Is ISO 27001 a one-off cost or ongoing?

Ongoing. Annual surveillance audits and a full re-audit every 3 years. Plus internal time on the ISMS continuously.

Can I claim ISO 27001 readiness while pursuing certification?

Yes, but be specific. 'We're working towards ISO 27001 with target certification Q4 2026' is fair. 'We're ISO 27001 aligned' is meaningless and most procurement teams will see through it.

Does ISO 27001 cover GDPR compliance?

Partially. ISO 27001 controls cover the security half of GDPR (data protection by design, breach response, supplier due diligence). It doesn't cover the legal half (lawful basis, data subject rights, DPIAs). You need both.

Can I drop Cyber Essentials Plus once I have ISO 27001?

Generally no. UK government procurement still asks for CE+ specifically. Holding both costs around £2,000 a year extra and saves you the procurement headache.

What is the difference between ISO 27001 and Cyber Essentials Plus?

CE+ tests 5 specific technical controls and is UK-only. ISO 27001 covers 93 Annex A control areas plus a full management system and is recognised internationally. CE+ takes 4-8 weeks and costs £1,500-£3,000 per year. ISO 27001 takes 6-12 months on first pass and costs £8,000-£25,000 per year. Most MSPs who need both hold CE+ first.

ISO 27001 for MSPs: Do You Need It? | Assurix

What ISO 27001 certification involves for MSPs, realistic costs, how long it takes, and how it sits alongside Cyber Essentials and CAF.

Why enterprise clients and insurers are asking for ISO 27001

ISO 27001 is an internationally recognised information security management standard. For MSPs serving enterprise clients or operating in regulated sectors, it is increasingly a commercial requirement rather than a nice-to-have. Insurers also give meaningful weight to ISO 27001 certification when underwriting cyber and PI policies.

What ISO 27001 actually requires

A documented Information Security Management System (ISMS) covering risk assessment, controls, and continual improvement
114 controls across 14 domains mapped to your operational risk profile
An independent audit by an accredited certification body (initial and annual surveillance audits)
Evidence of management commitment and defined roles for information security

Realistic costs and timelines for MSPs

A typical MSP with 10-50 staff can expect 6-12 months to prepare for initial certification, with consultancy and audit fees typically ranging from £8,000 to £25,000 depending on scope and current maturity. Annual maintenance requires ongoing effort from an internal lead.

How ISO 27001 sits alongside Cyber Essentials and CAF

ISO 27001, Cyber Essentials Plus, and the NCSC CAF are complementary rather than competing frameworks. CE+ covers the five core technical controls. CAF covers operational and governance maturity. ISO 27001 provides the management system that ties them together and satisfies enterprise procurement requirements.

Visit https://assurix.com/resources/iso-27001-for-msps to view the full interactive page.