonstrates that we operate a formal Information Security Management System (ISMS), a risk-based framework for governing, maintaining and continually improving information security.
What Cyber Essentials Plus demonstrates
Cyber Essentials is a UK scheme designed to reduce exposure to common cyber attacks. It focuses on five essential control areas:
1. Firewalls and internet gateways
2. Secure configuration
3. Access control
4. Malware protection
5. Patch management
The “Plus” level is significant: it includes external assessment and practical testing to verify that controls are implemented effectively in practice, not only documented in policy.
Why it matters: Cyber Essentials Plus provides clear assurance that core protective controls are correctly deployed and working as intended.
What ISO/IEC 27001:2022 demonstrates
ISO/IEC 27001:2022 is an internationally recognised standard for establishing, implementing, maintaining and continually improving an ISMS. It goes beyond specific technical settings to cover governance and operational discipline across people, processes and technology, including:
- Risk assessment and risk treatment planning
- Policies, roles and accountability for information security
- Asset and data classification/handling controls
- Supplier and third-party risk management
- Incident management and lessons learned
- Internal audit and management review
- Continuous improvement of security controls over time
Why it matters: ISO 27001:2022 demonstrates that security is managed systematically, with evidence of oversight, accountability and ongoing improvement.
ISO/IEC 27001:2022 is an evolution of ISO/IEC 27001:2013, with only minor clause changes but a refreshed Annex A (93 controls across four themes, down from 114 across 14 domains) to better reflect modern concerns such as cloud services and threat intelligence.
Why one does not replace the other
Both certifications provide assurance, but they answer different questions:
Cyber Essentials Plus: Are the core technical protections in place and independently verified?
ISO/IEC 27001: Is there a mature, risk-based management system to govern security across the organisation and improve it continuously?
An organisation can have strong policies without robust technical implementation, or solid technical controls without consistent governance. Maintaining both addresses that gap.
Why we maintain both
We maintain Cyber Essentials Plus and ISO/IEC 27001:2022 because customers benefit from:
- Independent validation of key technical controls (CE+)
- Proven governance, risk management and continual improvement (ISO 27001:2022)
Together, they provide stronger assurance than either standard alone: the technical baseline is tested and verified, and the management system ensures security remains effective as our environment and threats evolve.
What this means for customers
Maintaining both standards supports practical outcomes, including:
- Reduced exposure to common attack vectors (misconfiguration, unpatched systems, weak access controls)
- Clear accountability and repeatable security processes
- Stronger resilience as systems, suppliers and services change
- Better alignment with procurement, audit and regulatory expectations
Summary
Cyber Essentials Plus demonstrates that essential technical controls are implemented and independently tested. ISO/IEC 27001 demonstrates that information security is governed through a formal, risk-based management system with continuous improvement.
We maintain both because security requires both strong foundations and disciplined management.
Needed for Procurement?
If you want to find out more about how Pisys protects customer data, our public domain security documents are listed below.
Cyber Essentials Plus Certified
Cyber Essentials Plus helps us guard our organisation against cyber attacks. This is important because vulnerability to basic attacks can mark us out as a target for more in-depth unwanted attention from cyber criminals and others. Certification gives us and our customers peace of mind that our defences will protect against the vast majority of common cyber attacks, because those attacks exploit targets that do not have the Cyber Essentials Plus technical controls in place.
ISO 27001 Certified
We strive to ensure the integrity, confidentiality and availability of all systems and data used by Pisys in its delivery of hosted applications to its worldwide client base, protecting these systems and data from all threats, internal and external, deliberate and accidental. To do this, we have deployed an information security management system (‘ISMS’) compliant with the ISO/IEC 27001 information security standard to meet our information security policy. The ISMS will allow compliance with customer contracts, and with the relevant laws of the UK and of any country within which Pisys Ltd operates.