Skip to content

For SME owners and directors

UK digital & IT certifications for SMEs.

Cyber Essentials, ISO 27001, SOC 2, PCI DSS, DSPT and the rest. What each one is, roughly what it costs, and when an SME actually needs it.

16 certifications across 7 categories. None of this is legal advice; sector requirements change — check the source before committing.

Category 1

Cyber security baseline.

The minimum-credible cyber posture for any SME. Quick to obtain, increasingly demanded by buyers.

UK GovCyber
Essentials

Cyber Essentials

UK government's baseline cyber-hygiene scheme. Self-assessment against five technical controls.

Cost · ∼£320–£500/year Need it · Most public-sector and MoD supply contracts
UK GovCE+

Cyber Essentials Plus

Same five controls, but with a hands-on technical audit by a certifying body.

Cost · £1,500–£5,000+ Need it · When a contract specifically demands it

Category 2

Information security.

Broader, audited proof of how you manage information security as an organisation. Increasingly required by enterprise B2B buyers.

IASMECyber
Assurance

IASME Cyber Assurance

UK alternative to ISO 27001 designed for SMEs. Includes GDPR and risk management. Verified or fully audited tiers.

Cost · £400 verified – £1,800+ audited Need it · Mid-tier credibility, ISO 27001 stepping stone
ISO/IEC27001

ISO/IEC 27001

International standard for an Information Security Management System (ISMS). 3–9 months of work for an SME.

Cost · £5k–£25k+ all-in Need it · Enterprise B2B sales, financial-services suppliers
AICPASOC 2

SOC 2 (Type I / Type II)

US auditor's attestation of security, availability and confidentiality controls. Type II covers a 3–12 month evidence window.

Cost · £10k–£40k+ Need it · Selling SaaS into US customers

Category 3

Data protection & privacy.

UK and EU privacy obligations and the standards that demonstrate them.

UK GovICO

ICO registration

Legal requirement under the Data Protection Act for any UK business processing personal data. Not a certification but commonly mistaken for one.

Cost · £40 / £60 / £2,900/year by size Need it · Almost every business
ISO/IEC27701

ISO/IEC 27701

Privacy information management. Extends ISO 27001 with GDPR-style controls. Audited extension, not a standalone.

Cost · Add-on to 27001 (£3k–£10k) Need it · Buyers asking for GDPR assurance beyond a policy

Category 4

Cloud-specific.

If your business runs cloud-hosted services or sells SaaS, these complement the general security standards.

ISO/IEC27017

ISO/IEC 27017

Code of practice for cloud security controls. Usually pursued alongside ISO 27001 by cloud service providers.

Cost · Add-on to 27001 Need it · Cloud service providers
ISO/IEC27018

ISO/IEC 27018

Protection of personal data (PII) in public clouds. Often paired with 27017.

Cost · Add-on to 27001 Need it · Cloud providers handling personal data
CSASTAR

CSA STAR

Cloud Security Alliance Security, Trust & Assurance Registry. Three levels: self-assessment, third-party audit, continuous monitoring.

Cost · Free self-assessment; £8k+ Level 2 Need it · Cloud providers serving enterprise

Category 5

IT service management & continuity.

For MSPs, IT outsourcers, and any business that wants demonstrable resilience.

ISO/IEC20000-1

ISO/IEC 20000-1

IT service management standard. The ITIL-aligned audit. Demonstrates mature IT operations.

Cost · £8k–£20k+ Need it · MSPs, IT outsourcers, large IT teams
ISO22301

ISO 22301

Business continuity management. Often paired with 27001 when buyers ask “what if your systems disappear?”

Cost · £5k–£20k+ Need it · Critical-service providers, regulated sectors

Category 6

Sector-specific.

Mandatory in their sector. If you supply NHS, accept card payments, or sell into automotive, you can't opt out.

PCIDSS

PCI DSS

Payment Card Industry Data Security Standard. Self-assessment questionnaire (SAQ) at lower volumes; full audit at high volumes.

Cost · SAQ free – £50k+ full audit Need it · Anyone handling card payments
NHSDSPT

NHS DSPT

Data Security and Protection Toolkit. Annual self-assessment for any organisation handling NHS data or accessing NHS systems.

Cost · Free; 1–3 weeks of effort/year Need it · NHS suppliers and partners
ENXTISAX

TISAX

Automotive industry information-security standard. ENX Association. Required by UK and European car manufacturers.

Cost · €5k–€15k Need it · Automotive supply chain

Category 7

Vendor partner programmes.

Not security certifications, but commonly cited as digital credentials by IT and SaaS resellers.

VendorPartner
Programmes

Microsoft / Google / AWS / Salesforce Partner

Each major platform runs a partner programme with tiered accreditations (Solutions Partner, Specializations) based on certified staff, customer outcomes and revenue.

Cost · Free entry; thresholds for higher tiers Need it · IT firms reselling or implementing platforms

A pragmatic order

If you're starting from zero.

  1. Cyber Essentials first — cheap, quick, opens public-sector doors and reduces insurance premiums.
  2. Cyber Essentials Plus when a contract specifically demands it.
  3. IASME Cyber Assurance if you want a credible mid-tier story without ISO commitment.
  4. ISO 27001 when enterprise customers start asking for it (they will).
  5. SOC 2 if you sell SaaS into US buyers.
  6. PCI DSS / DSPT / sector-specific as the work demands.