Cybersecurity training for UK security teams: what enterprise buyers need to know

Before a platform reaches your analysts, it has to clear procurement, satisfy InfoSec, pass legal review, and in many organisations survive a finance sign-off that nobody budgeted for. For UK security teams, that process carries specific requirements.

Cybersecurity training for UK security teams: what enterprise buyers need to know
Cybersecurity traiing for UK security teams: what enterprise buyers need to know

Buying cyber security training for an enterprise security team is rarely just a training decision. Before a platform reaches your analysts, it has to clear procurement, satisfy InfoSec, pass legal review, and in many organisations survive a finance sign-off that nobody budgeted for.

For UK security teams, that process carries specific requirements. UK GDPR, the Data Protection Act 2018, internal vendor risk frameworks, and increasingly stringent supplier onboarding standards mean that where a vendor is incorporated, how they handle data, and what certifications they hold are legitimate blockers that can delay or kill a purchase entirely.

Does it matter if your cyber security training vendor is UK-incorporated?

For UK enterprise buyers, vendor jurisdiction has practical consequences that surface early in the procurement process.

A UK-incorporated vendor means contracts are governed by UK law. For legal and procurement teams, this removes the complexity of cross-jurisdictional agreements that can arise when buying from vendors incorporated elsewhere. There is no ambiguity about which country's law applies and no transatlantic redline cycles to manage.

UK VAT registration matters for finance teams. It means invoicing works exactly as it would with any other UK supplier, with no foreign currency conversion or withholding tax considerations to navigate.

When evaluating any cyber security training vendor, buyers should ask: where is the vendor incorporated, under which legal jurisdiction are contracts governed, and are they UK VAT registered?

TryHackMe Ltd is a private limited company incorporated in England and Wales in 2018. Contracts are governed by UK law. TryHackMe is UK VAT registered.

Does it matter where your cyber security training vendor hosts your data?

Yes. Data residency determines which data protection laws apply, whether personal data transfers are lawful, and how straightforward your Data Processing Agreement will be to sign off. It is one of the first questions a UK enterprise InfoSec or legal team will ask of any SaaS vendor.

For UK buyers, the key question is whether data is hosted within the UK or the EEA. Under the UK's post-Brexit adequacy regulations, the EEA remains an approved destination for personal data transfers from the UK, meaning no additional legal mechanism is required to justify the transfer.

For vendors hosting data outside the EEA, buyers should confirm what transfer mechanism the vendor relies on under UK GDPR, as this can add legal complexity and time to the procurement process.

Buyers should ask: where is data hosted, in which cloud region, and is that region within the UK or EEA?

TryHackMe hosts customer data on AWS in the eu-west-1 region, located in Dublin, Ireland. This sits within the EEA, meaning data transfers from the UK require no additional legal mechanism under current UK adequacy regulations.

What security certifications should a UK enterprise buyer require?

Security certifications give procurement and InfoSec teams independently verified evidence that a vendor manages information security to a recognised standard. For UK enterprise buyers specifically, two certifications are worth requiring.

The first is ISO/IEC 27001. This is an internationally recognised standard for information security management. Achieving certification requires an organisation to implement and maintain a documented security management system covering areas including data security, access control, incident management, and disaster recovery, and to have that system independently audited. Buyers should confirm that a vendor holds the current version of the standard, ISO/IEC 27001:2022, rather than an older iteration.

The second is Cyber Essentials. This is a UK government-backed certification scheme developed by the NCSC (National Cyber Security Centre), the UK's national authority on cyber security. It sets a baseline of cyber hygiene controls that organisations must demonstrate before they can be certified. Cyber Essentials carries particular weight for UK enterprise buyers because it is the standard the UK government requires of its own suppliers.

Buyers should ask: does the vendor hold ISO/IEC 27001:2022 certification, and are they Cyber Essentials certified?

TryHackMe holds ISO/IEC 27001:2022 certification and is Cyber Essentials certified.

What does genuine data protection compliance look like?

For UK enterprise buyers, data protection compliance determines whether your organisation can lawfully share employee data with a training vendor. Under UK GDPR, any vendor that processes personal data on your behalf must do so under a lawful basis, with appropriate technical and organisational measures in place, and under a signed Data Processing Agreement that sets out each party's obligations.

Buyers should understand what meaningful compliance looks like in practice. A vendor with documented data processing activities, a named Data Protection Officer, and a signed DPA is in a materially different position from one that lists GDPR compliance as a feature without supporting evidence.

Buyers should ask: is the vendor UK GDPR compliant, do they adhere to the Data Protection Act 2018, and is a Data Processing Agreement available to sign?

TryHackMe processes personal data in accordance with UK GDPR, the EU GDPR where applicable, and the Data Protection Act 2018. A Data Processing Agreement is available to sign as part of the standard procurement process.

Vendor evaluation criteria for UK enterprise buyers

CriteriaWhat to look forTryHackMe
Legal incorporationUK-registered entity, UK governing lawUK Ltd, incorporated in England and Wales 2018
VAT registrationUK VAT registered for clean invoicingUK VAT registered
Data hostingEEA or UK regionAWS eu-west-1, Dublin, Ireland
ISO 27001Current 2022 versionISO/IEC 27001:2022 certified
Cyber EssentialsNCSC-backed UK government schemeCyber Essentials certified
UK GDPR complianceUK GDPR and DPA 2018Confirmed compliant

Do enterprises train on TryHackMe?

TryHackMe is used by over 1,000 security teams globally, including enterprise clients across technology, government, and financial services.

Want to turn theoretical cyber security training into proven capability? Explore TryHackMe for Business