When you are choosing a certification body for ISO 27001, one of the first things you will encounter is the question of accreditation. Some certification bodies hold accreditation from UKAS (the United Kingdom Accreditation Service) or from its equivalent in other countries. Others do not. The difference in cost can be significant. Whether the difference matters depends entirely on why you want the certificate.
This guide explains what UKAS accreditation actually means, when it is essential, when it is less important, and what risks come with choosing a non-accredited body.
What UKAS Accreditation Means
UKAS is the national accreditation body for the United Kingdom, appointed by the UK government. Its role is to assess and accredit organisations that perform conformity assessment activities — including certification bodies that issue ISO management system certificates.
When a certification body holds UKAS accreditation, it means that UKAS has independently assessed that body’s competence, impartiality, and consistent operation against international standards for certification bodies — specifically ISO/IEC 17021-1. The certification body is assessed periodically to confirm that its auditors are qualified, its processes are sound, and its decisions are made impartially.
A certificate issued by a UKAS-accredited body carries the UKAS mark alongside the certification body’s own mark. This combination signals that the certificate was issued through a process that has itself been independently verified.
Internationally, each country has its own national accreditation body — UKAS in the UK, DAkkS in Germany, ANAB in the USA, COFRAC in France, and others. These bodies are all members of the International Accreditation Forum (IAF), which operates a Multilateral Recognition Arrangement (MLA) ensuring that accreditations are mutually recognised across member countries. A certificate from a UKAS-accredited body is therefore recognised as equivalent to one from a DAkkS-accredited body or an ANAB-accredited body.
[Figure: Anatomy of a UKAS-Accredited ISO 27001 Certificate. What to look for when reviewing your own certificate or verifying a supplier's: the certification body's logo and its own certification mark, the UKAS accreditation mark, and the accreditation reference number.]
What a Non-Accredited Certification Body Is
A non-accredited certification body issues certificates that say “ISO 27001 certified” but without the oversight of a national accreditation body. There is no independent verification that the certification body operates competently, applies the standard consistently, or makes impartial decisions.
This does not mean that all non-accredited certificates are worthless — some non-accredited bodies operate to high standards and conduct thorough audits. But there is no external check on this, which means the quality of the certificate is entirely dependent on the individual body’s internal standards and culture.
Non-accredited certification is typically cheaper. Audit fees may be significantly lower than those from UKAS-accredited bodies. For organisations that have internal reasons to implement ISO 27001 as a framework but do not face external pressure to demonstrate certification, this cost difference might be the deciding factor.
When UKAS Accreditation Is Non-Negotiable
In many commercial contexts, UKAS (or equivalent national accreditation) is not a preference — it is a requirement. Knowing when this is the case saves you from investing in a certificate that will be rejected by the parties that matter.
Enterprise procurement and vendor security assessments. Most large organisations, when they specify ISO 27001 certification as a supplier requirement, mean a certificate from an accredited body. A procurement questionnaire that asks “Do you hold ISO 27001 certification from an accredited certification body?” specifically distinguishes between accredited and non-accredited. Answering yes while holding only a non-accredited certificate creates significant contractual and reputational risk.
UK public sector contracting. Government and public sector frameworks increasingly specify ISO 27001 certification from a UKAS-accredited body, or reference Cyber Essentials alongside a requirement for independently verified certification. UKAS accreditation is the assumed standard in this context.
Financial services and regulated industries. Regulated sectors with oversight from the FCA, PRA, or equivalent bodies tend to require independently verified certification. Auditors and regulators distinguish between accredited and non-accredited certificates when reviewing supplier controls.
Customers who verify your certificate. Enterprise customers who take security seriously will check your certificate’s status. UKAS and other national accreditation bodies maintain searchable online registers of accredited certification bodies and their issued certificates. A certificate from a non-accredited body will not appear in these registers, and that absence is visible to any sophisticated buyer.
International markets. If you are selling to customers outside the UK — particularly in EU markets, the Middle East, or regulated sectors globally — a certificate from an IAF MLA member-accredited body is the recognised standard. A certificate from a non-accredited body is unlikely to satisfy international procurement requirements.
When Non-UKAS Certification Might Be Acceptable
There are genuine scenarios where non-accredited certification is a reasonable choice — though they are narrower than some organisations assume.
Internal assurance only. If your organisation is implementing ISO 27001 to improve its own security posture, to create a structured management system, or to satisfy an internal board requirement — and you face no external pressure to demonstrate accredited certification — then the formal accreditation of the certifying body matters less than the quality of the assessment. A non-accredited body that conducts a rigorous audit may be perfectly adequate for this purpose.
Smaller suppliers in less-regulated supply chains. Some supply chain contexts are less formalised than enterprise or government procurement. A smaller customer asking whether you have “ISO 27001 or something similar” may not scrutinise which body issued the certificate. This is less common than it used to be, as security expectations across supply chains have risen.
Proof-of-concept before formal certification. Some organisations use a non-accredited assessment as a structured gap assessment before pursuing accredited certification — essentially a dry run. This is a legitimate use, provided it is not presented externally as equivalent to accredited certification.
The Risk of Getting This Wrong
The primary risk of choosing a non-accredited body when you need accredited certification is discovering this mismatch after the fact — once a contract has been lost, a procurement question has been answered incorrectly, or a customer relationship has been damaged.
This happens more often than organisations expect. The sequence is typically: organisation invests in ISO 27001 implementation, engages a lower-cost non-accredited body, receives a certificate, presents it in response to a procurement requirement, and is then asked by the customer to clarify which accreditation body certified the certifying body. At this point, the gap becomes apparent — and the options are expensive: recertify with an accredited body (repeating audit fees and potentially the implementation work), or lose the contract.
The cost saving from using a non-accredited body — typically a few thousand pounds in audit fees — is rarely proportionate to this risk if the certificate is intended for commercial use.
How to Verify a Certification Body’s Accreditation
Before engaging a certification body, verify their accreditation status directly. This takes less than five minutes and removes any ambiguity.
In the UK: UKAS maintains a searchable register at ukas.com. Search for the certification body by name and confirm that they hold accreditation specifically for ISO/IEC 27001 certification (the scope of accreditation matters — some bodies are accredited for other standards but not for information security management systems).
Internationally: The IAF maintains a database of accreditation bodies at iaf.nu, which links to national registers. If your chosen body claims accreditation from a specific national body, verify this through the national body’s own register.
Look for the mark. A certificate from an accredited body will display both the certification body’s mark and the accreditation mark (the UKAS mark in the UK). The accreditation mark includes the accreditation body’s logo and a reference number. A certificate without an accreditation mark is not from an accredited body.
The Major UKAS-Accredited Certification Bodies
Several well-established certification bodies hold UKAS accreditation for ISO 27001. The most widely recognised in the UK include BSI (British Standards Institution), Bureau Veritas, LRQA (formerly Lloyd’s Register Quality Assurance), NQA, Alcumus, and SGS. There are others — the UKAS register is the authoritative source.
Choosing a UKAS-Accredited ISO 27001 Certification Body
All hold UKAS accreditation; the differentiators are audit approach, sector depth, pricing, and commercial terms.
These bodies vary in their audit approach, customer service, pricing, sector expertise, and commercial terms. Comparing two or three on these dimensions before committing is worthwhile. Accreditation status being equal, the differentiators are audit quality, auditor experience in your sector, commercial flexibility, and how the body handles findings and corrective action closure.
Common Mistakes
Assuming “ISO 27001 certified” is sufficient without specifying accreditation. When a customer or contract requirement says “ISO 27001 certified,” most procurement teams mean accredited certification. If the requirement is not explicit on this point, clarify with your customer before assuming it is met.
Choosing a non-accredited body because of cost without checking commercial requirements first. The cost saving is real, but it is irrelevant if the certificate cannot be used commercially. Confirm what your target customers and contracts actually require before choosing a certification body.
Not verifying a certification body’s accreditation scope. Some bodies are UKAS-accredited for quality management (ISO 9001) but not for information security management (ISO 27001). Accreditation is standard-specific. Verify that the accreditation covers ISO 27001 specifically.
Assuming that a rigorous audit from a non-accredited body is equivalent to accredited certification. The quality of an individual audit and the accreditation status of the certifying body are separate questions. Even a thorough non-accredited audit does not produce a certificate that will be accepted in contexts requiring accredited certification.
FAQs
If I already hold a non-accredited ISO 27001 certificate, can I transition to accredited certification?
Yes. Engaging an accredited certification body will typically involve a fresh Stage 1 and Stage 2 audit, as the new body needs to assess your ISMS independently. Your existing documentation and controls will speed up the process, but there is no abbreviated pathway based on a non-accredited certificate. Some accredited bodies offer a gap assessment service that helps you understand what additional work is needed before the formal audit.
Do all countries have a national accreditation body equivalent to UKAS?
Most do — all IAF member countries have designated national accreditation bodies. The extent to which local accreditation is required or preferred varies by market. In the EU, national accreditation bodies operate under Regulation (EC) No 765/2008, which gives them a formal legal status. If you are targeting markets outside the UK and EU, check whether local procurement requirements specify a particular national accreditation body.
Is a UKAS-accredited certificate valid internationally?
Yes — certificates from UKAS-accredited bodies are recognised internationally through the IAF Multilateral Recognition Arrangement. This means that a certificate issued by a UKAS-accredited body such as BSI or LRQA is recognised as equivalent to certificates from bodies accredited by DAkkS, ANAB, COFRAC, and other IAF MLA members. International customers can verify the accreditation chain through the IAF database.
Can a non-accredited certificate become UKAS-accredited?
No. Accreditation applies to the certification body, not to individual certificates. A certificate is either issued by an accredited body or it is not. An existing non-accredited certificate cannot be retrospectively upgraded. Achieving accredited certification requires an audit by an accredited body.
Are there sectors where even UKAS accreditation is not sufficient?
Some highly regulated sectors have additional requirements beyond ISO 27001 certification. The UK government’s Cyber Essentials Plus scheme, for example, involves a separate technical verification process alongside any management system certification. Certain defence-related contracts may require specific government assurance schemes that go beyond ISO 27001. In these cases, ISO 27001 certification is typically one component of a broader assurance requirement rather than the sole requirement.