The short answer is yes — you can self-declare conformity with ISO 27001 without engaging a certification body.
The longer answer is that self-declaration and third-party certification are different things that serve different purposes, and which is appropriate depends entirely on why you want the certification in the first place.
This distinction matters because organisations sometimes invest significant effort in implementing an ISMS to a high standard, then discover that what their customers actually require is a certificate issued by an accredited certification body — not a self-declaration. Understanding the difference before you start saves considerable time and money.
[Figure: Self-Declaration vs Third-Party Certification: What's the Difference? Caption: ISO 27001 does not require third-party certification, but your customers almost certainly do.]
What the Standard Says About Certification
ISO 27001 is a standard that specifies requirements for an Information Security Management System. Like most ISO management system standards, it can be used in three ways:
- Self-declaration of conformity — the organisation assesses its own ISMS against the standard and declares that it conforms, without independent verification
- Second-party audit — a customer or business partner audits the organisation’s ISMS against the standard as part of their supply chain management
- Third-party certification — an accredited certification body independently audits the ISMS and issues a certificate confirming conformity
The standard itself does not require third-party certification. Nothing in ISO 27001 says you must engage a certification body. The requirement for third-party certification comes from external sources: customers, regulators, contracts, or market expectations.
What Is Self-Declaration?
Self-declaration of conformity means that an organisation has assessed its own ISMS against the requirements of ISO 27001 and determined that it meets them. This can be a rigorous process — some organisations conduct thorough internal assessments using qualified internal auditors — and can result in an ISMS that genuinely conforms to the standard.
However, self-declaration has significant limitations in practice:
No independent verification. A self-assessment is only as reliable as the organisation conducting it. Without external review, there is no check on whether the assessment is accurate, whether auditors had the objectivity to identify gaps in their own organisation, or whether the standard has been correctly interpreted.
No certificate. A self-declaration does not result in a certificate issued by an accredited body. You cannot make the same commercial claim as an organisation with a third-party certificate.
Limited commercial value. In the markets where ISO 27001 certification is most valued — enterprise procurement, regulated industries, government contracting — self-declaration is typically not accepted as equivalent to third-party certification. A procurement team asking “are you ISO 27001 certified?” is almost always asking whether you hold a certificate from an accredited body.
[Figure: The ISO 27001 Certification Chain: Who Certifies Whom. Caption: Accreditation is what makes a certificate credible; always check your certification body is accredited.]
What Is Third-Party Certification?
Third-party certification involves engaging an accredited certification body — one that is accredited by a national accreditation body such as UKAS in the UK, DAkkS in Germany, or ANAB in the USA — to audit your ISMS against the requirements of ISO 27001.
The certification body’s auditors conduct:
- A Stage 1 audit reviewing your documentation and readiness
- A Stage 2 audit assessing the implementation and operation of your ISMS
If the audit results are satisfactory, the certification body issues a certificate confirming that your ISMS conforms to ISO 27001:2022. The certificate is valid for three years, subject to annual surveillance audits.
The certificate is an externally verifiable claim. Customers can confirm your certificate status through the certification body’s public register or through accreditation body databases. This verifiability is a large part of what makes third-party certification commercially valuable.
When Is Self-Declaration Appropriate?
Self-declaration is genuinely appropriate in certain circumstances — though it is less common in practice because most organisations pursuing ISO 27001 are doing so for commercial or contractual reasons that require third-party certification.
Internal assurance programmes. An organisation implementing ISO 27001 as a framework for improving its own security posture, without external pressure to certify, may choose to self-assess progress against the standard rather than invest in formal certification.
Preparatory assessment. Many organisations conduct an internal gap assessment against ISO 27001 as a precursor to certification — identifying gaps and improvement areas before engaging a certification body. This is not a self-declaration of conformity, but it uses similar methodology.
Supply chain participation. In some supply chain contexts, a customer may accept a self-assessed response to a security questionnaire or supplier assessment, particularly where the organisation is lower-risk and formal certification would be disproportionate.
Jurisdictions or sectors with lower certification expectations. In some markets, the market norm for security assurance is less formalised, and self-declaration or informal assessment may be sufficient to satisfy customer expectations.
When Is Third-Party Certification Required?
Third-party certification is required whenever:
Your customers or contracts require it. Enterprise procurement processes that specify ISO 27001 certification almost universally mean third-party certification from an accredited body. If a contract requires you to “maintain ISO 27001 certification”, self-declaration does not fulfil that obligation.
You want to make a credible public claim. Stating that your organisation is “ISO 27001 certified” without holding a third-party certificate is misleading and potentially in breach of advertising standards. Self-declaration of conformity is a different claim and should be described differently.
You operate in regulated industries. Some regulatory frameworks reference ISO 27001 certification explicitly and require third-party evidence. Financial services, healthcare, and public sector suppliers in many jurisdictions fall into this category.
You are targeting enterprise customers. Enterprise security questionnaires typically ask whether certification was conducted by an accredited body. The answer “we have self-assessed” will, in most cases, not satisfy the question.
The Cost Comparison
Third-party certification involves two main cost components: the cost of the certification body’s audit fees, and the internal cost of implementing and maintaining the ISMS.
Audit fees from accredited certification bodies vary with organisation size, scope complexity, and the body chosen. For a small organisation (under 50 people), Stage 1 and Stage 2 audit fees combined typically range from £4,000 to £8,000, with annual surveillance audits costing £2,000–£4,000. Larger organisations pay more.
Self-declaration avoids audit fees but incurs the same or greater internal costs — implementing the ISMS requires the same work whether you certify formally or not, and a thorough self-assessment process requires qualified internal resource.
The relevant comparison is therefore not “certification cost vs no cost” but “audit fees vs the value of the certificate to the business”. For any organisation where ISO 27001 certification is a commercial requirement or competitive differentiator, the audit fee is typically modest relative to the contracts it unlocks.
A Middle Path: Internal Audit with External Verification
Some organisations choose a path between pure self-declaration and full third-party certification: they implement an ISMS, conduct a rigorous internal audit using qualified internal auditors, and then engage an external consultant (not a certification body) to review and validate their internal assessment before seeking certification.
This can be useful as a pre-certification health check — identifying gaps before the formal audit and avoiding the cost of a Stage 2 finding that requires remediation before certification can proceed. It is not a substitute for third-party certification and should not be presented as one.
What Auditors Actually Verify
For organisations proceeding to third-party certification, it is worth understanding what auditors verify and what the certificate actually attests to.
Certification does not mean your organisation has zero information security risk, or that it has implemented every possible security control. It means that your ISMS meets the requirements of ISO 27001 — that you have a functioning management system for information security, with appropriate risk identification, treatment, monitoring, and improvement processes in place.
This distinction matters because some organisations go into the certification process expecting a comprehensive security audit — a thorough assessment of whether all their controls are effective. That is not what ISO 27001 certification is. An auditor samples your controls and assesses your management system; they do not penetration test your systems or comprehensively verify every control implementation.
Common Mistakes
Claiming ISO 27001 certification without a third-party certificate. Describing yourself as “ISO 27001 certified” when you have only self-assessed creates legal and reputational risk. Self-declaration should be described as such — “conforming to ISO 27001” or “aligned with ISO 27001” rather than “certified.”
Assuming self-declaration will satisfy procurement requirements. Always confirm what a customer or contract actually requires before investing in either path. Discovering mid-process that formal certification is required is a costly mistake.
Choosing a non-accredited certification body to reduce cost. Some lower-cost “certification” bodies are not accredited by national accreditation bodies. Their certificates do not carry the same weight and are frequently rejected by enterprise procurement teams. Always verify that your chosen certification body holds accreditation from a recognised national body.
FAQs
Can we display the ISO 27001 logo if we self-certify?
No. The ISO logo and any accreditation body mark (such as the UKAS mark) can only be used by organisations that hold a current certificate from an accredited certification body. Using these marks without authorisation is a misrepresentation.
Is there an official register of ISO 27001 certified organisations?
There is no single global register, but accreditation bodies and certification bodies maintain searchable registers of current certificates. UKAS maintains a register of UK certificates; IAF (International Accreditation Forum) member bodies maintain national registers. Customers can verify your certification status through these channels.
If we self-assess now, can we transition to third-party certification later?
Yes. Many organisations begin with a gap assessment or internal audit against ISO 27001, use this to drive implementation, and then proceed to formal certification once they are confident in their readiness. A self-assessment is a useful starting point; it simply does not produce a certificate.
Does ISO 27001 certification expire?
Yes. Third-party certificates are valid for three years, subject to annual surveillance audits. If the surveillance audits are not conducted or the recertification audit is not completed at the end of year three, the certificate lapses. A lapsed certificate is equivalent to no certificate.
What is the difference between the certification body and the accreditation body?
The certification body (e.g. BSI, Bureau Veritas, LRQA, NQA) is the organisation that audits your ISMS and issues the certificate. The accreditation body (e.g. UKAS in the UK, DAkkS in Germany, ANAB in the US) is the body that verifies that the certification body is competent and operates to the required standards. Accreditation of the certification body is what gives the certificate credibility — a certificate from a non-accredited body carries significantly less weight.