Insights


Cyber Essentials vs ISO 27001: Which One First and When Do You Need Both?
Cyber Essentials vs ISO 27001 is the most common security certification question I hear from UK startups and SMEs. Both improve your security posture. Both open commercial doors. But they are not the same thing, and getting the sequence right saves you time and money.
Daniel Sampson
Apr 14 · 4 min read


Don’t Panic! Your Risk Focused ISO Audit Preparation Checklist
Receiving notice of an upcoming ISO audit often triggers a wave of anxiety for organisations that haven't been through the process before. Quite commonly, ISO audit preparation involves a last-minute scramble to update documentation and review procedures, prompting an all-hands-on-deck approach.
Daniel Sampson
Mar 17 · 4 min read


Internal Audit vs External Audit: What’s the Difference and Why It Matters
In my experience as a Lead Auditor, I’ve seen many organisations approach ISO 27001 risk assessment as a creative writing exercise. They’ll start by building a massive spreadsheet, filling it with ‘low, medium, high’ labels and hope I don't look too closely at the underlying detail.
But in 2026, with cyber threats evolving at machine speed, auditors have had to change their approach to adjust to a much more threatening landscape. What we’re not looking for is a perfect list
Daniel Sampson
Mar 10 · 3 min read


How Lead Auditors Assess Risk Under ISO 27001
In my experience as a Lead Auditor, I’ve seen many organisations approach ISO 27001 risk assessment as a creative writing exercise. They’ll start by building a massive spreadsheet, filling it with ‘low, medium, high’ labels and hope I don't look too closely at the underlying detail.
But in 2026, with cyber threats evolving at machine speed, auditors have had to change their approach to adjust to a much more threatening landscape. What we’re not looking for is a perfect list
Daniel Sampson
Feb 26 · 3 min read