Essentials
Cyber Essentials
UK government's baseline cyber-hygiene scheme. Self-assessment against five technical controls.
For SME owners and directors
Cyber Essentials, ISO 27001, SOC 2, PCI DSS, DSPT and the rest. What each one is, roughly what it costs, and when an SME actually needs it.
16 certifications across 7 categories. None of this is legal advice; sector requirements change — check the source before committing.
Category 1
The minimum-credible cyber posture for any SME. Quick to obtain, increasingly demanded by buyers.
UK government's baseline cyber-hygiene scheme. Self-assessment against five technical controls.
Same five controls, but with a hands-on technical audit by a certifying body.
Category 2
Broader, audited proof of how you manage information security as an organisation. Increasingly required by enterprise B2B buyers.
UK alternative to ISO 27001 designed for SMEs. Includes GDPR and risk management. Verified or fully audited tiers.
International standard for an Information Security Management System (ISMS). 3–9 months of work for an SME.
US auditor's attestation of security, availability and confidentiality controls. Type II covers a 3–12 month evidence window.
Category 3
UK and EU privacy obligations and the standards that demonstrate them.
Legal requirement under the Data Protection Act for any UK business processing personal data. Not a certification but commonly mistaken for one.
Privacy information management. Extends ISO 27001 with GDPR-style controls. Audited extension, not a standalone.
Category 4
If your business runs cloud-hosted services or sells SaaS, these complement the general security standards.
Code of practice for cloud security controls. Usually pursued alongside ISO 27001 by cloud service providers.
Protection of personal data (PII) in public clouds. Often paired with 27017.
Cloud Security Alliance Security, Trust & Assurance Registry. Three levels: self-assessment, third-party audit, continuous monitoring.
Category 5
For MSPs, IT outsourcers, and any business that wants demonstrable resilience.
IT service management standard. The ITIL-aligned audit. Demonstrates mature IT operations.
Business continuity management. Often paired with 27001 when buyers ask “what if your systems disappear?”
Category 6
Mandatory in their sector. If you supply NHS, accept card payments, or sell into automotive, you can't opt out.
Payment Card Industry Data Security Standard. Self-assessment questionnaire (SAQ) at lower volumes; full audit at high volumes.
Data Security and Protection Toolkit. Annual self-assessment for any organisation handling NHS data or accessing NHS systems.
Automotive industry information-security standard. ENX Association. Required by UK and European car manufacturers.
Category 7
Not security certifications, but commonly cited as digital credentials by IT and SaaS resellers.
Each major platform runs a partner programme with tiered accreditations (Solutions Partner, Specializations) based on certified staff, customer outcomes and revenue.
A pragmatic order