ISO 27001 vs Cyber Essentials — What a UK SME Should Ask an HR Vendor in 2026

Cyber Essentials covers the technical perimeter. ISO 27001:2022 covers the management system. They are not interchangeable. This guide explains the practical scope of each, what "ISO 27001 aligned" honestly means, and the ten questions a UK SME should put to any HR or benefits vendor in 2026.

Published 11 June 2026 · 9 min read · Every claim sourced

The question every procurement form now asks

Any UK SME signing an HR, payroll, or benefits vendor in 2026 will see the same line in the procurement form: "Please confirm your security certifications." The drop-down lists two names — Cyber Essentials and ISO 27001 — and most SME buyers tick them without knowing what they actually cover, or what to do when the vendor says "we are aligned but not certified".

The two standards serve different purposes. One is a technical baseline written for SMEs by the UK government. The other is an international management-system standard typically held by larger organisations. A credible vendor can hold one, both, or neither — and the honest answer matters more than the badge.

This guide explains the practical scope of each, what to ask, and how to read the answer.

Cyber Essentials — what it actually means

Cyber Essentials is a UK government-backed scheme delivered by the National Cyber Security Centre (NCSC), operated through its delivery partner IASME. The scheme is "aligned to five technical controls designed to prevent the most common internet based cyber security threats" (NCSC, Cyber Essentials overview).

The five controls are:

  1. Firewalls — filtering traffic between the internet and internal networks.
  2. Secure configuration — locking down the default state of devices and software.
  3. User access control — restricting who can do what, with the lowest privilege necessary.
  4. Malware protection — detecting and stopping malicious software.
  5. Security update management — patching known vulnerabilities within defined timeframes.

There are two levels.

Cyber Essentials is a verified self-assessment signed off by a board member and reviewed by a licensed assessor. Certification starts at £320 + VAT for the smallest organisations and is priced by company size (NCSC, Cyber Essentials overview).

Cyber Essentials Plus covers the same five controls but adds independent, hands-on technical testing by a licensed Certification Body. Pricing varies by network complexity. It is the version the UK government and many enterprise buyers prefer to see.

IASME, the NCSC's "official Cyber Essentials Delivery Partner", manages a network of more than 400 UK certification bodies that issue the badges (IASME, NCSC, Cyber Essentials overview).

The scheme matters in procurement because of Procurement Policy Note 09/14, which has required Cyber Essentials certification for central government suppliers handling personal information or providing certain ICT services since 1 October 2014 (gov.uk, PPN 09/14). Many local authorities, NHS trusts, and large private buyers have since adopted the same baseline in their own supplier requirements.

ISO 27001:2022 — what it actually means

ISO/IEC 27001:2022 is the international standard for an Information Security Management System (ISMS) — published by the International Organization for Standardization and the International Electrotechnical Commission (ISO/IEC 27001:2022, iso.org).

The 2022 revision restructured Annex A into 93 controls across four themes — organisational, people, physical, and technological — replacing the 114 controls of the 2013 version. Vendors still on the 2013 version are running an outdated baseline; the transition deadline for existing certificates closed on 31 October 2025.

Certification is not a self-assessment. An accredited certification body conducts a Stage 1 documentation review followed by a Stage 2 on-site audit of the ISMS in operation. A certificate is then issued for a three-year cycle, with annual surveillance audits and a full recertification audit in year three.

The cost is the reason most SMEs do not hold it. A first ISO 27001 certification for a small UK SaaS company typically costs £15,000 to £40,000+ in consulting, implementation, and audit fees, plus a recurring annual surveillance cost. The standard is also process-heavy: it requires a documented risk-treatment plan, an internal audit programme, management review minutes, and demonstrable continual improvement.

ISO 27001 says nothing about whether the vendor has a firewall switched on. It says the vendor has a management system that decides where firewalls belong and proves it works.

The key difference — process vs perimeter

The two standards do not overlap as much as the procurement form implies.

  • Cyber Essentials is a control baseline. It checks that five technical defences are in place across the IT estate that is in scope. It is cheap, quick, and aimed at SMEs.
  • ISO 27001:2022 is a management system. It checks that the organisation has a repeatable process for identifying risks, choosing controls, and improving them over time. It is expensive, slow, and aimed at organisations that can sustain the overhead.

A vendor can hold both — many do. A vendor can hold one — usually Cyber Essentials in the SME tier, ISO 27001 in the enterprise tier. A vendor can hold neither and still operate to a defensible standard, but only if the underlying policies and evidence exist on paper.

Treat the badges as shorthand for what is underneath, not as a substitute for asking.

What "ISO 27001 aligned" actually means

Many UK SaaS vendors describe themselves as "ISO 27001 aligned" or "self-assessed against ISO/IEC 27001:2022". That phrase has no formal definition. It can mean anything from a fully documented ISMS that has not yet been audited, to a marketing line written without reading the standard.

If a vendor uses the phrase, the diligence question is simple: show me the evidence. A credible "aligned" vendor should be able to produce on request:

  • A written Information Security Policy signed by the senior leadership.
  • An inventory of policies covering each of the 93 Annex A control areas — access control, supplier relationships, cryptography, incident response, business continuity, secure development, and the rest.
  • A risk assessment and Statement of Applicability showing which controls apply and why.
  • Evidence the policies are in operation — access reviews, vulnerability scans, change records, training logs.
  • An internal audit programme and management review minutes.
  • A documented incident-response plan and a sub-processor register.

If the vendor can show those, "aligned" is meaningful. If they cannot, it is marketing — and a thirty-second email reply asking "what does your ISMS cover under Annex A.5 — Information Security Policies?" will usually settle the point.

Ten questions to put to an HR or benefits vendor

A focused diligence pack for a UK SME procurement team:

  1. Are you Cyber Essentials or Cyber Essentials Plus certified? If yes, what is the certificate date and which IASME certification body issued it?
  2. Are you ISO 27001:2022 certified? If yes, what is the certificate number, the accredited body, and the certificate scope?
  3. What does the scope cover — the whole company, only the production environment, or only a specific product line?
  4. Where is customer data hosted? Which region, which provider, and is the data ever transferred outside the UK or EEA?
  5. What encryption is applied at rest and in transit, and which key-management service controls the keys?
  6. Who are your sub-processors? Is there a published list and a notification process for changes?
  7. What is your data-retention position for active customers and on termination?
  8. What is your incident-response process and what is the contractual notification window?
  9. Will you sign a UK GDPR-compliant Data Processing Agreement as the data processor, and is the standard DPA available to review before contract?
  10. What is your business-continuity and disaster-recovery position — RPO, RTO, and last successful test date?

The answers to those ten questions tell you more than any certification badge. A vendor that answers all ten plainly is doing the work. A vendor that deflects on three or more is not ready for an SME with regulated data.

A practical decision framework

For a typical 50-person UK SME storing salary data, National Insurance numbers, bank details, and health-related benefits records, the practical bar in 2026 is:

  • Cyber Essentials is the minimum. It is cheap, fast, and government-backed. A vendor that cannot reach the £320 entry-level certification is signalling something.
  • Cyber Essentials Plus is the realistic baseline for a vendor handling regulated data at any scale.
  • ISO 27001:2022 certified is the gold standard — but it is rare among SME-priced vendors. Do not refuse to contract on its absence; ask what the vendor is doing instead.
  • "ISO 27001 aligned" is acceptable if backed by the evidence list above. Ask for it. Read it.

The combination of one government-backed certification plus a written ISMS with evidence of operation is a defensible position for most UK SME buyers.

How WagePerks honestly stands today

WagePerks is ISO 27001 aligned — self-assessed against ISO/IEC 27001:2022, with the policy set, risk register, Statement of Applicability, and incident-response plan documented and available on request. WagePerks is not currently ISO 27001 certified and is not currently Cyber Essentials certified. Certification of both is on the 2026/27 roadmap.

The current security posture:

  • Hosting: AWS, eu-west-2 (London) region. UK data residency by default.
  • Encryption: at rest via AWS KMS; in transit via TLS 1.2 or higher.
  • Access control: least-privilege role-based access; audit logs retained.
  • Mobile: full feature parity in any modern browser; native iOS and Android apps launching Q3 2026.
  • GDPR: UK GDPR-compliant Data Processing Agreement available on request; sub-processor list available on request.
  • Retention: documented retention schedule per data category — see /policies/data-retention/.

The full statement, including sub-processor list and incident-response process, sits at /security/. If a question is not answered there, the procurement contact will get a written answer within two working days.

WagePerks is £4.50 per employee per month, eleven modules, white-label included, rolling monthly — pricing at /pricing/, company background at /about/.

Sources

Sources verified 2026-06-11. We re-verify quarterly.
