This is the first of four parts. Over the next month I want to lay out a cyber security strategy a UK small or medium business can actually run in the second half of 2026 — not a shopping list, and not a set of slogans, but a sequence of decisions that leaves you measurably harder to hurt by Christmas.
I am going to build it around three reference points, because between them they cover the whole job: Cyber Essentials as the technical floor, Cyber Essentials Plus as the proof that floor is real, and ISO 27001 as the management system that keeps it true after the certificate is framed. Done together, in that order, they cost less and argue with each other less than doing them piecemeal.
A strategy is the sequence. This part is about the ground you are standing on before you start: why this is worth doing, how the three frameworks fit, and the two decisions — scope and ownership — that everything else hangs from.
Why bother, honestly
Not fear. Fear is a bad basis for a budget. Two plainer reasons.
The first is that the attacks that hit businesses your size are not targeted, and they are not clever. They are industrial. Someone runs a public exploit against a million addresses and takes whatever falls out — I wrote about one such crew recently who compromised 25,000 sites with no zero-day, just a long list and a scanner. You are not too small to be attacked. You are exactly the right size to be swept up, because you are the one without a patching discipline or multi-factor authentication turned on.
The second reason is commercial, and it is the one that usually moves the MD. Your customers are starting to ask. Cyber Essentials is already a hard requirement for most UK central-government contracts that touch personal or sensitive data, and it is spreading down supply chains — larger clients now ask their suppliers for it as a condition of doing business. Cyber insurers ask harder questions every renewal. The certificate has quietly become a licence to bid.
So the strategy is not a grudge purchase to make a threat go away. It is the security equivalent of having your accounts in order: partly protection, largely the price of being taken seriously.
Three frameworks, one spine
People treat Cyber Essentials, Cyber Essentials Plus and ISO 27001 as three separate projects with three separate bills. They are better understood as three layers of the same thing.
Cyber Essentials is the floor. It is five technical controls, run by the NCSC and delivered by IASME: firewalls, secure configuration, security update management, user access control, and malware protection. Get those five right across everything you own and you close the door on the overwhelming majority of commodity attacks. It is a self-assessment, signed off by a director, and reviewed by an assessor.
Cyber Essentials Plus is the proof. Same five controls, but instead of taking your word for it, a qualified assessor tests them hands-on — scanning your devices, trying to deliver test malware to your inboxes and browsers, checking your patches are actually current. It is the difference between telling a client you are secure and being able to show it.
ISO 27001 is the management system. This is the one people misunderstand. It is not a bigger pile of technical controls; it is the wrapper that makes the controls repeatable. It asks you to understand your risks, decide which controls apply and write that down, assign ownership, train people, manage suppliers, plan for incidents, and review the whole thing on a schedule. The current version, ISO 27001:2022, is built from seven management clauses (context, leadership, planning, support, operation, performance evaluation and improvement) plus an Annex A catalogue of 93 controls grouped into four themes — organisational, people, physical and technological.
The point is that they nest. The five Cyber Essentials controls sit inside ISO 27001's technological and organisational controls. A business that runs Cyber Essentials properly has already done a meaningful slice of ISO's technical work; ISO then supplies the governance around it that Cyber Essentials never asked for. Build the floor, prove the floor, then build the house on top of it.
What "align completely" means in practice
Aligning to all three does not mean doing three unrelated things. It means one control set, described once, satisfying all three audiences.
Take patching. Cyber Essentials (under the current Danzell requirements) demands that critical and high-risk updates go on within 14 days. ISO 27001 asks, more broadly, that you manage technical vulnerabilities — control A.8.8 — with a documented process, ownership and evidence. The 14-day rule is the sharp, testable version of the ISO requirement. Do the Cyber Essentials thing, write down how you do it, and you have satisfied the ISO control at the same time. The same is true across the board: Cyber Essentials gives you the concrete technical baseline, and ISO gives you the paperwork and the cadence that turn a baseline into a system.
Throughout this series I will keep pointing at where a Cyber Essentials control maps onto its ISO 27001 cousin, so you are building one thing, not three.
Decision one — scope, before anything else
Nothing derails these projects faster than a fuzzy scope, and the Danzell update (the question set in force since 27 April 2026) tightened the screws here deliberately.
Three things you can no longer wriggle out of:
- All your cloud services are in scope. Danzell added a formal definition of a cloud service and closed the exclusions. Microsoft 365, your accounting package, the CRM, the file-sharing tool, the project board the team stood up without telling anyone — if it holds or processes your data and is reached over the internet with your credentials, it is in.
- Every legal entity has to be declared. If you trade through more than one company, each in-scope entity is named on the certificate, with its company number, publicly. No quiet exclusions.
- The scope description has to be specific. Vague boundaries are challenged; any exclusion has to be justified with evidence that it is genuinely segregated from everything else.
My strong advice, for a firm of your size, is not to fight this — certify the whole organisation. Carving out a subset almost always costs more in argument and segregation evidence than it saves, and a partial certificate impresses no one who reads it carefully. Whole-org scope is also exactly what ISO 27001 wants you to define under clause 4, so you are doing that groundwork once.
Practically, the first artefact you produce is an inventory: every device, every operating system version, every cloud service, every location, every legal entity, and — because ISO will ask — what data each holds and how sensitive it is. Dull, and non-negotiable. You cannot secure or scope what you cannot see.
Decision two — someone has to own it
The second foundation is governance, and Danzell made this explicit too: a director now has to sign a declaration acknowledging responsibility for maintaining the controls throughout the certification period. That is not box-ticking. It is the scheme telling you, correctly, that security without an owner rots.
ISO 27001 says the same thing at more length in clause 5: leadership has to be visible, the scope defined, roles assigned, and a policy set from the top. For a business of ten to fifty people this does not mean a security department. It means:
- A named owner. One person accountable for the programme — often the MD or operations lead, working with whoever runs your IT, in-house or outsourced. Not "the IT company"; a person in your business who owns the outcome.
- A light rhythm. A short, minuted review each month while you are building, dropping to quarterly once you are steady. This becomes your ISO "management review" almost for free.
- A risk appetite stated in plain words. What must never happen (client data leaked, payroll stopped for a week), what you will tolerate, what you will spend to avoid it. Boards understand this framing; it is the language of every other risk they manage.
If you outsource IT — most firms your size do — the owner's real job is to hold that supplier to the standard, not to defer to them. Which supplier does what, and to what level, is itself an ISO control (A.5.19 to A.5.22), and we will come back to it.
Objectives for the second half of 2026
A strategy needs targets you can miss. Here is a realistic shape for H2 2026, assuming you start from a standing position in July:
- By end of Q3 (September): whole-organisation inventory complete, the five Cyber Essentials controls remediated, and Cyber Essentials (Danzell) certified.
- By end of Q4 (December): Cyber Essentials Plus passed, and the core of an ISO 27001 management system stood up — risk assessment, Statement of Applicability, the essential policies, incident and backup plans tested at least once.
- Into early 2027: ISO 27001 Stage 1 audit, with certification the following quarter.
ISO 27001 asks you to set measurable security objectives (clause 6.2); the three above are a perfectly good start. Write them down, put dates on them, and review them at your monthly meeting.
The honest cost, and the honest timeline
I will not insult you with the "from £320" figure. That is the assessment fee, and for an unprepared firm it is less than five per cent of the real first-year cost. I set out the full breakdown in a separate piece, but the short version, from watching around forty small firms go through it: an unprepared ten-person business should budget £13,000 to £30,000 in the first year and ten to fourteen weeks of elapsed time to reach Cyber Essentials — most of it remediation, hardware refresh, licensing, and documentation, not the fee.
Cyber Essentials Plus adds a testing engagement on top, typically a few thousand pounds depending on how many device types you run. ISO 27001 adds more again — mostly your own people's time to build and run the management system, plus a certification body's audit fees. None of it is the sticker price, and a strategy that pretends otherwise falls apart in week three when the invoices arrive.
Budget for the real number and the project survives contact with reality. Budget for £320 and it does not.
Where this is going
That is the foundation: three frameworks that nest into one spine, a whole-organisation scope, a named owner, dated objectives, and an honest budget.
Next week, part two goes down into the engine room — the five Cyber Essentials controls one by one, what the Danzell question set now demands of each, the mistakes that fail firms at assessment, and how each control maps onto its ISO 27001 counterpart so you build once and certify twice. It is the least glamorous part of the strategy, and it is the part that does most of the work.