Exploring the Paths to ISO 27001 Certification
Learn how ISO 27001 certification works, and work out which route is best for your organisation.
Getting ISO 27001 – Which Certification is Right for You?

This article explores the key differences between the two certification paths, outlines their respective pros and cons, and helps you determine which approach is most suitable for your organisation’s goals. Whether you’re aiming for formal assurance or looking for a pragmatic starting point to improve your security posture, understanding these routes will ensure your investment in ISO 27001 pays off in the ways that matter most to your business.
One of the first decisions you’ll face on the path to certification is choosing the type of certification body to work with. Not all certifications are created equal, and the route you choose—UKAS-accredited certification versus a general, non-accredited certification—can influence timelines, cost, credibility, and market perception. It’s not just about getting the certificate; it’s about understanding what that certificate represents to your clients, partners, regulators, and stakeholders.
When aiming for ISO 27001 certification, organisations typically face two primary routes: UKAS Certification and General Certification. Each path offers different benefits, costs, timelines, and levels of recognition. Understanding these differences will help you choose the route that best aligns with your organisation’s goals and requirements.
What Are the Two Main Certification Types?
1. UKAS Certification
UKAS-accredited certification is issued by certification bodies that UKAS (the United Kingdom Accreditation Service) has formally accredited to certify against ISO 27001. UKAS itself does not issue certificates; it assesses the bodies that do. This path is known for its high level of rigour and credibility.
- What it means: UKAS-accredited bodies have been independently assessed against the international standards for certification bodies (ISO/IEC 17021-1, supplemented by ISO/IEC 27006 for ISMS certification) to confirm their competence and impartiality, and they are reassessed on an ongoing basis.
- Benefits:
- Recognised in the UK and internationally.
- Often required for government contracts or regulated industries.
- Signifies high assurance and trust in your Information Security Management System (ISMS).
- Time & Cost:
- Typical duration: 6–9 months
- Estimated cost: £11,000 to £15,000
- Evidence requirements: Six months of operational evidence (risk assessment results, internal audit, management review, incident and access records, and so on) is usually needed before certification can be granted. Expect a Stage 1 (documentation) audit followed by a Stage 2 (implementation) audit, then a three-year certificate cycle with annual surveillance audits.
2. General Certification
This refers to ISO 27001 certification provided by non-UKAS-accredited bodies. While not carrying the same level of formal recognition, it’s still a valid way to demonstrate your commitment to information security.
- What it means: Certification is still based on ISO 27001 requirements, but the certifier is not officially accredited by a national accreditation service.
- Benefits:
- Faster and more affordable.
- Suitable for organisations seeking internal improvement or with less stringent regulatory needs.
- Time & Cost:
- Typical duration: 6–8 weeks
- Estimated cost: £3,000 to £5,000
- Evidence requirements: Begins with documentation-based audit; evidence builds up in future assessments.
For a breakdown of likely ISO 27001 costs, please review my ISO 27001 Costs of Certification article.
Which Path Should You Choose?
Here’s a quick comparison to guide your decision:
Factor | UKAS Certification | General Certification |
---|---|---|
Accreditation | UKAS-accredited | Not accredited |
Recognition | High, formal recognition (UK and global) | Lower, informal recognition |
Time to Certify | 6–9 months | 6–8 weeks |
Audit Cost | £11k – £15k | £3k – £5k |
Evidence Requirements | Six months of prior evidence needed | Documentation at start; evidence builds |
Best For | High-assurance needs, government contracts | Fast, cost-effective certification |
UK-Based (UKAS-Accredited) ISO 27001 Certification Bodies
These organisations are UKAS-accredited, meaning their ISO 27001 certifications carry formal recognition under international accreditation standards. Because UKAS is a signatory to the IAF Multilateral Recognition Arrangement (MLA), certificates issued under its accreditation are recognised by other signatory accreditation bodies worldwide. Before you sign a contract, confirm the body's current accreditation scope in the UKAS online directory; many accredited certificates can also be checked on IAF CertSearch.
Certification Body | Accreditation | Website |
---|---|---|
BSI Group (British Standards Institution) | UKAS | https://www.bsigroup.com |
LRQA (Lloyd’s Register Quality Assurance) | UKAS | https://www.lrqa.com |
SGS UK | UKAS | https://www.sgs.co.uk |
Alcumus ISOQAR | UKAS | https://www.alcumus.com/isoqar |
NQA | UKAS | https://www.nqa.com |
QMS International | UKAS (for some services) | https://www.qmsuk.com |
US-Based ISO 27001 Certification Bodies
In the US, certification bodies may be accredited by ANAB (ANSI National Accreditation Board) or a similar national accreditation body. ANAB, like UKAS, is an IAF MLA signatory, so an ANAB-accredited ISO 27001 certificate carries equivalent international recognition. Some bodies also offer non-accredited ISO 27001 certifications for cost-sensitive or internal use cases.
Certification Body | Accreditation | Website |
---|---|---|
BSI Group America | ANAB | https://www.bsigroup.com/en-US |
Perry Johnson Registrars (PJR) | ANAB | https://www.pjr.com |
TÜV SÜD America | ANAB | https://www.tuvsud.com/en-us |
DNV (Det Norske Veritas) | ANAB | https://www.dnv.com |
Intertek | ANAB | https://www.intertek.com |
Schellman & Co. | ANAB (also known for SOC 2 audits) | https://www.schellman.com |
Final Thoughts
ISO 27001 certification isn’t one-size-fits-all. The route you take—UKAS-accredited or general certification—depends on a variety of factors, including your industry, customer expectations, regulatory obligations, and budget.
UKAS-accredited certification is the gold standard for organisations that need internationally recognised assurance, often essential for securing government contracts or demonstrating compliance in highly regulated sectors. It’s rigorous, takes time, and demands operational maturity—but the return in credibility and trust can be substantial.
On the other hand, general certification offers a lower-cost, faster alternative for organisations seeking to benchmark themselves, satisfy internal stakeholders, or build momentum toward future accreditation. While it doesn’t carry the same level of formal recognition, it’s still grounded in the ISO 27001 standard and can serve as a valuable stepping stone.
Ultimately, the right path is the one that aligns with your strategic goals. If you’re uncertain which approach suits your business, or you’d like help preparing for either route, the team at Iseo Blue is here to guide you. Get in touch at info@iseoblue.com for practical, impartial advice tailored to your organisation’s needs.
FAQs
Is UKAS certification a legal requirement for ISO 27001?
No, UKAS certification is not legally required. However, many clients—particularly in regulated sectors or government supply chains—will expect or require it. It’s more about market expectations and credibility than legal obligation.
Can I start with general certification and upgrade to UKAS later?
Yes, many organisations begin with a general certification to get the benefits of an ISO-aligned ISMS quickly, and then transition to a UKAS-accredited certification once they have more evidence and resources. However, an accredited body cannot recognise a non-accredited certificate, so you will need to undergo a full initial audit (Stage 1 and Stage 2) again when switching providers.
Will clients care if I don’t use a UKAS-accredited body?
That depends on your clients. Some will be satisfied with any form of ISO 27001 certification, while others—especially those in finance, healthcare, or government—may require UKAS or equivalent accreditation. Always check what your target market expects.
Does a non-UKAS certification mean I’m not compliant with ISO 27001?
Not necessarily. The certification process still follows ISO 27001 requirements, but without the added assurance that comes from an accredited certification body being regularly assessed by a national authority like UKAS. It’s still compliance—but with less external validation.
What’s the biggest risk of choosing the cheaper route?
The main risk is perception. If a potential client or partner checks your certificate and sees it wasn't issued by an accredited body, they may question its legitimacy, even if your actual controls are solid. Due-diligence teams typically look for the accreditation mark (such as the UKAS symbol) on the certificate and confirm the issuing body in the accreditor's directory; a non-accredited certificate fails both checks. It can create a credibility gap in certain markets.