June 28, 2026

ISO 27001 and Cyber Essentials for SaaS

The deal is agreed in principle. Then the security questionnaire arrives, or the tender pack names a standard you do not yet hold, and procurement will not move until you produce the certificate. For a UK software, IT or SaaS company, that single document is usually the moment compliance stops being a someday project and starts holding up revenue.

The question most founders ask at that point is simple: do you need ISO 27001 and Cyber Essentials for SaaS deals, one of them, or both, and which comes first? The honest answer turns on who is asking and what they buy.

Do I need ISO 27001 or Cyber Essentials?

It depends who is asking. UK public-sector contracts that handle personal or OFFICIAL data usually require Cyber Essentials under Procurement Policy Note 014. Enterprise and international buyers typically ask for ISO 27001 in their security questionnaire. Many growing SaaS firms end up holding both as they sell into both markets.

Which standard your buyers actually ask for

The standard named in a contract is a good signal of who you are selling to.

UK public-sector bodies ask for Cyber Essentials. Procurement Policy Note 014, which applies to in-scope government procurements from 24 February 2025, requires suppliers handling citizens' personal data, government employee data, or ICT at the OFFICIAL level to hold Cyber Essentials or demonstrate an equivalent (GOV.UK, PPN 014). That covers central government, agencies, non-departmental public bodies and NHS organisations. Where the work carries higher cyber risk, the authority can require Cyber Essentials Plus, which adds an independent technical audit. So a public-sector tender or a deal with a supplier to government tends to name Cyber Essentials, with Plus where the risk is greater.

Enterprise and international buyers ask for ISO 27001. When a large customer sends a security questionnaire, the credible bar it sets for a SaaS vendor is usually ISO/IEC 27001, the international standard for an information security management system (ISO/IEC 27001:2022). It is increasingly expected for B2B SaaS selling into regulated or enterprise accounts, because it covers governance and risk management across the business rather than a fixed set of technical checks. Buyers headquartered in the United States may also ask for SOC 2, which is a separate American attestation.

Most growing SaaS companies sell into both worlds. A public-sector pilot points to Cyber Essentials. A six-figure enterprise contract points to ISO 27001. Sequence the certifications to the deals in front of you.

Cyber Essentials
What it is: UK government-backed baseline of five technical controls, developed by the NCSC
Who asks for it: UK public sector and their suppliers (PPN 014)
Assessed or audited: Verified self-assessment, answers independently reviewed
Validity: 12 months

Cyber Essentials Plus
What it is: The same five controls, independently tested
Who asks for it: UK public sector for higher-risk work
Assessed or audited: Hands-on technical audit of a sample of your systems
Validity: 12 months, audit within 3 months of the self-assessment

ISO 27001
What it is: International standard for a full information security management system
Who asks for it: Enterprise and international buyers via security questionnaires
Assessed or audited: Stage 1 documentation review plus a Stage 2 implementation audit by a UKAS-accredited body
Validity: 3 years, with annual surveillance audits

Sources: NCSC Cyber Essentials overview; IASME; GOV.UK PPN 014; UKAS.

What sits inside each one

Cyber Essentials covers five technical controls: firewalls, secure configuration, user access control, malware protection and security update management. They are unchanged in 2026. The question set behind the assessment is the standard's living part. The current set, Danzell, sits under Requirements for IT Infrastructure v3.3 and applies to assessments registered from late April 2026 (IASME). If you are certifying around now, work to that version.

ISO 27001 is broader. It asks you to define the scope of your management system, run a risk assessment, produce a Statement of Applicability, set governance and leadership responsibilities, and commit to continual improvement. Annex A of the 2022 edition lists 93 controls across four themes: organisational, people, physical and technological (ISO/IEC 27001:2022, corroborated by BSI and UKAS). The certificate runs for three years with annual surveillance audits.

Alongside both, the security questionnaire almost always has a data-protection section. UK buyers check your standing under UK GDPR and the Data Protection Act 2018, and any handling of EU personal data brings EU GDPR into scope. They look for a data processing agreement, a sub-processor list, breach-notification terms, transfer safeguards and a named data protection contact (ICO). ISO 27001 and Cyber Essentials answer the security half of the questionnaire. GDPR answers the privacy half.

ISO 27001 and Cyber Essentials for SaaS: where the two overlap

Holding both is less work than it looks, because the two standards overlap. The five Cyber Essentials controls map onto a subset of the ISO 27001:2022 Annex A controls, concentrated in the technological group: access control, secure configuration, malware protection and management of technical vulnerabilities. Evidence you produce for Cyber Essentials supports the corresponding ISO 27001 controls, so being Cyber Essentials certified gives you a genuine head start on the technical side of an ISO 27001 audit.

The head start has a limit worth being clear about. Cyber Essentials does not satisfy the management-system requirements at the heart of ISO 27001: the scope definition, the risk assessment, the Statement of Applicability, the leadership and governance, and the continual improvement cycle. Cyber Essentials covers technical hygiene, while ISO 27001 covers how the organisation runs security as a system. The technical evidence carries across, but you still have to build the management system itself.

That overlap is what makes a map-once approach pay off. Capture each control and its evidence a single time, record which standards it answers, and reuse it everywhere it applies. Done that way, the second certification costs less than the first, and a future GDPR or sector requirement starts from evidence you have already proven rather than a blank page.

Getting ISO 27001 and Cyber Essentials for SaaS in place

The path is the same in shape whichever standard comes first. Scope what you are certifying, assess the gap against the controls, fix what is missing, gather the evidence, and book the assessment or audit. The work is in keeping the evidence organised and current, because a certificate is a point in time and a buyer's confidence depends on the controls still holding the day they check.

This is where a platform earns its place. Naq runs Cyber Essentials, Cyber Essentials Plus, ISO 27001 and UK and EU GDPR as one connected system, so a control completed once counts across every standard it maps to and the reuse story above becomes the default rather than a manual exercise. Cyber Essentials certification sits under one roof, as Naq is an IASME Certifying Body, while Cyber Essentials Plus assessment and penetration testing run through an accredited external partner network. Where the privacy half of a questionnaire needs judgement, a virtual data protection officer is included rather than billed as a separate engagement, and the AI assistant is read-only by design, summarising and checking evidence without ever editing the formal record.

The result a buyer sees is exportable evidence and continuous monitoring, so the next security review clears faster than the last.

If a security questionnaire or a tender is holding up a deal right now, book a 15-minute demo and we will map it against the frameworks your buyer is asking for, using your own data.

Frequently asked questions

Do I need ISO 27001 or Cyber Essentials?

It depends who is asking. UK public-sector contracts and tenders that handle personal or OFFICIAL data typically require Cyber Essentials under PPN 014. Enterprise and international buyers usually ask for ISO 27001 in their security questionnaire. Many growing SaaS companies end up holding both.

What is the difference between Cyber Essentials and Cyber Essentials Plus?

Both cover the same five technical controls. Cyber Essentials is a verified self-assessment. Cyber Essentials Plus adds an independent, hands-on technical audit of a sample of your systems. Both certificates last 12 months, and the Plus audit must be completed within 3 months of the self-assessment.

Does Cyber Essentials count towards ISO 27001?

Partly. The five Cyber Essentials controls map onto a subset of ISO 27001:2022 Annex A technological controls, so the same evidence supports both and cuts the technical work the second time round. Cyber Essentials does not replace ISO 27001's management system, risk assessment or Statement of Applicability.

How does ISO 27001 certification work?

A UKAS-accredited certification body runs a Stage 1 documentation review and a Stage 2 implementation audit. On success the certificate is valid for three years, with annual surveillance audits and a recertification audit in year three.

Written by
The Naq Team