
CYBER ESSENTIALS, ISO 27001, SOC 2 & NIST

Which cyber security framework does your business actually need?

Cyber Essentials, ISO 27001, SOC 2 and NIST CSF all sound similar, but they solve different commercial problems. The right choice depends on what your customers, insurers, tenders and contracts are asking for – and what will help you win and keep work over the next 12 months.


CYBER ESSENTIALS & FRAMEWORKS

The 5 frameworks, compared

Use this table to understand which framework is most relevant to your business, what usually triggers it, and how much effort it is likely to involve. For most SMEs, Cyber Essentials is the sensible starting point – the others usually become relevant because of customer, contract, regulatory or sector requirements.

Cyber Essentials
  What it is: UK government-backed certification covering five core security controls (firewalls, secure configuration, security update management, user access control and malware protection).
  Who it's for: Most UK SMEs that want a recognised baseline.
  Usually triggered by: Questionnaires, public-sector work, insurer expectations, customer due diligence.
  Typical effort: Weeks; lowest cost.
  Watch out for: Treating it as an IT tick-box rather than a commercial risk control.

Cyber Essentials Plus
  What it is: The same scope as Cyber Essentials, but with the controls independently tested by an assessor.
  Who it's for: SMEs whose customers or contracts require extra assurance.
  Usually triggered by: Defence supply chain, large-customer requirements, higher-risk tenders.
  Typical effort: 1–2 months.
  Watch out for: Doing it without a clear customer or contract reason.

ISO 27001
  What it is: International standard for an information security management system (ISMS).
  Who it's for: Larger, regulated or more complex SMEs.
  Usually triggered by: Major customers, regulated sectors, enterprise procurement.
  Typical effort: Many months.
  Watch out for: Pursuing it when Cyber Essentials Plus would satisfy the requirement.

SOC 2
  What it is: Independent assurance report on the controls of a service organisation.
  Who it's for: Software, SaaS and tech companies selling into the US.
  Usually triggered by: US customers, enterprise procurement, investor/customer assurance.
  Typical effort: 6–12 months for a Type II report, which covers an observation period rather than a point in time.
  Watch out for: Pursuing it without a genuine US or SaaS-driven need.

NIST CSF 2.0
  What it is: A flexible framework for organising and improving cyber security maturity; it is not a certification.
  Who it's for: Businesses wanting a structured way to assess and improve security.
  Usually triggered by: Security questionnaires, board reporting, internal risk reviews.
  Typical effort: Self-assessment or advisory-led.
  Watch out for: Treating it like a certification when it is really a framework.

WHAT'S NEXT

Which one should we start with?

Gather three things before committing: the security questionnaires received in the last year, your current cyber insurance schedule and the requirements of contracts you are pursuing. The certification that appears most often is your starting point. For many SMEs, that is Cyber Essentials, with Cyber Essentials Plus only when a contract, framework or risk case requires it.

SECTOR EXAMPLES

Common framework triggers by sector

Manufacturing

Cyber Essentials often helps with supplier questionnaires and customer assurance. CE Plus is more likely where you support defence, aerospace or higher-risk supply chains.

Professional Services

Cyber Essentials is usually the practical starting point for client and insurer checks. ISO 27001 may become relevant when larger clients expect formal information security controls.

Construction & Property

Cyber Essentials is commonly requested for tenders, frameworks and public-sector work. CE Plus may be needed where contracts require independently tested controls.

PROOF

WHAT OUR CLIENTS SAY

I have been using INDIGO IT as our trusted IT partner for more than 20 years, both with my previous and current company. They are so good I had to take them with me – recommended!

Mark Bosher · CAD/IT Manager – Watkins Payne

I have always found INDIGO IT to be technically ahead and keen to ensure we get the best service. I have had the good fortune of dealing with them for about 6 years now.

Peter Sudlow · MD, Sapphire Wealth

2026 CYBER RESILIENCE REPORT

Find out more in our new 2026 Cyber Resilience Report

Read the report in full in under an hour, or jump straight to the section that answers your current question.

  1. Why It’s Now Commercial – Why cyber resilience now affects contracts, insurance and customer confidence.
  2. The Microsoft 365 Gap – The common security settings SMEs miss, and the eight checks to make first.
  3. Frameworks Compared – Cyber Essentials, Cyber Essentials Plus, ISO 27001, SOC 2 and NIST: when each one matters.
  4. Monitoring & Evidence – What to record, review and evidence before a customer or insurer asks.
  5. Zero Trust, Simply – How to reduce unnecessary access without slowing people down.
  6. The 90-Day Roadmap – A practical order of work: visibility, hardening, evidence and certification.
  7. The Self-Assessment – A 25-question check to run with your leadership team in 15 minutes.


Meet Matt, Managing Director of INDIGO IT

Making Great IT Personal and Accessible

Matt is passionate about technology and helping businesses to thrive with it. If your tech is in a tangle, he’d love to help you. Whether it’s tricky tech, cyber security, or transforming your business’s IT to achieve your goals, Matt can offer clear guidance, free from the technobabble. Ready to make headway to exceptional IT? It all starts with an informal conversation!

Frequently Asked Questions

Here are some of the most common questions businesses ask us:

Does an SME need Cyber Essentials?

Many SMEs benefit from Cyber Essentials because it is widely recognised, practical and often requested in supplier questionnaires. It is usually the first certification to consider before larger standards such as ISO 27001 or SOC 2.

What does Cyber Essentials Plus add?

Cyber Essentials Plus adds independent technical testing to the self-assessed Cyber Essentials controls. It is useful when contracts, tenders or higher-risk supply chains require more assurance than a self-assessment provides.

What is Zero Trust?

Zero Trust means no user or device is trusted simply because it is inside the office network or has signed in before: every access request is verified, and users and devices only get the access they need, when they need it. For SMEs, it usually starts with MFA, conditional access, device compliance and reducing admin permissions.

What is a SIEM, and do we need one?

A SIEM centralises security logs (for example Microsoft 365 sign-in and audit logs, endpoint and firewall logs) so suspicious activity can be detected and investigated in one place. Some SMEs need one for compliance or risk reasons, but it should follow the basics: MFA, backup, device management and audit logging that gives you evidence.

Can our IT provider check our Microsoft 365 security?

Yes. A good provider should be able to review Secure Score, MFA, conditional access, admin permissions, email protection, audit logging, backup and device management.
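The Zero Trust and SIEM answers above describe what centralised sign-in logs are for: spotting admin sign-ins without MFA, legacy authentication that bypasses MFA, sign-ins from unexpected countries, and repeated failures that suggest password spraying. The script below is an added example written for this page, not INDIGO IT's tooling; the sign-in records are constructed, and the field names (`user`, `roles`, `mfa`, `client`, `country`, `success`) are a simplified shape assumed for illustration rather than the real Microsoft 365 / Entra ID sign-in log schema. The role names, legacy client names and allowed-country list are likewise assumptions to adapt to your own tenant.

```python
"""Triage constructed Microsoft 365-style sign-in records for the basics
that an SME should be watching: MFA on admin accounts, legacy auth,
unexpected countries and repeated failed sign-ins.

Added example. Records, field names and lookup sets are constructed /
assumed for illustration and are not the real Entra ID log schema.
"""
from collections import Counter

# Directory roles treated as privileged (assumption for this example).
PRIVILEGED_ROLES = {"Global Administrator", "Exchange Administrator",
                    "User Administrator"}

# Client types that cannot complete an MFA challenge (legacy auth);
# names are assumed for this example.
LEGACY_CLIENTS = {"IMAP4", "POP3", "Authenticated SMTP", "Other clients"}

# Countries the business normally signs in from (assumption).
ALLOWED_COUNTRIES = {"GB"}

# Minimum failed sign-ins for one account before it is reported.
FAILURE_THRESHOLD = 3

# Constructed sample records; not real log data.
SIGNINS = [
    {"user": "matt@example.com", "roles": ["Global Administrator"],
     "mfa": True, "client": "Browser", "country": "GB", "success": True},
    {"user": "admin@example.com", "roles": ["Global Administrator"],
     "mfa": False, "client": "Browser", "country": "GB", "success": True},
    {"user": "finance@example.com", "roles": [],
     "mfa": False, "client": "IMAP4", "country": "GB", "success": True},
    {"user": "sales@example.com", "roles": [],
     "mfa": True, "client": "Browser", "country": "NG", "success": True},
    # A failed attempt is not reported as a country finding: it was blocked.
    {"user": "sales@example.com", "roles": [],
     "mfa": False, "client": "Browser", "country": "RU", "success": False},
    # Three failures against one account: possible password guessing.
    {"user": "hr@example.com", "roles": [],
     "mfa": False, "client": "Browser", "country": "GB", "success": False},
    {"user": "hr@example.com", "roles": [],
     "mfa": False, "client": "Browser", "country": "GB", "success": False},
    {"user": "hr@example.com", "roles": [],
     "mfa": False, "client": "Browser", "country": "GB", "success": False},
]


def triage_signin(record):
    """Return the finding codes raised by one successful sign-in.

    Failed sign-ins raise no per-record findings here; they are counted
    separately by failed_signin_counts().
    """
    findings = []
    if not record["success"]:
        return findings
    if set(record["roles"]) & PRIVILEGED_ROLES and not record["mfa"]:
        findings.append("ADMIN_NO_MFA")
    if record["client"] in LEGACY_CLIENTS:
        findings.append("LEGACY_AUTH")
    if record["country"] not in ALLOWED_COUNTRIES:
        findings.append("UNEXPECTED_COUNTRY")
    return findings


def triage(records):
    """Group the affected accounts under each finding code."""
    by_code = {}
    for record in records:
        for code in triage_signin(record):
            by_code.setdefault(code, set()).add(record["user"])
    return {code: sorted(users) for code, users in sorted(by_code.items())}


def failed_signin_counts(records, threshold=FAILURE_THRESHOLD):
    """Accounts with at least `threshold` failed sign-ins in the sample."""
    failures = Counter(r["user"] for r in records if not r["success"])
    return {user: n for user, n in failures.items() if n >= threshold}


if __name__ == "__main__":
    for code, users in triage(SIGNINS).items():
        print(f"{code}: {', '.join(users)}")
    for user, n in failed_signin_counts(SIGNINS).items():
        print(f"REPEATED_FAILURES: {user} ({n} failed sign-ins)")
```

Run over the constructed sample it reports the unprotected Global Administrator, the mailbox still using IMAP, the one successful sign-in from outside the UK, and the account with three failed attempts. The same four checks are what a conditional access policy set should be preventing in the first place, so a log review that keeps raising them is evidence that the policies, not just the monitoring, need attention.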