Comment by lwhi
For government tenders, I do know that agencies need certification. Maybe not ISO2001 (which is a security standard that many corporate procurement processes require the supplier to have obtained when purchasing software), but Cyber Essentials / Cyber Essentials Plus is common.
Cyber Essentials is a lot more of a PITA than 9001; it's very prescriptive in ways that cause all kinds of headaches without helping security.