Choosing a certification body is one of the decisions that organisations leave until too late — and then rush. It matters more than people realise, both for the quality of the audit and for whether your certificate will be accepted by the customers you’re pursuing.
This guide walks you through what to look for, the UKAS question, and how to compare providers effectively.
This guide is written around UK certification bodies, but the same principles apply internationally, with UKAS replaced by the relevant national accreditation body.
What Is a Certification Body?
A certification body (sometimes called a registrar or a CB) is the independent third-party organisation that audits your ISMS and, if it meets the requirements of ISO 27001, issues your certificate.
They are not connected to ISO itself — ISO publishes the standard, but it doesn’t certify anyone. Certification bodies are separate commercial or non-profit organisations that are themselves assessed for competence.
The UK has dozens of certification bodies offering ISO 27001 certification, ranging from large multinationals to smaller specialist firms.
UKAS-Accredited vs Non-Accredited: The Key Decision
The most important choice you’ll make is whether to use a UKAS-accredited certification body or a non-UKAS-accredited one.
UKAS (United Kingdom Accreditation Service) is the national accreditation body for the UK. When a certification body holds UKAS accreditation for ISO 27001, it means UKAS has independently assessed the CB’s auditors, processes, and quality management against the international standard for certification bodies (ISO/IEC 17021-1).
A UKAS-accredited certificate carries the UKAS mark — a triangular logo that appears on the certificate alongside the CB’s own logo.
Why does it matter?
Enterprise customers often specify UKAS-accredited certification. If you’re pursuing ISO 27001 to satisfy a customer requirement, read their specification carefully. Many enterprise procurement policies and supplier questionnaires require UKAS-accredited certification specifically — a non-UKAS certificate may not satisfy them.
Government contracts typically require it. UK government procurement frameworks generally expect UKAS-accredited certification for ISO 27001.
Some industries effectively require it. Financial services, healthcare, and defence tend to expect UKAS accreditation as a baseline.
Non-UKAS certification is still real certification — but it carries less weight. A non-accredited CB can still conduct a genuine, rigorous audit and issue a valid ISO 27001 certificate. But because there’s no independent oversight of the CB itself, customers can’t easily verify the rigour of the process. For many customers, a non-UKAS certificate is a yellow flag.
When might non-UKAS be fine?
If your primary goal is internal assurance — demonstrating security maturity to yourself and your team — rather than satisfying external customer requirements, a non-UKAS CB can be a lower-cost option. Some smaller specialist CBs produce excellent audits without UKAS accreditation.
If your customers haven’t specified UKAS and are unlikely to, it may also be acceptable. But if you’re not certain, default to UKAS — it gives you maximum flexibility.
How to Find UKAS-Accredited Certification Bodies
UKAS maintains a public directory of all accredited certification bodies at ukas.com/find-an-organisation. You can search by standard (ISO 27001) and filter to UK bodies.
Some of the well-established UKAS-accredited CBs offering ISO 27001 in the UK include: BSI, Bureau Veritas, Alcumus ISOQAR, NQA, Intertek, QMS International, and Amtivo (formerly Socotec). This list is not exhaustive and the landscape does change, so always verify against the UKAS register.
What to Compare When Shortlisting
Once you have a list of accredited CBs, here’s how to evaluate them:
Price
Get at least two or three quotes. Pricing varies significantly — not always because of quality differences, but because of different pricing models, overhead structures, and competitive positioning.
Ask for a complete quote that includes Stage 1, Stage 2, and at least one surveillance audit so you can compare like-for-like. Some CBs include Stage 1 in their overall price; others quote it separately.
Be wary of unusually low quotes — they sometimes reflect compressed audit time, which means less rigorous scrutiny and a less valuable certificate.
Auditor experience in your sector
An ISO 27001 audit is better when the auditor understands your sector. An auditor who has experience with SaaS companies will ask better questions about development environments, shared responsibility models, and cloud configuration than a generalist. Ask the CB what experience their auditor has in your industry.
Audit format
Will Stage 2 be conducted on-site or remotely? Both are standard — many CBs moved to remote auditing during the pandemic and the quality has generally been maintained. For remote-first organisations with no physical office, remote audit is clearly preferable. Check what the CB’s default approach is and whether you have a choice.
Scheduling and availability
Audit scheduling can be a bottleneck. Ask for typical lead times for Stage 1 and Stage 2 slots. Some CBs have significant waiting lists, especially at certain times of year (Q4 is typically busy). If you have a certification deadline, confirm the CB can meet it before committing.
The relationship
The certification relationship lasts at least three years. It helps if the CB is responsive, clear about what they need, and not bureaucratic to deal with. First impressions — how quickly they respond to your enquiry, how clearly they communicate — are often a reasonable proxy for what the ongoing relationship will be like.
Questions to Ask a Potential Certification Body
When you contact CBs for quotes, these are useful questions to ask:
- “Are you UKAS-accredited for ISO 27001?” (verify on ukas.com)
- “Who would be our auditor? What is their background and sector experience?”
- “What is your typical lead time from contract to Stage 1?”
- “What is the gap you’d recommend between Stage 1 and Stage 2?”
- “Do you conduct Stage 2 on-site or remotely?”
- “What happens if we receive a nonconformity — how does the closing process work?”
- “What’s included in your surveillance audits and how are they priced?”
- “Can we see an example certificate?”
The quality of a CB’s responses to these questions is itself informative.
One More Thing: Don’t Leave It Until the End
A common mistake is to wait until documentation is complete before contacting certification bodies. By then, your preferred CB may not have availability when you need it, and you’ll have lost weeks waiting for a slot.
Contact CBs early — ideally once you’ve completed your gap analysis and have a reasonable sense of your timeline. Get quotes, ask questions, and make your choice while you’re still building your documentation. Most CBs will contract with you in advance and confirm scheduling without requiring everything to be ready immediately.