Cyber Essentials is the cheapest, fastest UK certification (£300 to £600, days, government-backed). Cyber Essentials Plus adds an independent technical audit (£1,500 to £3,500, 2 to 4 weeks). ISO 27001 is the international gold standard (£15k to £80k, 6 to 12 months). SOC 2 is what US enterprise procurement asks for (£20k to £100k, 6 to 12 months for Type 2). Most UK SMEs should start with Cyber Essentials Plus. Sell to enterprise UK or US? Add ISO 27001 or SOC 2 respectively. This guide explains why, with a decision tree at the bottom.
If you sell B2B in the UK in 2026, sooner or later a procurement team asks for a security certification. The market keeps acting as if these four certifications are interchangeable. They are not. Picking the wrong one costs months of effort and tens of thousands of pounds you do not need to spend.
This is a senior-CIO view of which certification to chase, when, and what each actually buys you in the real world.
Quick comparison at a glance
| Certification | Realistic UK cost | Time to certify | Best for |
|---|---|---|---|
| Cyber Essentials | £300 to £600 | 1 to 5 days | UK SMEs, public sector tenders, basic procurement requirements. |
| Cyber Essentials Plus | £1,500 to £3,500 | 2 to 4 weeks | UK businesses bidding for government contracts (mandatory above £100k MoD). |
| ISO/IEC 27001:2022 | £15,000 to £80,000 | 6 to 12 months | Enterprise sales, international clients, regulated industries (FCA, NHS, MoD). |
| SOC 2 Type 1 | £20,000 to £40,000 | 3 to 4 months | SaaS companies selling into US enterprise. Snapshot of controls at a point in time. |
| SOC 2 Type 2 | £35,000 to £100,000 | 6 to 12 months (3 to 12 month observation window) | SaaS in mature US enterprise sales. Demonstrates controls operated effectively over time. |
Cyber Essentials: the UK starting point
What it is: a UK government-backed scheme run by the National Cyber Security Centre (NCSC) and administered by IASME. It certifies you have basic technical controls in place against the most common cyber attacks.
What you actually do: complete a self-assessment questionnaire covering five technical control areas: firewalls, secure configuration, access control, malware protection and patch management. Submit it. Pass. Get the badge. It really is that simple.
Realistic cost: £300 for micro businesses (up to 9 staff), rising to around £600 for organisations of 100+. Annual renewal required.
Realistic time: 1 to 5 days once you start, assuming your controls are already in place. If they are not, budget 2 to 4 weeks for remediation first.
Who needs it:
- Any UK business bidding for public sector contracts.
- Companies handling government data or supplying the NHS.
- SMEs that want a credible "yes we take security seriously" answer to RFP questions.
- Anyone who needs to demonstrate basic cyber hygiene without spending a fortune.
Common mistake: assuming Cyber Essentials proves you are secure. It does not. It proves you have the basics. Sophisticated attackers walk around it without breaking a sweat. Treat it as the floor, not the ceiling.
Cyber Essentials Plus: the same thing, externally verified
What it is: Cyber Essentials with an independent technical audit. A certified assessor remotely tests a sample of your devices and confirms the controls are actually in place, not just claimed.
What you actually do: after passing Cyber Essentials, an assessor schedules vulnerability scans and authenticated tests of your laptops, servers and cloud configurations. They check patch levels, browser security, malware detection and account separation.
Realistic cost: £1,500 to £3,500 depending on size and number of devices. Annual renewal.
Realistic time: 2 to 4 weeks from kickoff. Most of that is scheduling and remediating findings.
Who needs it:
- Mandatory for UK MoD contracts handling MoD Identifiable Information.
- Strongly recommended for any Tier 1 government supplier.
- Companies whose enterprise clients ask for "verified" cyber posture without going to full ISO 27001.
- Anyone whose insurance broker is now requiring it for cyber cover (increasingly common in 2026).
Cyber Essentials Plus offers the best credibility-to-cost ratio in UK security certification. If you are doing one thing this quarter, do this.
ISO 27001: the international gold standard
What it is: the global standard for information security management systems (ISMS) published by the International Organization for Standardization. Updated in 2022 to ISO/IEC 27001:2022 with 93 controls (down from 114 in the 2013 version) across four themes: organisational, people, physical and technological.
What you actually do: build, document and operate an Information Security Management System covering policies, risk assessment, control implementation, internal audit, management review and continuous improvement. Then an external UKAS-accredited certification body (BSI, LRQA, DNV, NQA and others) runs a Stage 1 (documentation review) and Stage 2 (operational audit). If you pass, you get certified for three years with annual surveillance audits.
Realistic cost:
- Small business (10 to 50 staff): £15,000 to £30,000 all-in (consulting + certification body fees).
- Mid-market (50 to 250 staff): £30,000 to £60,000.
- Enterprise (250+): £60,000 to £150,000.
- Annual ongoing: £5,000 to £20,000 in maintenance plus surveillance audit fees.
Realistic time: 6 to 12 months from kickoff to certificate, depending on maturity. If you already have most controls and just need to formalise them: 4 months. From a near-zero starting point: 9 to 12 months.
Who needs it:
- UK companies selling into enterprise where procurement asks for it (financial services, healthcare, government).
- Anyone selling internationally, particularly into EU enterprise.
- Companies handling large volumes of sensitive personal data.
- Regulated industries (FCA, NHS, MoD) where ISO 27001 reduces the burden of regulator audits.
Common mistake: buying ISO 27001 when your buyers actually want SOC 2. If you sell SaaS into US tech buyers, SOC 2 is what they will ask for. ISO 27001 will be a curiosity to them. Match the cert to the buyer.
SOC 2: the US enterprise gatekeeper
What it is: a US auditing standard from the American Institute of Certified Public Accountants (AICPA). Not actually a certification, technically: it is an attestation report produced by a licensed CPA firm. There are two flavours: Type 1 (controls in place at a point in time) and Type 2 (controls operated effectively over a 3 to 12 month observation window). Most US enterprise buyers will accept Type 1 to unblock a deal but want Type 2 for renewal.
What you actually do: select the relevant Trust Services Criteria (Security is mandatory; Availability, Confidentiality, Processing Integrity and Privacy are optional). Build and document controls. Engage a CPA firm (Schellman, A-LIGN, BARR, Dansa D'Arata, Prescient Assurance and others) to conduct the audit. Get the report.
Realistic cost:
- SOC 2 Type 1: £20,000 to £40,000 for first-year readiness and audit.
- SOC 2 Type 2: £35,000 to £100,000 in year one (Type 1 typically rolled in), £25,000 to £60,000 annual renewal.
- Add: compliance automation platform (Vanta, Drata, Secureframe, Thoropass) at £8,000 to £25,000 per year. Worth it.
Realistic time: Type 1 in 3 to 4 months from kickoff. Type 2 is dictated by the observation window: 3 months minimum for first-time, 12 months for mature reports. Total elapsed from start to Type 2 report: 6 to 12 months.
Who needs it:
- UK SaaS companies selling into US enterprise. Almost universally required above £50k ACV.
- Companies processing customer data on behalf of US clients.
- Anyone whose US prospects keep saying "do you have SOC 2?" on the second call.
The decision tree
Pick the cert that matches your actual buyers.
- If you have nothing and you sell B2B in the UK: start with Cyber Essentials Plus. £1,500 to £3,500, weeks, satisfies most UK procurement.
- If you sell to UK government or MoD: Cyber Essentials Plus is mandatory above £100k MoD contracts. Add ISO 27001 if you want to compete for Tier 1 supplier status.
- If you sell SaaS into US enterprise: skip ISO 27001. Go straight to SOC 2 Type 1 to unblock deals, then schedule Type 2 within 12 months. Add Cyber Essentials Plus alongside if you also sell in the UK.
- If you sell to UK enterprise (financial services, healthcare, large corporate): ISO 27001 is what procurement will ask for. Cyber Essentials Plus alongside is good belt-and-braces.
- If you sell to global enterprise (US + EU + APAC): you will eventually need both ISO 27001 and SOC 2 Type 2. Most companies do ISO first, then add SOC 2 once US deal flow justifies the cost.
- If your cyber insurance broker is asking for it: Cyber Essentials Plus. Increasingly standard for cyber insurance underwriting in the UK in 2026.
What procurement teams actually look for
Having a certificate is necessary but not sufficient. Mature procurement teams are looking for three things behind the badge:
- Scope: is the certificate's scope statement actually relevant to what you sell to them? An ISO 27001 certificate scoped to "our London office" is worthless if the system serving the client runs in AWS Frankfurt. Read the scope carefully.
- Currency: when was the certificate issued and when does it expire? Surveillance audits passed? SOC 2 reports older than 12 months are stale.
- Evidence: can you produce the supporting documents on request? Risk assessments, incident response runbooks, vendor risk policies, penetration test reports. Increasingly, procurement asks for these in addition to the cert.
Three traps to avoid
Trap 1: starting with ISO 27001 because it sounds best. Many UK companies waste 9 months and £40,000 on ISO 27001 when their actual UK buyers would have been happy with Cyber Essentials Plus and a clean penetration test. Match the cert to who is actually buying.
Trap 2: thinking SOC 2 Type 1 is "good enough". US enterprise will accept Type 1 to start a conversation. They will renew the contract conditional on Type 2 within 12 months. Plan for Type 2 from day one.
Trap 3: outsourcing the certification without owning the ISMS. Some consultants will write your policies for you, get you certified, then vanish. A year later you cannot answer surveillance audit questions because nobody internally understands the system. You need an internal owner from day one, even if the heavy lifting is outsourced.
How long until you can credibly say "we have it"?
For a 25-person UK SaaS business starting from a near-zero baseline today and aiming for both ISO 27001 and SOC 2 Type 2:
- Week 4: Cyber Essentials Plus achieved.
- Month 4: SOC 2 Type 1 report issued.
- Month 9: ISO 27001 Stage 2 audit complete, certificate issued.
- Month 12 to 15: SOC 2 Type 2 report issued (after 12-month observation window).
Total programme cost over 12 to 15 months: £60,000 to £120,000 depending on tooling, consultants and audit firms. Most UK SaaS companies that win enterprise contracts above £100k ACV consider this money very well spent.
Need to get certified, fast?
Apex Options sources vetted security consultants and audit firms, then project-manages your certification end-to-end. Cyber Essentials Plus in weeks, ISO 27001 in months. Send a brief, a human replies within 30 minutes.