Cyber Essentials vs. HITRUST vs. SOC 2: Which One Do You Actually Need? SMB Security 101

A client asks for “your SOC 2.” A prospect’s vendor questionnaire mentions HITRUST. A partner in the UK mentions Cyber Essentials. All three sound like cybersecurity certifications you might need. They are not the same thing, and most small businesses do not need any of them yet.

This post lays out the differences in plain English: what each one is, who asks for it, what it costs, and what size of business it fits.

The three frameworks in one sentence each

  • UK Cyber Essentials is a UK government-backed baseline cybersecurity certification scheme aimed at small organizations. It covers five technical control areas and is verified either by an assessor-reviewed self-assessment questionnaire (Cyber Essentials) or by additional hands-on technical testing, typically a one-day engagement for a small organization (Cyber Essentials Plus).
  • HITRUST CSF is a US healthcare-focused, prescriptive control framework with three tiers of certification (e1, i1, r2) whose requirements map to HIPAA, NIST, ISO 27001, and several other standards. It is administered by HITRUST, a private organization.
  • SOC 2 Type II is an AICPA-defined attestation report produced by a licensed CPA firm, reporting on how a service organization’s controls were designed and operated over an observation period (typically 6 to 12 months) against the AICPA Trust Services Criteria.

All three are real, all three are credible, and they solve different problems for different audiences.

What each framework actually covers

UK Cyber Essentials

Launched by the UK government in 2014 and now run by the National Cyber Security Centre (NCSC), which did not exist until 2016. It is the baseline cybersecurity requirement for organizations bidding on UK government contracts that involve handling personal or sensitive information. Five technical control areas: firewalls and internet gateways, secure configuration, user access control, malware protection, and security update management.

Two levels: Cyber Essentials (a self-assessment questionnaire reviewed by a certification body) and Cyber Essentials Plus (the same controls, plus hands-on technical verification by an assessor, including vulnerability scans and checks on a sample of devices). The self-assessment version is intentionally accessible to small organizations.

It is concrete, technical, and narrow. It does not address governance, risk management, vendor oversight, or incident response. It does not produce an attestation report a customer can read. Certificates are valid for 12 months, so it is an annual exercise, not a one-time credential.

HITRUST CSF

HITRUST CSF (Common Security Framework) consolidates HIPAA, NIST SP 800-53, ISO 27001, PCI DSS, and several state laws into a single set of testable controls. Most commonly required by large healthcare payers, health systems, and pharma companies of their downstream vendors and business associates.

Three certification tiers in the current CSF lineup:

  • e1 (Essentials, 1-year): entry tier, roughly 44 requirement statements
  • i1 (Implemented, 1-year): intermediate, roughly 180 requirement statements
  • r2 (Risk-based, 2-year): comprehensive, several hundred requirement statements calibrated to the organization’s risk factors, with an interim assessment at the one-year mark

The assessment is performed by a HITRUST-authorized External Assessor firm; HITRUST then reviews the submission, issues the certification and formal report, and lists the certified entity publicly. It is the dominant security certification in US healthcare-adjacent B2B procurement.

SOC 2 Type II

SOC 2 is an attestation, not a certification. A licensed CPA firm, working under AICPA attestation standards, examines your controls against the Trust Services Criteria (security, availability, processing integrity, confidentiality, privacy). Security (the “common criteria”) is mandatory; the other four are selected based on what you commit to customers. The CPA issues a report, and the report is the deliverable; there is no certificate or registry.

Type I reports on control design at a point in time. Type II reports on design AND operating effectiveness over an observation window, typically 6 to 12 months (3 months is the usual minimum for a first report). Type II is what enterprise customers ask for.

SOC 2 is the dominant security attestation in US B2B SaaS. Almost every mid-market and enterprise software buyer’s security questionnaire asks for it before signing a contract above some threshold.

Who actually asks for each one

This is the most important question, because it determines whether you should care.

Cyber Essentials is asked for if

You sell to UK government bodies or their prime contractors, you have UK-based clients with formal procurement processes, or you operate primarily in the UK and want a recognized baseline credential.

If you are a US small business that does not sell to UK customers, no US buyer is going to ask for the UK Cyber Essentials scheme. (Worth noting: our paid Cyber Essentials bundle uses the name in a broader sense, referring to a foundational set of 12 written policies. The UK government scheme is separate and narrower. If a US customer asked you for “Cyber Essentials,” confirm which they mean. Nine times out of ten they mean the broader policy set.)

HITRUST is asked for if

You are a vendor to large hospital systems, payers, or pharma companies, you handle PHI at scale on behalf of a covered entity, or your customer’s procurement team specifies “HITRUST certified or willing to begin certification within X months.”

HITRUST is rare outside healthcare-adjacent B2B. A 4-person dental practice will never be asked for HITRUST: it is a covered entity itself, not a vendor to one, and what it needs is HIPAA-aligned documentation, not a HITRUST certification.

SOC 2 is asked for if

You sell software-as-a-service to mid-market or enterprise US customers, you handle customer data in your cloud (you are a “service organization” in AICPA terms), and your annual contracts are large enough that buyers run formal security reviews (roughly $25K+ ACV is where SOC 2 requests appear routinely).

SOC 2 is the most commonly asked-for credential in US B2B software. It is cheaper than HITRUST, but for a typical US SaaS company it is the most expensive and slowest credential they will actually be required to obtain.

The honest cost picture

Real 2025-2026 ranges for small organizations. Orders of magnitude are stable even as exact numbers shift.

Framework                            First-year cost           Timeline
───────────────────────────────────  ────────────────────────  ──────────────
Cyber Essentials (self-assessment)   $400-$800 + ~30h internal  4 to 8 weeks
Cyber Essentials Plus                $2,000-$5,000 + ~60h       8 to 12 weeks
HITRUST e1                           $25,000-$50,000            4 to 6 months
HITRUST i1                           $50,000-$120,000           6 to 9 months
HITRUST r2                           $150,000-$500,000+         9 to 18 months
SOC 2 Type II (small org)            $25,000-$75,000            9 to 14 months

These are not list prices; they are what small organizations actually spend after readiness work, tooling, and the CPA or assessor invoice. (Cyber Essentials fees are set in GBP by the scheme’s delivery partner and tiered by organization size; the dollar figures above are an approximate conversion.) A 5-person SaaS startup chasing SOC 2 should plan on roughly 6 months of sustained internal effort spread across a 9-to-14-month calendar (readiness work, then the observation window, then auditor fieldwork and report issuance) and around $40K of cash out the door. A solo dental practice does not need any of these.

When SMBs actually need each one

A direct read.

You need Cyber Essentials if

You sell to UK customers who explicitly ask for it. Otherwise, no.

You need HITRUST if

A major healthcare customer has told you in writing that they will not renew or expand the contract without it. Pursuing HITRUST speculatively before that demand exists is a waste of small-business capital.

You need SOC 2 if

You are losing deals because mid-market or enterprise prospects’ procurement teams cite the lack of a SOC 2 report. Specifically, the lack of it has cost you at least one named deal in the last 12 months, or two of the next 12 months’ largest prospective deals will require it. If neither is true, you are not ready to invest yet.

You need NONE of these if

You are a sub-50-person business serving small business customers, no one has asked you for any of these credentials, and your immediate goal is satisfying a cyber insurance application or onboarding a new healthcare client (where HIPAA-aligned policies, not a HITRUST report, are what gets asked for).

This is the most common honest answer and the hardest to sell, because compliance vendors do not make money telling you to wait. Most 5-to-25-person businesses do not need any of these three frameworks. They need written policies mapped to recognized standards (NIST CSF, ISO 27001, CIS Controls), an annual risk assessment, and evidence of basic security hygiene. That foundation is what underwriters, healthcare clients, and most B2B buyers will accept until you grow into formal certification.

The decision tree

A three-question version:

  1. Is a customer or insurer demanding a specific framework in writing? If yes, pursue that one. If no, go to question 2.
  2. Are you losing real deals because of the absence of a security credential? If yes, the credential the buyers cite is the one worth pursuing. If no, go to question 3.
  3. Are your existing written policies good enough to pass a cyber insurance application and a standard customer security questionnaire? If yes, that is your priority for the next 12 months. If no, fix the policies first. Frameworks come after.

Most SMBs end at question 3.

If you want help figuring out where you are

This is genuinely consulting work, not a product-shaped problem. Email support@breachsecurity.io with three things:

  • What your business does and roughly how many employees you have
  • What credential or document a customer or insurer has actually asked you for (paste the email if possible)
  • What you already have in place (policies, prior audits, certifications)

We will reply with a recommendation. Sometimes it is “you need our Cyber Essentials bundle, here is why.” Sometimes it is “you should start a SOC 2 readiness engagement with a CPA firm, here are three we have worked with.” Sometimes it is “you do not need to spend money on any of this for the next 18 months, focus on revenue.” We will tell you which one you are.

Need help figuring out which policies fit your business? Email us and we will scope it in 24 hours.
