
As a Modern Workplace Architect and Microsoft MVP working directly with SMEs across the UK, one truth comes up again and again:
Most organisations know their security isn’t where it should be, but they don’t have a clear way forward or even know where to start.
YES, there is awareness that more security is needed.
YES, there is concern from IT and the CTO.
AND sometimes there is even urgency.
What is missing is clarity. When you dig into these environments, the challenge is rarely a lack of tools; it is a lack of understanding of:
- What “secure” actually looks like in a modern Microsoft estate
- Which risks genuinely matter versus noise
- How far current configurations are from an acceptable baseline
Cyber security is no longer just an enterprise problem.
Smaller organisations are not exempt; in many ways they are now the preferred targets. Why? Because attackers don’t need to go after the hardest target. They go after the easiest one, and more often than not that means:
- Misconfigured devices
- Weak access controls
- Outdated systems
- No defined, managed security baseline
- Unaddressed security fundamentals
The real issue: security maturity, not awareness
What I consistently see across SME environments is this:
- Microsoft tooling is deployed (M365, Intune, Defender)
- Baselines have not been fully implemented
- Controls have been configured inconsistently
- No ongoing validation or governance is in place
The result is a dangerous position:
SME Cyber Reality (UK)
| Measure | Value |
|---|---|
| UK SMEs reporting a cyber attack | 43–67% (33–57% report none) |
| Most common attack type | Phishing (85%); all other types combined (15%) |
| Risk with Cyber Essentials in place | Much lower |
| Risk with no security baseline | High |
To phrase this differently: up to two in three UK SMEs report being attacked, yet most breaches still come down to basic security gaps.
Having hopefully defined where the issue is, in this blog I want to walk you through a practical way to understand what you need to know and how to build a structured plan to address it. With multiple frameworks, certifications and conflicting advice, knowing where to start matters. The good news is that you don’t need a large internal team or a huge budget to make a plan and move forward. When it comes to your data and device management exposure, Cyber Essentials, the CIS Controls and a Zero Trust approach can help.
Understanding Cyber Essentials (and why it exists)
Cyber Essentials is a UK Government-backed certification scheme, run by the NCSC, designed to help organisations implement a core set of security controls. Put simply, its purpose is to provide a baseline focused on protecting businesses from the most common types of cyber attack. Rather than being theoretical, it gives you a practical checklist of controls to implement across your environment.
Important: although it is a UK Government scheme, Cyber Essentials can be adopted (and certified against) by non-UK companies looking to shore up their security posture, and its five controls are sensible hygiene anywhere.
https://www.ncsc.gov.uk/cyberessentials/overview
The five technical controls covered by Cyber Essentials:
- Firewalls (boundary protection and secure internet connection)
- Secure configuration of devices and systems
- User access control (accounts and privileges)
- Malware protection
- Security update management (keeping systems patched)
You might want to think of Cyber Essentials as:
“The minimum standard every UK business should meet to operate securely.”
It establishes a foundational level of protection: it doesn’t define the strictest possible policies, but it is enough to reduce exposure to everyday, opportunistic threats. That makes it the natural starting point.
Why Cyber Essentials matters (especially now)
For me, an important point to get across is that Cyber Essentials isn’t just about compliance; it also materially lowers your risk.
Most attacks facing SMEs today are:
- Opportunistic
- Automated
- Designed to exploit basic weaknesses
By addressing these weaknesses, I see organisations dramatically reduce the likelihood of compromise. Looking at the wider picture, it also matters commercially:
| Outcome | Business Impact |
|---|---|
| Achieve baseline certification | Opens doors to public sector and regulated contracts |
| Align to industry expectations | Reduces friction in supplier and partner due diligence |
| Demonstrate security maturity | Builds trust with customers and stakeholders |
| Define “secure by default” | Removes ambiguity around what good looks like |
| Assess and measure risk | Enables consistent, repeatable security reviews |
| Validate your environment | Provides evidence of your security posture externally |
For many SMEs, this clarity alone is one of the biggest benefits.
Where CIS fits
While Cyber Essentials provides a baseline, the CIS Critical Security Controls (from the Center for Internet Security) take a broader and more detailed approach.
CIS is:
- More technical
- More granular
- Designed to scale into mature security programmes
It expands beyond the Cyber Essentials scope and introduces controls around:
- Continuous monitoring
- Asset inventory and classification
- Incident detection and response
- Security logging and analysis
- Advanced user and privilege management
Cyber Essentials vs CIS
| Area | Cyber Essentials | CIS Controls |
|---|---|---|
| Purpose | Baseline certification (UK-focused) | Comprehensive security framework |
| Complexity | Low to moderate | Moderate to high |
| Target audience | SMEs, public sector supply chains | SMEs → enterprise (scalable) |
| Approach | Checklist-based | Prioritised, phased through Implementation Groups (IG1–IG3) |
| Certification | Yes (self-assessed Cyber Essentials, or audited Cyber Essentials Plus) | No formal certification model |
| Depth | Foundational | Operational + advanced |
CIS vs Zero Trust – alternative approach or natural progression?
With CIS Controls in place (if you choose to follow that route), the next natural question is where Zero Trust fits alongside them.
This is where confusion often creeps in. CIS and Zero Trust are not competing options; they operate at different layers of your security strategy. CIS Controls provide a structured, prioritised set of actions that help you secure your environment. They define what controls should exist across areas like device management, access control, monitoring and data protection.
Both shape the security posture of your environment, so there is overlap, but Zero Trust does not come with a checklist or a certification.
Zero Trust is a security model and operating philosophy built around the idea that nothing should be implicitly trusted and everything must be verified continuously.
The key difference:
- CIS focuses on which security controls to implement
- Zero Trust focuses on how those controls are enforced and validated in real time
So is Zero Trust an alternative to CIS?
This is where many organisations get it wrong. Zero Trust is not an alternative to CIS; it is better seen as a natural progression from it.
CIS gives you the foundation with:
- Visibility of assets
- Defined access controls
- Security baselines
Zero Trust on the other hand builds on that foundation by introducing:
- Continuous verification of users and devices
- Dynamic, risk-based access decisions
- A mindset of “assume breach” rather than “trust by default”
One way to think about it: for most SMEs this isn’t a choice but a planned journey along a progressive path:
Use Cyber Essentials → Establish a baseline
Move to CIS Controls → To add structure and maturity
And adopt the Zero Trust philosophy → Enforce, validate and continuously secure
When should SMEs choose one over the other?
As a high-level guide use the following as a starting point to build upon.
Start with Cyber Essentials if:
- You don’t currently have a structured security framework
- You need a recognised certification for customers or tenders
- You want to reduce immediate risk quickly
- You lack internal security expertise
Cyber Essentials will provide your organisation with a fast, accessible way to stabilise your environment.
Then move towards CIS if:
- You’ve already implemented the basics
- You need deeper visibility and control
- You’re scaling or handling more sensitive data
- You want a more proactive, operational security model
CIS can help you move from:
“We are protected” → “We are continuously improving and detecting threats.”
Honestly: frameworks alone don’t solve the problem
A common mistake organisations make is focusing on frameworks without understanding their actual environment.
Frameworks don’t show you:
- What devices are truly exposed
- Where permissions are excessive
- Whether controls are consistently applied
- How identity, data and devices interact
In modern environments, and especially in Microsoft 365 and Intune estates, the risk often comes from configuration, not from an absence of tools.
Why Zero Trust changes the approach
Zero Trust moves beyond checklist compliance and reframes security around a simple principle:
“Never trust, always verify.”
https://www.microsoft.com/en-us/security/business/zero-trust
Instead of assuming anything inside your network is safe, Zero Trust focuses on:
- Verifying every identity
- Validating device health before access
- Protecting data wherever it lives
- Monitoring continuously for abnormal behaviour
For most SMEs this doesn’t require building out new platforms; it takes using your existing Microsoft capabilities correctly (Intune and Defender on the device side, Conditional Access on the identity side, for example).
The missing step: assessing your environment properly
As with most improvements, knowing where you are today is what lets you measure progress. Before deciding between Cyber Essentials, CIS or Zero Trust, having clarity on the following goes a long way:
- What assets exist
- How devices are configured
- Where risks and gaps actually sit
- What maturity level you are currently operating at
Without this visibility, you risk:
- Over-investing in unnecessary tools
- Missing critical misconfigurations
- Failing audits despite having “coverage”
A practical approach
A structured path for most UK SMEs looks like this:
Step 1 — Establish visibility
Understand your environment through an assessment:
- Devices
- Identities
- Data access
- Security controls
Step 2 — Apply baseline controls
Use Cyber Essentials as your foundation:
- Fix basic hygiene issues
- Align to a recognised minimum standard
Step 3 — Mature with CIS principles
Introduce:
- Monitoring
- Logging
- Detection
- Risk-based controls
Step 4 — Evolve into Zero Trust
Align security across:
- Devices
- Identity
- Applications
- Data
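As an added example (not code from the original post, and not an official Microsoft or NCSC script), here is how the Step 1 visibility pass and the Zero Trust point about validating device health before access can be checked against an existing Microsoft estate with the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph module is installed, that the signed-in account can consent to the DeviceManagementManagedDevices.Read.All and Policy.Read.All delegated scopes, and that 30 days without a check-in is the threshold for calling a device stale; the output file name is my choice.

```powershell
# Added example: quick visibility pass over an Intune / Entra ID estate.
# Assumptions: Microsoft.Graph module installed; caller can consent to the
# two read-only scopes below; 30 days is the chosen "stale device" threshold.
Connect-MgGraph -Scopes "DeviceManagementManagedDevices.Read.All", "Policy.Read.All" -NoWelcome

# 1. Device picture: what exists, what OS it runs, whether Intune says it is
#    compliant, and when it last checked in.
$staleCutoff = (Get-Date).AddDays(-30)
$devices     = @(Get-MgDeviceManagementManagedDevice -All)

$deviceReport = $devices | ForEach-Object {
    [pscustomobject]@{
        DeviceName      = $_.DeviceName
        OS              = "$($_.OperatingSystem) $($_.OSVersion)"
        ComplianceState = $_.ComplianceState          # compliant / noncompliant / unknown ...
        LastSync        = $_.LastSyncDateTime
        Stale           = ($null -eq $_.LastSyncDateTime) -or ($_.LastSyncDateTime -lt $staleCutoff)
    }
}

$nonCompliant = @($deviceReport | Where-Object { $_.ComplianceState -ne 'compliant' })
$stale        = @($deviceReport | Where-Object { $_.Stale })

# 2. Control picture: are identity and device health actually gating access?
#    Conditional Access grant controls carry the built-in control names
#    'mfa' and 'compliantDevice'; only enabled policies count.
$caPolicies = @(Get-MgIdentityConditionalAccessPolicy -All)
$enabled    = @($caPolicies | Where-Object { $_.State -eq 'enabled' })
$mfaRequired = @($enabled | Where-Object {
    $_.GrantControls.BuiltInControls -contains 'mfa'
})
$compliantDeviceRequired = @($enabled | Where-Object {
    $_.GrantControls.BuiltInControls -contains 'compliantDevice'
})

# 3. Summary a reviewer can act on, plus a CSV for the device list.
"Managed devices: $($devices.Count)"
"  Non-compliant: $($nonCompliant.Count)"
"  Stale (>30 days since check-in): $($stale.Count)"
"Conditional Access policies: $($caPolicies.Count) total, $($enabled.Count) enabled"
"  Enabled policies requiring MFA: $($mfaRequired.Count)"
"  Enabled policies requiring a compliant device: $($compliantDeviceRequired.Count)"

if ($mfaRequired.Count -eq 0) {
    Write-Warning "No enabled Conditional Access policy requires MFA."
}
if ($compliantDeviceRequired.Count -eq 0) {
    Write-Warning "No enabled Conditional Access policy requires a compliant device; device health is not gating access."
}

$deviceReport | Export-Csv -Path .\device-visibility.csv -NoTypeInformation
Disconnect-MgGraph
```

The counts are only a starting point: a policy that requires a compliant device but is scoped to a single group, or excludes most users, still shows up here as "requiring" it, so read the policy conditions alongside the numbers before concluding that device health is enforced.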
Final thoughts
Cyber security doesn’t need to start with complexity.
For most SMEs, Cyber Essentials gives you clarity and a strong starting point. Building on top of it with CIS Controls gives you more depth and structure, but also more policy configuration to manage. Assessing first, then following the Zero Trust philosophy, introduces the required consistency across your entire environment.
The order above is a guide rather than a rule: decide where you are today and which option to follow from there. I would recommend using a skilled resource or company to help you understand where your business stands, make the right decisions and always start with a pilot configuration. I’d also recommend adopting a Zero Trust approach regardless, and using the controls of the other two to decide the level of security best for you.