ISO 27001, Cyber Essentials and MOD DCC Explained — A Plain English Guide for UK Businesses

TL;DR: Three certifications, very different purposes — here’s what your business actually needs.

  • Cyber Essentials is the government-backed baseline — affordable, practical, and increasingly mandatory.
  • ISO 27001 is the gold standard for information security management — rigorous, comprehensive, and globally recognised.
  • DCC (Defence Cyber Certification) is specific to the MOD supply chain — if you’re in it, you don’t get to opt out.
  • The three aren’t mutually exclusive — and achieving one makes the others significantly easier.

If you’ve been trying to get your head around cyber security certifications lately, you’d be forgiven for feeling like you need a decoder ring. ISO 27001, Cyber Essentials, Cyber Essentials Plus, DCC, Def Stan 05-138 — the acronyms stack up fast. But behind each one is a distinct purpose, a different audience, and a different level of commitment. Here’s what each actually means, who needs it, and how they fit together.

Cyber Essentials — the baseline everyone should have

Cyber Essentials is a UK government-backed certification scheme designed to protect organisations against the most common internet-based cyber threats. It covers five core technical controls: firewalls, secure configuration, access control, malware protection, and patch management.

It comes in two flavours. Standard Cyber Essentials involves a self-assessed questionnaire verified by a certification body. Cyber Essentials Plus goes further — an independent technical audit confirms that the controls are actually in place, not just declared.

Who needs it?

Any business that handles personal data, holds government contracts, or simply wants a credible baseline of cyber security hygiene. It is mandatory for any supplier bidding for UK government contracts that involve handling personal data or delivering certain technical services — and it is now a non-negotiable requirement at every level of the MOD’s new Defence Cyber Certification framework.

For smaller businesses in particular, Cyber Essentials is the most practical and cost-effective starting point. It won’t cover every risk, but it closes the door on the vast majority of opportunistic attacks.

ISO 27001 — the gold standard

ISO 27001 is the internationally recognised standard for Information Security Management Systems (ISMS). Where Cyber Essentials focuses on specific technical controls, ISO 27001 takes a whole-organisation approach — covering people, processes, and technology across every aspect of how your business handles information.

Achieving ISO 27001 certification requires a formal audit by an accredited certification body, documented policies and procedures, a risk assessment framework, and a commitment to continual improvement. It is not a one-time exercise — it requires annual surveillance audits and full recertification every three years.

Who needs it?

Businesses handling sensitive client data, operating in regulated industries, or looking to win enterprise and public sector contracts where security assurance is a procurement requirement. It signals to clients, partners, and insurers that your approach to information security is serious, structured, and independently verified.

At Knowall IT, we hold ISO 27001 certification ourselves — it underpins everything we do across our managed cyber security and managed IT support services. It’s not a badge we carry lightly.

DCC — the one you can’t ignore if you’re in the MOD supply chain

Defence Cyber Certification (DCC) is the MOD’s own certification framework, introduced under Defence Standard 05-138 Issue 4. It applies to any organisation in the MOD supply chain — whether you’re a direct contractor or a supplier several steps removed — and it operates across four levels (L0 to L3) of increasing rigour.

DCC Level 0 is now mandatory for all MOD suppliers. Higher levels are assigned based on the assessed cyber risk associated with your specific contracted output. Unlike Cyber Essentials or ISO 27001, DCC isn’t something you choose to pursue for competitive advantage — if your Cyber Risk Profile requires it, it is a contractual obligation.

Who needs it?

Any business that holds, or supports, an MOD contract. And — critically — any business in the supply chain of an MOD contractor, if that contractor’s risk assessment identifies downstream cyber risk. If you’re unsure whether this applies to you, the honest answer is that you should find out before your next contract renewal, not after.

How do they fit together?

The good news is that these certifications are complementary, not competing. Cyber Essentials is a prerequisite for DCC — you cannot achieve any level of Defence Cyber Certification without it. ISO 27001, meanwhile, covers much of the same ground as the higher DCC levels — if you hold ISO 27001, a significant portion of the evidence and documentation required for DCC Level 1 and above is already in place.

Think of it as a pyramid. Cyber Essentials sits at the base — quick to achieve, broadly applicable, and the entry point for everything above it. ISO 27001 builds the management framework around it. DCC sits alongside both, applying specifically to the defence context and referencing the controls established by the other two.

A practical way to think about it

  • Cyber Essentials — closes the door on common attacks. Every business should have it.
  • Cyber Essentials Plus — independently verified. Essential for government contracts and a strong signal to enterprise clients.
  • ISO 27001 — whole-organisation security management. The right choice if you handle sensitive data, serve regulated sectors, or want to compete at enterprise level.
  • DCC — non-negotiable if you’re in the MOD supply chain. Build on your Cyber Essentials and ISO 27001 foundations and the path to certification becomes considerably shorter.

Do you need all three?

Not necessarily — but the overlap is significant enough that pursuing them together is often the most efficient route. A business that holds Cyber Essentials Plus and ISO 27001 is already well positioned for DCC Level 1 and beyond. Achieving them in isolation, on the other hand, means duplicating effort and evidence that could serve multiple frameworks at once.

The smartest approach is to start with a clear picture of where you stand today. A free security risk assessment will identify the gaps, map your current posture against each framework, and give you a practical roadmap — so you’re building towards all three with a single coherent effort, not chasing each one separately.
