ISO 27001 Certification in the UK — Everything You Need to Know

A practical guide to getting ISO 27001 certified in the UK — covering costs, the certification process, how to choose an auditor, and the fastest route to your first certificate.

What Does ISO 27001 Certification Actually Mean in the UK?

ISO 27001 is an internationally recognised standard for information security management. In the UK, certification is increasingly required by enterprise clients, government frameworks, and procurement processes — particularly in IT services, SaaS, managed services and professional services.

Achieving ISO 27001 certification means an independent certification body has audited your Information Security Management System (ISMS) and confirmed it meets the requirements of the standard. It’s not a self-assessment — it requires an external audit.

The certificate typically lasts three years, with annual surveillance audits to maintain it.

The ISO 27001 Certification Process in the UK

The certification process is the same whether you use a UK-based or an international certification body. It follows a structured sequence that typically takes 8–12 weeks once your ISMS is ready.

1. Build your ISMS

Establish your scope, complete your risk assessment, implement your controls and produce your mandatory documentation. This is the bulk of the work — typically 60–90 days for an SME starting from scratch.

2. Stage 1 Audit — Documentation Review

Your chosen certification body reviews your documentation to confirm you’re ready for Stage 2. They’ll flag any gaps before the main audit — giving you a chance to fix them.

3. Stage 2 Audit — Evidence Review

The auditor verifies that your ISMS is operational — not just documented. They’ll interview staff, review records and test controls. Non-conformances raised here must be addressed before certification is granted.

4. Certificate Issued

Once any non-conformances are closed, your certificate is issued. It is valid for three years, with annual surveillance audits and a recertification audit in year three.

Choosing a UK Certification Body

In the UK, UKAS (United Kingdom Accreditation Service) is the national accreditation body. A UKAS-accredited ISO 27001 certificate is universally recognised — required for government procurement, NHS contracts and most enterprise supplier frameworks. However, there are also auditors who offer non-accredited

UKAS Accredited

The gold standard for UK certification — widely required for government and enterprise contracts.

Non-Accredited

A faster, cheaper route. Recognised by many commercial clients but not government frameworks.

Factor                     | UKAS Accredited         | Non-Accredited
Government contracts       | ✓ Required              | ✗ Not accepted
Enterprise clients         | ✓ Always accepted       | Often accepted
Audit timeline             | 3 months min evidence   | Can be faster
Typical cost (SME)         | £5,500–£12,000          | £1,500–£4,000
Annual surveillance        | ✓ Required              | Varies by body
International recognition  | ✓ IAF MLA member        | Limited

How Long Does ISO 27001 Certification Take in the UK?

Timeline depends on where you’re starting from, how many resources you can commit, and which type of certification you’re targeting. Here’s a realistic view for a UK SME.

Weeks 1 to 2: Kick-off & Scope

Define your ISMS scope, assign roles, establish your Information Security Policy.

Weeks 3 to 4: Risk Assessment

Identify and evaluate information security risks, build your risk treatment plan.

Weeks 5 to 6: Statement of Applicability

Evaluate all 93 Annex A controls and document your decisions in the SoA.

Weeks 7 to 9: Implementation & Evidence

Implement controls, run internal audit, conduct management review.

Weeks 10 to 11: Certification Audit

Either the Stage 1 audit with your chosen UKAS certification body, or the non-accredited audit, after which certification is awarded.

+1 to 3 months (depending on auditor): Stage 2 Certification (UKAS only)

Data and record build-up demonstrating the running of your ISMS.

ISO 27001 Certification Costs in the UK

Costs vary significantly depending on whether you use a consultant, DIY with templates, or take a hybrid approach. The two main costs are implementation (getting ready) and auditor fees (the certification body’s charges).

Do-It-Yourself

Self-Implemented

£2,000–£6,000 total. Templates + auditor fees. Requires significant internal time investment.

Coaching

Guided Consultancy

£5,500–£12,000 total. Fixed-fee consultant + auditor fees. Faster, lower risk of failure.

Third-Party

Traditional Consultancy

£15,000–£40,000+. Full-service engagement. Slower, higher cost, usually for larger organisations.


My ISO 27001 cost & complexity calculator

Not sure how much, how long, or how complex your ISO 27001 implementation will be?

Find out here with my rapid calculator tool.

Full cost breakdown guide

I’ve gone into greater detail about overall costs in the following article:

📖 ISO 27001 certification costs in the UK — complete guide

Ready to Get ISO 27001 Certified in the UK?

Fixed-fee consultancy, fully remote, with a first-pass guarantee. Most UK clients certified within 90 days. Book a free 30-minute discovery call to discuss your timeline and requirements.

What UK Clients Say

A sample of some of my client feedback:

★★★★★
"Kept us on task and made sure we sailed through our assessment. Highly recommend!"
Jenna Cooper, Helpthemove, UK

★★★★★
"A great, down-to-earth, no-nonsense help in achieving our UKAS-accredited ISO 27001 certification."
Bryn, Periculum Security Group, UK

FAQs

Do I need UKAS accreditation for ISO 27001 in the UK?

Not always. UKAS accreditation is required for government procurement and NHS contracts, but many commercial clients accept non-accredited certificates — especially in the early stages of a supplier relationship. If you’re unsure, check your client’s contract requirements before committing to a certification body.

How much does ISO 27001 certification cost in the UK?

For a UK SME, total costs typically range from £3,500 to £15,000 depending on approach. This includes both implementation (consultant or DIY) and auditor fees. UKAS-accredited auditors for smaller organisations typically charge £2,500–£6,500 for the initial certification audit.

How long does ISO 27001 certification take in the UK?

Most UK SMEs achieve certification within 90 days when they have dedicated resource and expert guidance. The fastest UKAS-accredited certification we’ve delivered was 68 days. Non-accredited certificates can be achieved faster — as quickly as 20 days in some cases.

Which certification bodies offer ISO 27001 in the UK?

UKAS-accredited bodies operating in the UK include BSI, Bureau Veritas, DNV, LRQA, NQA and Alcumus ISOQAR. For non-accredited certificates, there are additional options. Fees vary significantly between bodies — always get at least two or three quotes.

Can a small business get ISO 27001 certified in the UK?

Yes — ISO 27001 is designed to be scalable. Some of the easiest certifications to achieve are for small, well-defined organisations with a clear scope. A five-person SaaS company can be certified just as legitimately as a 500-person enterprise — the ISMS just looks different.

How long is my ISO 27001 certificate valid for?

ISO 27001 certification is valid for three years and requires an organisation to undergo annual surveillance audits to maintain compliance.

ISO 27001 Certification Articles

Everything you need to know about getting ISO 27001 certified — costs, choosing an auditor, what happens at each audit stage, and how to prepare.

How to Pass Your ISO 27001 Audit First Time
My guide on ISO 27001 audit tips for how to make sure you pass your ISO 27001 certification first time.

ISO 27001 Certification: UKAS vs Non-UKAS — Does It Matter?
Explore the differences between UK certifications: UKAS vs non-accredited certificates. How they differ, and does it matter?

ISO 27001 Surveillance Audits: What to Expect
What happens after certification? The surveillance audits in years 1 and 2 and the recertification audit in year 3, explained.

What Do ISO 27001 Auditors Actually Look For?
ISO 27001 auditors go well beyond checking your policy documents. Here's what experienced ISO 27001 auditors actually look for.

ISO 27001 ROI: How to Measure the Value of Certification
ISO 27001 is an investment, but what do you actually get back? This guide explains how to measure the ROI of certification.

How to Choose an ISO 27001 Certification Body (UK Guide)
Not all ISO 27001 certification bodies are equal. This guide explains UKAS-accredited and non-accredited bodies, how to shortlist, and what to ask.

How to Prepare for an ISO 27001 Stage 2 Audit
How to prepare for an ISO 27001 Stage 2 audit: what evidence auditors examine, and how to make sure your team is ready on the day.

How to Prepare for an ISO 27001 Stage 1 Audit
Learn what happens in an ISO 27001 Stage 1 audit, what the auditor is looking for, and how to be ready on the day so you can move confidently to Stage 2.

How Long Does ISO 27001 Take?
A realistic timeline for ISO 27001 from kick-off to certified, and what speeds the process up and what slows it down.

What Happens If You Fail an ISO 27001 Stage 2 Audit?
Failing an ISO 27001 Stage 2 audit doesn't mean the end of your certification journey. Here's what actually happens — and how to avoid being in that position.