
NHS Supply Chain: Cyber Essentials Plus vs ISO 27001

The NHS Procurement Policy Note (PPN) 014 makes an important clarification: ISO 27001 certification cannot be used as an alternative to Cyber Essentials Plus. This may seem surprising at first glance; after all, both are well-recognised security standards. However, the distinction comes down to what each one actually verifies, and to what the NHS expects from suppliers handling sensitive health data.

Cyber Essentials Plus

Cyber Essentials Plus is designed as a practical, technical assurance scheme. It focuses on ensuring that a fixed set of baseline security controls is in place, the same five for every organisation:

  • Boundary firewalls and internet gateways

  • Secure configuration

  • User access control and privilege management

  • Malware protection

  • Security update management (timely patching)

The “Plus” element means that an independent certification body, such as Periculo, has tested your systems to verify these controls rather than relying on your own self-assessment: an external vulnerability scan, an authenticated scan of a sample of in-scope devices, and checks that security updates are applied and that malware protection blocks test files. For the NHS, this baseline matters because it provides consistent, measurable protection against common cyber threats across all suppliers. It’s not about being aspirational; it’s about ensuring every organisation can prove it is resistant to the most frequent, commodity types of attack.

ISO 27001: A Risk-Based Approach

ISO 27001, on the other hand, is an international standard for information security management systems (ISMS). It takes a broader, more strategic approach by requiring organisations to:

  • Identify and assess information security risks

  • Select and apply controls to treat those risks, documented in a Statement of Applicability (Annex A of the standard is the reference control set)

  • Continuously monitor, improve, and adapt controls as threats evolve

  • Embed information security into the organisation’s governance and culture

While ISO 27001 is highly valuable, especially for large organisations with complex risk landscapes, it does not guarantee that specific technical baseline controls are in place at all times. The standard allows organisations to choose different measures based on their own risk assessment, and a control can even be excluded in the Statement of Applicability if that assessment justifies it, so the controls actually in place can vary widely between certified businesses.

Why ISO 27001 Isn't Enough

The NHS requires suppliers to demonstrate consistent baseline resilience. Cyber Essentials Plus does this by mandating and testing the same controls across all organisations, regardless of their size or risk appetite.

ISO 27001, while comprehensive, could theoretically allow a supplier to decide that patching certain systems is “low risk” and not apply timely updates. Cyber Essentials, by contrast, requires that updates fixing critical or high-severity vulnerabilities be applied within 14 days of release, and the Plus assessment checks that this has actually happened. The ISO 27001 flexibility is acceptable in a risk-driven framework but not in the NHS’s context, where any supplier vulnerability could create a systemic weakness in the health service supply chain.

In short:

  • Cyber Essentials Plus = Proves a supplier has the baseline technical defences in place, independently tested.

  • ISO 27001 = Proves a supplier operates a risk-managed ISMS, but without guaranteeing that specific baseline technical controls are in place.

What This Means for Suppliers

If you are a supplier to the NHS, Cyber Essentials Plus is non-negotiable under PPN 014. Even if your business already holds ISO 27001 certification, you will still need to obtain Cyber Essentials Plus.

That said, ISO 27001 remains valuable:

  • It demonstrates maturity in managing security risks.

  • It supports broader compliance efforts (UK GDPR, the NHS Data Security and Protection Toolkit (DSPT), and international contracts).

  • It strengthens trust with global partners and investors.

But for NHS procurement, ISO 27001 is supplementary, not a substitute.

The NHS Supply Chain stance is clear: Cyber Essentials Plus is the baseline requirement, and ISO 27001 is not an alternative. For healthtech firms, the smartest approach is often to pursue both. Cyber Essentials Plus ensures you can meet immediate NHS procurement requirements, while ISO 27001 gives you a robust framework for long-term, scalable information security.
