ISO 27001, NIS2, and Cyber Essentials: Why You Don't Need Three Compliance Projects

2026-03-26 · 8 min read

Your board wants ISO 27001. Your supply chain partners require Cyber Essentials. And NIS2 just expanded its scope to cover your sector. Three frameworks, three sets of consultants, three piles of evidence - and your IT budget hasn't tripled to match.

Here's what nobody selling you compliance services wants you to hear: over 80% of the controls across these three frameworks overlap. You don't need three compliance projects. You need one strategy that produces the right evidence once and maps it to all three.

If you've ever wondered whether your business already falls under NIS2 without realising it, you're not alone. With 43% of UK businesses reporting a breach or attack in 2025 according to the Cyber Security Breaches Survey, the pressure to get compliant - fast - is real. But running three uncoordinated compliance projects can cost you more than one well-planned effort, and the numbers below show why.

What happens when you treat each framework as a separate project?

Most consultancies will happily sell you three separate compliance engagements. ISO 27001 readiness: £15,000–£40,000. Cyber Essentials certification support: £3,000–£8,000. NIS2 gap analysis: another £10,000–£25,000. Each with its own timeline, its own documentation requirements, and its own evidence collection process. Your IT administrator - already stretched thin - now juggles three sets of auditor requests.

The result? Duplicated work everywhere. Your access control policy gets written three times with slightly different wording. Your incident response procedures exist in three separate documents. Your risk assessments use three different templates. And when something changes - a new system, a departed employee, a policy update - you update it in one place and forget the other two. That's not compliance. That's a documentation debt spiral.

Meanwhile, 67% of vendors lost contracts in 2024 simply because they couldn't produce compliance proof when asked (Marsh McLennan). Not because they were insecure - because their evidence was scattered across frameworks.

Where exactly do ISO 27001, NIS2, and Cyber Essentials overlap?

The overlap is not vague. It's concrete, documented, and mappable. All three frameworks require the same foundational controls - they just use different language to describe them. Here's how the core requirement areas stack up:

Control area | ISO 27001:2022 (Annex A unless stated) | NIS2 (Directive 2022/2555) | Cyber Essentials (five controls)
Access control & authentication | A.5.15–A.5.18, A.8.5 | Art. 21(2)(i) access control; Art. 21(2)(j) MFA | User access control
Incident response | A.5.24–A.5.28 | Art. 21(2)(b); reporting under Art. 23 | Not covered (Plus adds no incident controls)
Risk assessment | Clause 6.1.2 (main body, not Annex A) | Art. 21(2)(a) | Not covered
Patch management | A.8.8, A.8.19 | Art. 21(2)(e) vulnerability handling | Security update management
Network security / firewalls | A.8.20–A.8.22 | Art. 21(2)(a), (e) | Firewalls
Malware protection | A.8.7 | Art. 21(2)(g) basic cyber hygiene | Malware protection
Supply chain security | A.5.19–A.5.22 | Art. 21(2)(d) | Not covered
Business continuity / backups | A.5.29–A.5.30, A.8.13 | Art. 21(2)(c) | Not covered
Security awareness training | A.6.3 | Art. 21(2)(g) | Not covered

Cyber Essentials' remaining control, secure configuration, is not in the table; it corresponds most closely to ISO 27001 A.8.9 (configuration management). Cyber Essentials Plus does not add controls to this list: it is an independent technical verification of the same five.

When you implement proper access control for ISO 27001, you've simultaneously covered the NIS2 access control and MFA measures and the Cyber Essentials user access control requirement. One control. One piece of evidence. Three frameworks ticked. The caveat a practitioner will want: the control is shared, but each framework consumes the evidence differently. An ISO 27001 auditor expects it tied to your ISMS scope and risk treatment plan, Cyber Essentials wants it expressed as self-assessment answers (and, for Plus, verified by an assessor on sampled devices), and NIS2 enforcement looks at whether the measure is proportionate to your risk. Collect the evidence once, but keep the mapping to each framework's wording explicit.

Why do 97% of UK businesses still skip Cyber Essentials?

The statistic is striking: 97% of UK businesses are not Cyber Essentials certified. It's not because certification is hard - the technical controls are baseline security hygiene. It's because businesses see compliance as a separate activity from running their IT, rather than a natural byproduct of it. They think they need to stop what they're doing, hire a consultant, fill in forms, and hope for the best.

This mindset multiplies when you add ISO 27001 and NIS2 to the stack. Three frameworks feel like three mountains. So businesses delay all of them - and remain exposed. The average cyber claim cost sits at $345,000 according to Atlantic Digital. One in three SMBs was hit by a cyberattack in 2024 (BizTech Magazine). These aren't abstract numbers. They're the reason your cyber insurer demands specific controls before approving your policy. Speaking of which - 41% of cyber insurance applications get denied on first submission (MoneyGeek). The overlap between what insurers require and what these three frameworks demand is no coincidence.

What does a single-evidence-base strategy actually look like?

Instead of three parallel projects, you build one compliance foundation. Start with the shared controls - access management, patch management, firewalls, malware protection, incident response, and security awareness. These six areas cover roughly 80% of all requirements across the three frameworks. Document each control once, collect evidence once, and map that evidence to the corresponding clause in each framework.

For example, your multi-factor authentication policy satisfies ISO 27001 A.5.17 and A.8.5, NIS2 Article 21(2)(j), and the Cyber Essentials user access control requirement (which mandates MFA for cloud services) - simultaneously. Your patch management process covers ISO 27001 A.8.8, NIS2 Article 21(2)(e), and the Cyber Essentials security update management requirement (critical and high-risk updates applied within 14 days of release). One process, one evidence trail, three compliance checkboxes. The remaining 20% of controls are framework-specific: ISO 27001 requires a formal Information Security Management System (ISMS) with a documented risk assessment and treatment plan, NIS2 demands specific incident reporting timelines under Article 23 (early warning within 24 hours of becoming aware of a significant incident, notification within 72 hours, final report within a month), and Cyber Essentials Plus requires hands-on technical verification. But the foundation is shared.

If you're not sure where your security posture stands today, the ISO 27001 readiness quiz takes five minutes and shows you exactly which controls you already have in place.

How much does multi-framework compliance actually cost with the traditional approach?

Let's add up the traditional route. A managed service provider charges 100–250 EUR per user per month. For a 50-person company, that's 60,000–150,000 EUR annually - and most MSPs don't include compliance documentation. Standalone compliance platforms like Vanta or Drata run 7,500–50,000 EUR per year, but they're evidence collectors, not IT operators. You still need someone to actually implement the controls they track.

So you're paying the MSP for IT management, plus a compliance platform for documentation, plus consultants for gap analysis and audit prep. Three separate cost centres for something that should be one workflow. And when the M&S, Co-op, and Harrods breaches demonstrated a combined impact of over £300 million in 2025, the boardroom suddenly wants proof that your compliance isn't just paperwork. It needs to reflect your actual, real-time security posture.

Capability | Traditional MSP + consultants | Compliance platform only | Fusion AI
IT operations management | ✅ (100–250 EUR/user/mo) | | 
Compliance evidence collection | ❌ (extra cost) | ✅ (7,500–50,000 EUR/yr) | 
Multi-framework mapping | ❌ (consultant fees) | Partial | ✅ (ISO 27001, NIS2, CE)
Real-time control monitoring | | | 
Time to first compliance report | 3–6 months | 2–4 weeks | 48 hours
Annual cost (50 users) | 75,000–180,000 EUR | 7,500–50,000 EUR + MSP | See pricing

What makes compliance a byproduct instead of a project?

The shift is conceptual before it's technical. When your IT management platform is already monitoring access controls, tracking patch status, verifying firewall configurations, and logging incidents - compliance evidence generates itself. You don't schedule a quarterly evidence collection sprint. The evidence exists because the controls are operating.

This is the core idea behind Fusion AI: your compliance is the natural byproduct of good IT management. Connect your systems in 45 minutes. See your first compliance posture report in 48 hours. Reach full multi-framework compliance readiness within 30 days. Not because we cut corners - because when the operational controls are genuinely in place, the evidence already exists.

The cost of not having compliance isn't just regulatory fines - it's lost contracts, denied insurance claims, and the $345,000 average cyber claim cost cited above, for incidents that proper controls would have prevented. ICO fines jumped sevenfold in 2025, from £2.7 million to £19.6 million. The regulatory environment isn't waiting for your compliance project to finish.

How do you start without disrupting your current operations?

You don't need to rip anything out. The overlap strategy works precisely because it layers on top of what you already have. Step one: take the free security scan to map your current controls against all three frameworks simultaneously. You'll see exactly which controls you already satisfy, which ones need attention, and where a single fix closes gaps across multiple frameworks.

Step two: prioritise the shared controls - the ones that count three times. Implementing MFA across your organisation satisfies requirements in all three frameworks at once. Automating your patch management closes gaps in all three. Each action has triple the compliance impact. Step three: address the framework-specific requirements. ISO 27001's ISMS and risk assessment documentation, NIS2's Article 23 reporting clock (24-hour early warning, 72-hour notification), and Cyber Essentials Plus technical verification. These are the 20% that need targeted attention. But with 80% already handled, you're spending your energy where it actually matters - not duplicating work you've already done. Use the cybersecurity checklist for SMBs to track your progress as you go.

The bottom line

Three frameworks don't mean three times the work. ISO 27001, NIS2, and Cyber Essentials share the same security DNA. Build once, evidence once, certify across all three. That's not a shortcut - it's the only strategy that makes sense for an SMB that needs to be compliant without a six-figure budget.

With cyberattacks up 49% in the first half of 2025 (Identity Week) and 82.6% of phishing emails now containing AI-generated content, the threat landscape isn't slowing down for your compliance timeline. You need a strategy that gets you ISO 27001-ready, NIS2-ready, and Cyber Essentials certified from a single platform, a single evidence base, and a single monthly cost.

Run the free security scan now - it maps your current posture against all three frameworks in minutes. No consultants, no forms, no commitment. Just a clear picture of where you stand and what it takes to close the gaps.

Or if you'd rather explore at your own pace, start a free trial and see how compliance becomes the thing that happens while you're managing your IT - not instead of it. Peace of mind isn't a luxury. For an SMB in 2026, it's a business requirement.