May 4, 2026

ISO 27001 in enterprise procurement: close the security review

Pricing is broadly agreed and the contract sits in commercial discussion. Then the buyer's procurement team routes the engagement to vendor risk management, and a security questionnaire lands in your inbox. Until it comes back clean, the deal does not move. For most UK scale-ups selling into a Fortune 1000 buyer, this is the moment ISO 27001 stops being a back-office topic and becomes the single thing standing between you and signature.

This piece is for the founder, head of revenue or head of security at a UK scale-up running into that wall for the first or fifth time. It walks through what the buyer is actually doing in a vendor security review, how an ISO/IEC 27001:2022 certificate maps to the questionnaire, where SOC 2 sits alongside it, and what timeline you are realistically looking at if you start today.

What an enterprise vendor security review actually looks like

The buyer's vendor risk team is not reading your marketing site. They are running you against a structured questionnaire built around a recognised framework, and scoring the answers against an internal threshold.

Two questionnaires dominate enterprise procurement. The Standardized Information Gathering Questionnaire, or SIG, is published annually by Shared Assessments. Its 2025 update runs to 128 questions in SIG Lite, 627 in SIG Core, and 1,936 questions in the full SIG Detail (Shared Assessments, 2025 SIG update). The Cloud Security Alliance's Consensus Assessments Initiative Questionnaire, or CAIQ, is the cloud-native equivalent. CAIQ v4 carries 261 questions across 17 control families of the Cloud Controls Matrix, with a CAIQ-Lite at 124 (CSA STAR, CAIQ v4).

Some buyers send these questionnaires verbatim. Many more take SIG or CAIQ as the spine and overlay an in-house variant. Either way, the volume is large, the answers must reference real evidence, and the review thread sits with procurement until security signs off.

Two structural problems follow. The first is volume: each control needs a written answer, an evidence reference and, for high-tier suppliers, a corroborating artefact. The second is consistency: an answer that says "yes" without a documented control behind it is flagged for follow-up, and the cycle restarts. Without a recognised certificate, every question is bespoke. With one, the questionnaire collapses to the small number of items the certificate does not already cover.

How ISO 27001 maps to the SIG and CAIQ questionnaires

ISO/IEC 27001:2022 was published on 25 October 2022 and supersedes the 2013 version of the standard (ISO/IEC 27001:2022). It defines the requirements for an Information Security Management System, or ISMS, and lists 93 controls in Annex A. Three artefacts do most of the work in a vendor security review:

The certificate itself, issued by a UKAS-accredited certification body, is the headline. UKAS is the sole UK national accreditation body, appointed by the UK Government under EC Regulation 765/2008 (UKAS CertCheck). Enterprise procurement teams check accreditation as a matter of routine, and a self-issued or non-accredited certificate fails the review.

The Statement of Applicability, or SoA, is the document buyers ask for more often than the certificate. It maps every one of the 93 Annex A controls to your business and records which controls are included, which are excluded, and on what justification.

The most recent surveillance audit report sits behind both. It evidences that the ISMS is being operated in practice, with regular audit, review and corrective action.

Where the buyer's review framework explicitly maps to ISO 27001, holding the certificate auto-satisfies a substantial proportion of items. Shared Assessments publishes a SIG-to-ISO crosswalk; the CSA Cloud Controls Matrix is built with ISO 27001 as one of its primary anchor frameworks. McKinsey's analysis of supplier nth-party risk argues that information-security screening can cut due-diligence effort by close to 40% when suppliers carry recognised certification (McKinsey, "Taking a business-critical approach to supplier nth-party IT risk management"). For a 627-question SIG Core, that is the difference between weeks of evidence collation and a focused exchange on the controls the certificate does not cover.

There is a hard date worth knowing. The transition from ISO 27001:2013 to :2022 ended on 31 October 2025, and from that date all 2013 certificates were withdrawn regardless of their printed expiry (IAF MD 26:2023 Issue 2). Any UK scale-up still trading on a 2013 certificate is now non-compliant, and enterprise buyers running fresh reviews from late 2025 onwards reject the older standard outright.

The 93-control ISO 27001:2022 structure, for a sales-side reader

The 2022 revision reorganised the previous 114 controls into 93, grouped under four themes (ISO/IEC 27002:2022; ISO news, October 2022). It is worth knowing the shape, because this is what the SoA covers and what the buyer's questionnaire is implicitly testing.

  • Organisational (37 controls). The governance layer. Information security policy, supplier relationships, threat intelligence, classification, access control policy, segregation of duties. This is the largest theme and the one most often under-evidenced in pre-certification scale-ups.
  • People (8 controls). Background checks at hire, terms of employment, ongoing security awareness training, the disciplinary process when something goes wrong, and the handover obligations when someone leaves. Small in count, frequently weak in practice.
  • Physical (14 controls). Office and equipment security, secure disposal, clear desk, working in secure areas. For a remote-first SaaS scale-up this looks lighter than it reads, because most of the answers cluster around endpoint security, home-working policies and device return at offboarding.
  • Technological (34 controls). Authentication, encryption in transit and at rest, logging and monitoring, secure development, web filtering, configuration management. The largest theme outside Organisational, and the one enterprise security teams scrutinise hardest.

The 2022 revision also introduced 11 new controls. Threat intelligence, information security for cloud services, ICT readiness for business continuity, data masking, data leakage prevention, monitoring activities, web filtering, secure coding and configuration management are among them. Several of these line up directly with what enterprise buyers now expect to see in CAIQ and SIG responses, which is one of the reasons ISO 27001:2022 reads as the more procurement-relevant version of the standard.

ISO 27001 vs SOC 2: which one closes your enterprise deal

The short answer depends on where the buyer is headquartered and which procurement playbook their security team uses.

ISO 27001 is the international standard. UK FTSE 100 procurement, EU enterprise procurement and UK regulated sectors are built around it. For a UK or EU pipeline, ISO 27001 alone normally clears the security review. Where the buyer has a sector overlay, that overlay sits on top of ISO 27001 rather than replacing it.

SOC 2 is the de facto US enterprise standard. SOC 2 Type II reports, issued under the AICPA's attestation framework against the Trust Services Criteria, are what most US-headquartered SaaS buyers and US Fortune 1000 vendor risk teams default to. ISO 27001 is recognised in the US, and is increasingly accepted as supporting evidence, but in our experience and in industry consensus it rarely closes a US enterprise deal on its own when the buyer's procurement team is built around SOC 2.

For a UK scale-up with a mixed pipeline of UK, EU and US enterprise buyers, both certifications often make sense. ISO 27001 and SOC 2 share a high proportion of underlying controls, and the same ISMS evidence library can feed both audit cycles. Industry consensus puts the control overlap at 60-80%, and running them together can compress total effort by 30-40% relative to certifying separately. Treat that as directional rather than guaranteed; the actual saving depends on how cleanly your evidence is structured at the start.

The decision is rarely "which one". It is usually "which first", and that answer follows your pipeline. If your largest active deals are UK or EU, start with ISO 27001. If your largest active deals are US, start with SOC 2 and add ISO 27001 as the international pipeline grows.

Cyber Essentials Plus, ISO 27001, and the UK enterprise stack

For UK enterprise buyers and most UK public-sector adjacent procurement, Cyber Essentials Plus and ISO 27001 are the typical baseline. The NCSC explicitly recommends large organisations set Cyber Essentials certifications as a minimum-security requirement for their supply chains (NCSC Cyber Essentials Supply Chain Playbook), and the NCSC Supply Chain Security 12 Principles structure the wider assurance question into understanding the risks, establishing control, checking arrangements and continuous improvement (NCSC Supply Chain Security 12 Principles).

GOV.UK procurement guidance reinforces this. Procurement Policy Note guidance on Cyber Essentials sets the scheme as the minimum technical baseline for central government suppliers and influences how UK enterprise buyers shape their own supplier requirements (GOV.UK, PPN updates to the Cyber Essentials scheme).

The practical reading is that Cyber Essentials Plus is the technical floor and ISO 27001 is the management-system credential the buyer expects on top of it. A UK scale-up holding both clears the broadest range of UK enterprise vendor reviews without having to argue for an alternative.

What it takes to certify in time for an active enterprise opportunity

ISO 27001 certification follows a six-stage path on a three-year cycle:

  • Gap analysis against the 93 Annex A controls.
  • ISMS build and implementation, typically 3-6 months for an SME.
  • A Stage 1 audit, conducted by a UKAS-accredited certification body, lasting one to two days and reviewing documentation.
  • A Stage 2 audit, on-site or remote, typically twice the length of Stage 1, held six to eight weeks after Stage 1 and no more than six months after it.
  • A certification decision, with the certificate issued for three years.
  • Annual surveillance audits in years 2 and 3, and full recertification at year 3.

For a UK SME starting from scratch, the typical elapsed time from gap analysis to certificate is 6-12 months. Where an existing framework already covers part of the ground (Cyber Essentials Plus, partial DSPT alignment, a SOC 2 in flight), 3-6 months is achievable.

The implication for a sales-side reader is uncomfortable but worth saying directly. You cannot start ISO 27001 the day your enterprise deal lands. The certificate has to be in flight or in hand. The most frequent Stage 1 findings, across UK certification bodies, are an incomplete risk assessment, an inadequate Statement of Applicability, no internal audit evidence and no management review. Each of those failures is recoverable, but each one adds weeks. The realistic path through an active enterprise opportunity is to begin certification as soon as the first qualified enterprise lead enters pipeline, not when the questionnaire arrives.

How ISO 27001 evidence carries across multi-framework procurement

A UK scale-up selling into enterprise is rarely facing only one framework. UK FTSE 100 buyers ask for ISO 27001 and Cyber Essentials Plus. EU enterprise buyers add UK GDPR and EU GDPR record-keeping. NHS-adjacent enterprise buyers add DSPT v8. US buyers add SOC 2. The cost of running these as separate evidence streams compounds quickly.

The structural answer is to run a single evidence library, with each control mapped to every framework it satisfies. ISO 27001 Annex A access control evidence satisfies Cyber Essentials access control, SOC 2 CC6 logical access, and the technical-security elements of DSPT v8 simultaneously. Encryption evidence does the same across ISO 27001, SOC 2, GDPR Article 32 and Cyber Essentials. The evidence is collected once and presented to each auditor or buyer in their preferred format.

This is where most pre-certification scale-ups under-invest. Building the ISMS for ISO 27001 alone is achievable. Building the ISMS so that one Article 32 control satisfies four frameworks at once is the difference between certifying once and managing a permanent compliance overhead.

Vormats: shortened sales cycle through ISO 27001 certification

Vormats is a SaaS scale-up running a video-led platform for employer brand, employee storytelling and talent acquisition. The team certified to ISO 27001 on the Naq platform, and the certificate now sits in front of every enterprise procurement conversation Vormats opens.

Arnold Bouwman, Co-founder of Vormats:

"Naq has been instrumental in achieving compliance and security, obtaining ISO27001 certification and shortening our sales-cycle by easily demonstrating compliance."

Vormats also reported an 80% cost saving compared with traditional consultancy routes. That figure is Vormats' own assessment of their certification path, not a Naq-produced benchmark, and the saving available to any individual scale-up will depend on existing framework coverage and ISMS maturity.

How Naq automates ISO 27001 alongside SOC 2, Cyber Essentials Plus and GDPR

The Naq platform is built to automate ISO 27001, SOC 2, Cyber Essentials Plus, GDPR and DSPT from a single dashboard. Controls are mapped across frameworks, so one piece of evidence satisfies requirements in ISO 27001, SOC 2 and Cyber Essentials Plus at the same time, rather than being collected three times.

Where enterprise buyers want named expert support, Naq's in-house virtual DPOs sit alongside the platform for the controller decisions a vendor security review depends on. Access to CREST-accredited penetration testers is available through Naq's external partnership network where the buyer's questionnaire requires evidence of an independent test.

To see how your existing tooling and frameworks map against an enterprise vendor security review, book a 15-minute demo at naqcyber.com.

Frequently asked questions

What is the difference between ISO 27001 and SOC 2 for UK enterprise sales?

ISO 27001 is an international standard certifying an Information Security Management System against 93 controls in Annex A. SOC 2 is an AICPA attestation report against the Trust Services Criteria. UK and EU enterprise procurement teams default to ISO 27001. US-headquartered enterprise procurement teams default to SOC 2. For a UK scale-up selling primarily into UK and EU pipeline, ISO 27001 normally closes the security review on its own.

Does ISO 27001 alone close a US Fortune 1000 vendor security review?

Rarely. ISO 27001 is recognised in the US and is increasingly accepted as supporting evidence, but most US-headquartered Fortune 1000 vendor risk teams ask for a SOC 2 Type II report as the primary credential. UK scale-ups with US enterprise pipeline normally run both certifications in parallel, with the same ISMS evidence library feeding both audit cycles.

How long does ISO 27001 certification take for a UK SME, and can I certify in time for an active enterprise deal?

The typical UK SME timeline from gap analysis to certificate is 6-12 months from a standing start, or 3-6 months where Cyber Essentials, partial DSPT or a SOC 2 already covers part of the ground. Stage 1 and Stage 2 audits sit six to eight weeks apart, and UKAS-accredited certification bodies often book audits eight to twelve weeks out. The realistic answer is to begin certification once the first qualified enterprise lead enters pipeline, well ahead of any questionnaire landing.

What is a Statement of Applicability and why do enterprise buyers ask for it?

The Statement of Applicability, or SoA, is the document that maps every one of the 93 Annex A controls in ISO 27001:2022 to your business, and records which controls are included, which are excluded, and on what justification. Enterprise procurement teams ask for the SoA more often than the certificate itself, because it is the artefact that shows whether the certificate covers the specific controls the buyer cares about.

Do I need Cyber Essentials Plus alongside ISO 27001 for UK enterprise procurement?

For most UK enterprise and UK public-sector adjacent procurement, yes. The NCSC recommends Cyber Essentials as a minimum-security requirement for supply chains, and UK enterprise buyers typically expect Cyber Essentials Plus as the technical floor with ISO 27001 as the management-system credential on top. Holding both clears the broadest range of UK enterprise vendor reviews.


Written by
The Naq Team