What is a cyber security certification?

A cyber security certification is an independent confirmation that an organisation meets a defined set of information security controls. In the UK, certifications fall into three groups: government-backed schemes like Cyber Essentials and Cyber Essentials Plus, international management-system standards like ISO 27001, and assurance reports such as SOC 2. NIS 2 sits alongside these as a regulatory mandate rather than a voluntary certification.

Buyers, regulators, insurers and supply-chain partners increasingly require evidence that the suppliers they work with meet a recognised standard. The right certification depends on who is asking for it, where you sell, and how mature your security operations need to be. This guide breaks down the five schemes UK organisations encounter most often, what each one covers, what it costs and who it suits.

ISMS.online is the platform UK organisations use to run every cyber security certification in one place, mapping evidence and controls once across Cyber Essentials, ISO 27001, SOC 2 and NIS 2 instead of rebuilding the work for each scheme.

UK SMB starting costs for cyber security certifications: Cyber Essentials from 330 pounds, ISO 27001 from 3000 pounds, SOC 2 Type 2 from 15000 pounds

Why do UK organisations get cyber security certifications?

Five drivers account for almost every certification project we see:

  • Procurement requirements — UK central government contracts require Cyber Essentials for suppliers handling personal information or certain ICT services (Procurement Policy Note 09/14). The Ministry of Defence requires Cyber Essentials or Cyber Essentials Plus for relevant suppliers under DEFCON 658. Many private-sector buyers replicate the same requirement in their supplier qualification processes.
  • Customer demand — B2B customers increasingly send security questionnaires before signing. A current ISO 27001 or SOC 2 certificate often replaces a 200-question questionnaire with a single attachment.
  • Sector regulation — NIS 2 (in the EU) and the UK’s equivalent regime require essential and important entities in critical sectors to demonstrate cyber security controls and incident reporting.
  • Cyber insurance — Underwriters routinely ask for evidence of basic controls before binding a policy. Cyber Essentials certification is often enough at the SMB end; larger or higher-risk insureds increasingly need ISO 27001 or SOC 2.
  • Internal assurance — Boards and audit committees use independent certification as evidence that the controls they are signing off actually exist and work.

If you do not yet know which driver applies to you, our guide "Is Cyber Essentials worth it?" walks through the cost/benefit calculation for the entry-level scheme, and the choice gets clearer from there.

What are the main UK cyber security certifications?

Five schemes dominate the UK cyber security certification landscape. The first four are voluntary certifications, ranging from the UK-specific Cyber Essentials family to internationally recognised standards, while the fifth is a regulatory obligation rather than a true certification. Most UK organisations hold more than one of these over time as customer demand, sector and geography evolve.

Cyber Essentials: the UK government-backed entry point

Cyber Essentials is a UK government-backed certification scheme launched in 2014 and now overseen by the National Cyber Security Centre (NCSC), with IASME as the sole accreditation body since April 2020. It tests five technical control areas (firewalls and routers, secure configuration, user access control, malware protection, and security update management) on every in-scope device and cloud service.

Key facts:

  • Format: Self-assessment questionnaire reviewed by an IASME-accredited assessor
  • Validity: 12 months, renewed annually
  • Cost: From £330+VAT for micro organisations (1–9 staff) up to £500+VAT for large (250+); see Cyber Essentials cost for the full pricing breakdown
  • Typical timeline: 4–12 weeks from kick-off to certificate
  • Bonus: Eligible UK organisations with turnover under £20M receive free cyber liability insurance worth £25,000
  • Best for: UK SMBs bidding for government work; suppliers to large enterprises; insurance prerequisites; first formal certification

Cyber Essentials is the lowest-cost and fastest UK cyber security certification. It is also the one with the most direct procurement value, because UK government and many private buyers mandate it specifically by name. For the line-by-line readiness work, our Cyber Essentials checklist walks through every check before you submit.

Cyber Essentials Plus: independently audited assurance

Cyber Essentials Plus uses the same five control areas as Cyber Essentials, but adds an independent technical audit. An IASME-accredited assessor scans sample devices, verifies multi-factor authentication by live login, tests email and web filtering, and confirms the controls you have attested to actually work in practice.

  • Format: SAQ plus hands-on technical audit of a representative sample of devices
  • Validity: 12 months
  • Cost: Typically £1,500–£3,000 on top of the base Cyber Essentials cost, depending on environment complexity
  • Timeline: 1–2 weeks on top of Cyber Essentials, once readiness work is complete
  • Best for: Suppliers to MOD or high-risk supply chains (DEFCON 658), buyers who specifically require Plus, organisations using Plus as a stepping stone to ISO 27001

The five technical control areas are documented in detail in Cyber Essentials Plus requirements. If you are weighing CE vs CE Plus, the deciding factor is usually whether a specific contract or insurer requires the Plus tier.

ISO 27001: international information security management certification

ISO/IEC 27001 is the international standard for information security management systems (ISMS). Where Cyber Essentials tests five technical controls, ISO 27001 certifies a full management system: a risk-driven framework that covers governance, policy, asset management, supplier security, incident response, business continuity and 93 specific Annex A controls (the 2022 revision; reduced from 114 in the 2013 version).

  • Format: Stage 1 documentation audit, then Stage 2 implementation audit, then surveillance audits each year and a full recertification audit every three years
  • Validity: 3 years between recertifications, with annual surveillance
  • Cost: Typically £3,000–£15,000+ for UK SMBs, depending on scope and chosen certification body
  • Timeline: 4–9 months for first-time certification; longer for complex organisations
  • Best for: Organisations selling internationally, B2B SaaS, regulated sectors, anyone whose customers ask for an ISMS certificate by name

ISO 27001 is the gold standard of cyber security certifications globally. Most enterprise customers expect their suppliers to hold it; many UK organisations use Cyber Essentials as the foundation and then progress to ISO 27001 as customer demand grows. For the differences in depth, scope and recognition, see Cyber Essentials vs ISO 27001; for the audit process in detail, see ISO 27001 certification.

SOC 2: assurance for US customers and SaaS providers

SOC 2 (Service Organisation Control 2) is a US-originated assurance report produced under standards set by the American Institute of CPAs (AICPA). It evaluates a service organisation against the five Trust Services Criteria (security, availability, processing integrity, confidentiality and privacy), with security mandatory and the others optional based on scope.

  • Format: Type 1 (point-in-time design assessment) or Type 2 (operating effectiveness over an observation window of 3–12 months)
  • Validity: SOC 2 produces a report rather than a certificate; reports are typically renewed annually
  • Cost: £15,000–£100,000+ depending on scope, criteria included and observation window
  • Timeline: 3–12 months observation window for Type 2; readiness work typically adds 2–4 months
  • Best for: SaaS providers selling into the US, service organisations holding customer data, any UK organisation whose US customers ask for SOC 2 by name

SOC 2 and ISO 27001 overlap heavily in the controls they require. UK organisations selling on both sides of the Atlantic often run both, with ISMS.online as the common evidence layer. Our SOC 2 hub covers the criteria, the readiness process and how it differs from ISO 27001.

NIS 2: regulatory cyber security for essential and important entities

NIS 2 is the EU’s second-generation Network and Information Security Directive, and the UK has adopted an equivalent national regime. It is not a certification, but a regulatory requirement for essential and important entities in critical sectors (energy, transport, banking, financial market infrastructures, health, drinking water, digital infrastructure, public administration, space, postal services, waste management, manufacture and distribution of chemicals, food, manufacturing of medical devices and certain digital service providers).

  • Format: Regulatory obligation to implement specified cyber security risk management measures and incident reporting timelines
  • Validity: Continuous, with regulator oversight
  • Cost: No certification fee; cost is in the controls themselves, which often align with ISO 27001
  • Timeline: Phased adoption; organisations in scope should be implementing now
  • Best for: Any organisation classed as an essential or important entity under the directive; suppliers to those entities are also indirectly affected

NIS 2 is sometimes the trigger that pushes an organisation from Cyber Essentials to ISO 27001, because ISO 27001 provides a structured way to evidence the risk management measures the directive requires. Our NIS 2 hub walks through the in-scope sectors and the specific obligations.

Comparison: UK cyber security certifications at a glance

| Certification | Scope | Typical cost (UK SMB) | Typical timeline | Validity | Best fit |
|---|---|---|---|---|---|
| Cyber Essentials | 5 technical controls, self-assessed | From £330+VAT | 4–12 weeks | 12 months | UK SMBs, gov contracts, insurance, first certification |
| Cyber Essentials Plus | Same 5 controls + independent audit | Add £1,500–£3,000+ | +1–2 weeks | 12 months | MOD suppliers, contracts requiring Plus, ISO 27001 stepping stone |
| ISO 27001 | Full ISMS, 93 Annex A controls, governance | £3,000–£15,000+ | 4–9 months | 3 years (annual surveillance) | International sales, B2B SaaS, regulated sectors |
| SOC 2 (Type 2) | 5 Trust Services Criteria, operating effectiveness | £15,000–£100,000+ | 3–12 months observation | Annual report | SaaS selling into the US, service organisations |
| NIS 2 | Regulatory cyber risk management for essential/important entities | Embedded in operations | Continuous | Continuous | Critical infrastructure sectors and their suppliers |


ISMS.online supports over 100 standards and regulations, giving you a single platform for all your compliance needs.

How do you choose between cyber security certifications?

Start with the question that triggered the project. The right certification depends on what (or who) is asking for it.

  • UK government contract or MOD supplier — Start with Cyber Essentials, then Plus if specifically required. This is mandated by name in PPN 09/14 and DEFCON 658.
  • Cyber insurance policy — Cyber Essentials is usually enough at the SMB end. Larger or higher-risk insureds may need ISO 27001.
  • Enterprise customer asking for an ISMS certificate — ISO 27001. Customers almost always name this specifically.
  • US-based SaaS customer asking for an assurance report — SOC 2 (usually Type 2 once the relationship is established).
  • NIS 2 or equivalent regulatory obligation — Implement the controls the regulation requires; many organisations use ISO 27001 as the structuring framework to evidence this.
  • First certification, not driven by a specific buyer — Cyber Essentials. It is the lowest-cost, fastest and has the clearest UK procurement value, and the work feeds straight into ISO 27001 if you progress.

Most UK organisations end up with more than one over time. A typical progression looks like Cyber Essentials → Cyber Essentials Plus → ISO 27001 → SOC 2 once US customers appear. The controls overlap enough that maintaining the next certification is incremental rather than starting over — provided you have a single evidence layer that maps controls across schemes.

Four-step typical UK cyber security certification progression: Cyber Essentials, Cyber Essentials Plus, ISO 27001, SOC 2

What if you need multiple certifications?

Running Cyber Essentials, ISO 27001 and SOC 2 separately is expensive. The same evidence (firewall rules, MFA configuration, joiner/leaver records, asset inventory, patch reports) is asked for by all three, just in different formats. Most of the time it ends up in three places with three sets of update cycles.

The alternative is to capture every control and every piece of evidence once, mapped to every scheme it satisfies. That is what ISMS.online does — a single ISMS that exposes the Cyber Essentials, ISO 27001, SOC 2 and NIS 2 control sets at the same time, with evidence linked once and reused everywhere. Customers who start with Cyber Essentials in ISMS.online are often halfway to ISO 27001 readiness by the time the customer demand arrives.

What are the common misconceptions about cyber security certification?

  • “A certification means we are secure.” A certification means you meet a defined set of controls at a point in time. It does not mean you cannot be breached. Treat the certificate as evidence of a programme, not an outcome.
  • “Cyber Essentials and ISO 27001 are the same thing.” They are not. Cyber Essentials covers five technical control areas; ISO 27001 certifies a full information security management system covering governance, risk and 93 specific controls.
  • “We need both ISO 27001 and SOC 2 from day one.” Usually no. Most UK organisations start with the one their largest current buyer requires, then add the second when international sales need it.
  • “Our cloud provider’s certification covers us.” Your cloud provider’s certificate covers their infrastructure, not your tenant configuration, access controls or data handling. You still need your own certification.
  • “Certification is a one-off project.” Every cyber security certification has an annual or three-year renewal cycle. Treat it as an operating programme, not a project.

Why Choose ISMS.online for Cyber Security Certification?

  • One platform, every scheme — Cyber Essentials, Cyber Essentials Plus, ISO 27001, SOC 2 and NIS 2 are all pre-mapped in ISMS.online, with controls aligned across schemes so evidence is reused, not rewritten.
  • Single source of evidence — Attach a screenshot or document once and link it to every control it satisfies, across every certification. No duplication and no version drift.
  • Risk register and ISMS scope — Capture your information assets, risks and treatments in a structured ISMS that satisfies ISO 27001 clause requirements and feeds your SOC 2 narrative.
  • Pre-built policies and procedures — A library of pre-written policies aligned to the controls of each scheme, so you start from a working baseline rather than a blank document.
  • Audit-ready — Surveillance audits, recertification audits and SOC 2 observation windows are easier when the platform tracks evidence freshness, action owners and due dates automatically.
  • Trusted by thousands of organisations — ISMS.online supports companies of every size, from first-time Cyber Essentials applicants to global multi-certification groups.
  • Customer success that has been through it — Implementation support from people who have certified to the same schemes themselves, not just sold the platform.

FAQs

What is the best cyber security certification for a UK SMB?

For most UK SMBs the right starting point is Cyber Essentials. It is the lowest-cost certification, the fastest to achieve, and the one mandated by UK government procurement under PPN 09/14. Cyber Essentials Plus comes next if a contract or supply chain requires it. Move to ISO 27001 once enterprise customer demand or international sales appear.


Is Cyber Essentials a recognised cyber security certification internationally?

Cyber Essentials is UK-specific. It is recognised by UK government, UK insurers and many UK private buyers, but it does not carry direct weight outside the UK. ISO 27001 is the equivalent internationally recognised certification, and SOC 2 is the dominant assurance report in the US. UK organisations selling globally usually progress from Cyber Essentials to ISO 27001 or SOC 2.


How much does cyber security certification cost in the UK?

Costs vary widely. Cyber Essentials starts at £330+VAT for the smallest organisations. Cyber Essentials Plus typically adds £1,500–£3,000 for the audit. ISO 27001 ranges from £3,000 for very small organisations to £15,000+ for complex scopes. SOC 2 Type 2 ranges from £15,000 to £100,000+ depending on the criteria, scope and observation window. NIS 2 has no certification fee but requires investment in the underlying controls.


How long does cyber security certification take?

Cyber Essentials typically takes 4–12 weeks from kick-off. Cyber Essentials Plus adds 1–2 weeks on top, plus readiness work. ISO 27001 takes 4–9 months for a first-time SMB certification. SOC 2 Type 2 needs an observation window of 3–12 months on top of the readiness work. NIS 2 is continuous: it is not a one-off project.


Does a cyber security certification cover GDPR?

No certification on its own constitutes GDPR compliance. ISO 27001 and SOC 2 both cover many of the security controls GDPR requires, and ISO 27701 extends ISO 27001 specifically into a privacy management system. None of them replace the legal and documentation obligations under UK GDPR, but they make demonstrating the security controls much easier.


Do I need to recertify every year?

Cyber Essentials and Cyber Essentials Plus are valid for 12 months and renewed annually. ISO 27001 runs on a 3-year cycle with annual surveillance audits. SOC 2 reports are typically refreshed annually. NIS 2 is a continuous obligation rather than a periodic certification. Whichever scheme you hold, treat it as an operating programme rather than a one-off project.



Max Edwards

Max works as part of the ISMS.online marketing team and ensures that our website is updated with useful content and information about all things ISO 27001, 27002 and compliance.