Choosing between ISO 27001, SOC 2, and Cyber Essentials Plus is one of the most common questions we receive from organisations beginning their compliance journey. The answer depends almost entirely on three factors: your customer base, your geographic markets, and the maturity of your existing security programme. This is a side-by-side comparison to help you decide.
At a Glance: The Three Frameworks
| Dimension | ISO 27001 | SOC 2 Type II | Cyber Essentials Plus | |-----------|-----------|---------------|----------------------| | Origin | International standard (ISO/IEC) | US (AICPA) | UK (NCSC) | | Primary market | Global | USA-led, global recognition | UK only | | Scope | Full ISMS (organisation-wide) | Trust services criteria | 5 technical controls | | Approach | Risk-based management system | Operational evidence over time | Prescriptive technical controls | | Audit duration | 5-15 days initial + annual surveillance | 6-12 month observation period | 1-3 days | | Time to certify | 6-12 months | 9-18 months for Type II | 4-12 weeks | | Typical cost | £8k-£40k+ initial | $20k-$100k annual | £1.5k-£5k annual | | Recertification | 3-year cycle, annual surveillance | Annual | Annual | | Self-assessment option | No | No | No (basic CE only) |
ISO 27001: The Comprehensive Standard
ISO/IEC 27001 is the international gold standard for information security management. Rather than mandating specific controls, it requires organisations to establish a complete Information Security Management System (ISMS) — a structured approach to identifying, treating, and continuously improving security risks.
Best suited for:
- Organisations selling globally, particularly into European and Asian markets
- Mid-market to enterprise organisations with multiple business units
- Organisations that want a foundation framework to support other certifications
- Companies subject to NIS2 or similar regulatory requirements
What you get:
- A structured, board-level approach to security governance
- A risk register driven by your specific threat model
- Annex A controls (114 in 2013 edition, 93 in 2022 edition) selected based on your risk treatment plan
- International recognition — single certificate accepted in 100+ jurisdictions
Watch out for:
- The standard is principles-based, not prescriptive. Two organisations with the same certificate can have very different security postures.
- Annual surveillance audits are scope-dependent. A large organisation pays substantially more than the headline numbers above.
- Internal audit competence is a common deficiency raised in surveillance audits.
SOC 2: The US B2B Standard
SOC 2 (Service Organization Control 2) is an AICPA attestation framework specifically designed for service organisations handling customer data. It is not technically a "certification" — it is a report issued by a CPA firm attesting to the organisation's controls against the Trust Services Criteria.
The five trust services criteria:
- Security (mandatory) — protection against unauthorised access
- Availability — system uptime commitments
- Confidentiality — protection of designated confidential information
- Processing Integrity — system processing is complete, valid, accurate, timely
- Privacy — collection, use, retention, and disposal of personal information
Most organisations begin with Security only. SaaS vendors with uptime SLAs typically add Availability. Healthcare-adjacent organisations add Privacy.
Best suited for:
- SaaS vendors selling into US enterprise
- B2B service providers where customers ask "do you have SOC 2?" in procurement
- Organisations where customer trust is the primary commercial driver
Type I vs Type II:
- Type I — auditor's opinion that controls are designed effectively at a point in time. Quick to achieve. Often a stepping stone.
- Type II — auditor's opinion that controls are operating effectively over a period (typically 6-12 months). The real deliverable customers want.
Watch out for:
- A SOC 2 report is dense, often 100+ pages, and varies in rigour between auditors. The report's value depends on the auditing firm's reputation.
- The scope you choose determines what is attested. A narrow scope (e.g. only production AWS) limits the report's commercial usefulness.
- Recurring annual cost is significant. Budget accordingly.
Cyber Essentials Plus: The UK Baseline
Cyber Essentials Plus is a UK government-backed scheme operated by IASME. It covers five technical control areas:
- Firewalls — perimeter and host-based
- Secure configuration — hardened defaults, no unnecessary services
- User access control — accounts, privileges, MFA
- Malware protection — anti-malware, application allowlisting
- Security update management — patch management
Cyber Essentials Plus adds independent technical verification (vulnerability scans against external infrastructure and a sample of internal devices) on top of the self-assessed Cyber Essentials basic.
Best suited for:
- UK organisations selling into UK public sector (mandatory for many contracts)
- UK SMEs seeking a baseline security certification
- Organisations needing a quick win for procurement requirements
- A pre-cursor to ISO 27001 for organisations starting their compliance journey
Watch out for:
- The scheme is narrow. It does not address governance, risk management, incident response, supply chain, or business continuity.
- It is UK-only. US customers will not recognise it.
- Annual recertification. Drift between audits is common — the certificate is a snapshot, not an ongoing programme.
How to Choose
If you sell primarily into the US enterprise: Start with SOC 2 Type II. It is what your customers will ask for. ISO 27001 can be layered on later for European expansion.
If you sell primarily into UK or European enterprise: Start with ISO 27001. Its global recognition makes it the most flexible base. Cyber Essentials Plus can be added quickly for UK public sector eligibility.
If you are a UK SME serving UK SME or public sector customers: Cyber Essentials Plus is sufficient and proportionate. ISO 27001 is overkill if you have under ~50 employees and a focused customer base.
If you have NIS2 exposure: ISO 27001 provides the closest mapping to Article 21 requirements. SOC 2 and Cyber Essentials Plus both leave material gaps in supply chain security and incident reporting that you will need to address separately.
If you can pursue more than one: The optimal sequence for a UK-headquartered organisation expanding into the US is: Cyber Essentials Plus first (quick win, 4-8 weeks), then ISO 27001 (6-12 months), then SOC 2 Type II layered on the ISO 27001 foundation (an additional 3-6 months because the control overlap is substantial).
The Cost-Benefit View
| Outcome | Best Framework | Worst Framework | |---------|---------------|-----------------| | Win US enterprise deals | SOC 2 Type II | Cyber Essentials Plus | | Win UK public sector deals | Cyber Essentials Plus | SOC 2 | | Demonstrate mature security to regulators | ISO 27001 | Cyber Essentials Plus | | Cheapest path to "we have a certification" | Cyber Essentials Plus | SOC 2 Type II | | Foundation for NIS2 readiness | ISO 27001 | Cyber Essentials Plus | | Easiest to maintain year over year | Cyber Essentials Plus | SOC 2 Type II |
There is no universally "best" framework. The right answer is the one your customers will ask for, the one your team can sustainably operate, and the one that maps cleanly to your regulatory exposure. Most organisations will eventually hold more than one — and the cost of the second framework, layered on the first, is substantially lower than the cost of the first.
References
Frequently Asked Questions
Which is most rigorous: ISO 27001, SOC 2, or Cyber Essentials Plus?
ISO 27001 is the most comprehensive — it covers an entire ISMS (Information Security Management System) with risk assessment, treatment, and continuous improvement. SOC 2 Type II is the most rigorous for operational evidence over time (typically 6-12 months observation period). Cyber Essentials Plus is the most prescriptive but narrowest in scope, focusing on five technical controls.
How much does each certification cost?
Cyber Essentials Plus typically costs £1,500-£5,000 ($1,900-$6,300) for SMEs, certification annual. ISO 27001 initial certification ranges from £8,000-£40,000+ depending on scope, with annual surveillance audits. SOC 2 Type II audits typically cost $20,000-$100,000 (£15,800-£79,000) annually, depending on number of trust service criteria and organisational complexity.
Can a single organisation hold all three certifications?
Yes, and many do. ISO 27001 provides the foundation. SOC 2 maps closely to ISO 27001 controls but adds specific trust services criteria around availability, confidentiality, processing integrity, and privacy. Cyber Essentials Plus adds UK public sector procurement eligibility. Organisations selling into US enterprise (SOC 2), EU/UK enterprise (ISO 27001), and UK public sector (CE+) often pursue all three.
Which framework do US customers ask for most?
SOC 2 Type II is by far the most commonly requested in US B2B sales cycles, particularly for SaaS vendors. ISO 27001 is recognised but less common as a US procurement requirement. Cyber Essentials Plus carries no weight in US markets — it is a UK-specific scheme.
Which framework do UK customers ask for most?
It depends on the customer. UK public sector mandates Cyber Essentials (basic) for most contracts and Cyber Essentials Plus for sensitive contracts. UK enterprise procurement typically asks for ISO 27001. Financial services may require both. SOC 2 is recognised but less commonly mandated than in the US.
How long does each certification take to achieve from scratch?
Cyber Essentials Plus: 4-12 weeks. Cyber Essentials (basic, self-assessed): 2-4 weeks. ISO 27001 from scratch: 6-12 months including implementation, internal audit, and Stage 1 + Stage 2 certification audits. SOC 2 Type I: 3-6 months. SOC 2 Type II requires an additional 6-12 month observation period after Type I controls are operational.
Does NIS2 compliance require any of these certifications?
NIS2 does not mandate specific certifications, but Article 21 controls map closely to ISO 27001 Annex A. Organisations with mature ISO 27001 programmes face a substantially narrower NIS2 gap. SOC 2 and Cyber Essentials Plus alone are insufficient for NIS2 readiness — both have material gaps versus Article 21 (notably supply chain security and incident reporting timelines).
Can we self-assess for any of these?
Only Cyber Essentials (basic) supports self-assessment. ISO 27001, SOC 2, and Cyber Essentials Plus all require independent third-party audit. The certifying or attesting body must be accredited — for ISO 27001 by UKAS (UK) or ANAB (US), for SOC 2 by AICPA member firms, for Cyber Essentials Plus by IASME or QG accredited assessors.