ISO 27001 for Accountants and Financial Service Firms
Financial services and accountancy firms face relentless pressure to protect sensitive client information, maintain regulatory compliance, and demonstrate robust information security. The Financial Conduct Authority, the Information Commissioner’s Office, and professional bodies including the ICAEW and ACCA have set high expectations for how firms must safeguard data. For many firms, ISO 27001 certification has become not merely a competitive advantage but an essential requirement to satisfy regulatory obligations, retain clients, and defend against the increasingly sophisticated threats targeting the financial services sector.
This article explores why financial services firms and accountancy practices pursue ISO 27001 certification, how the standard aligns with the UK’s regulatory framework, which information assets demand the greatest protection, and how a thoughtfully scoped ISO 27001 program supports both security and regulatory supervision.
Why Financial Services Firms Pursue ISO 27001
Regulatory and Compliance Drivers
The regulatory case for ISO 27001 in financial services has become compelling. The FCA’s Senior Management Arrangements, Systems and Controls sourcebook (SYSC) requires firms to maintain effective governance, risk management, and internal controls. Principle 3 of the FCA’s Principles for Businesses establishes that firms must take reasonable care to organise and control their affairs responsibly and effectively, with adequate risk management. SYSC rules then operationalise this by requiring firms to put in place systems and controls appropriate to the nature, scale, and complexity of their business activities. Whilst SYSC does not mandate ISO 27001 specifically, it demands a comprehensive, documented, and regularly tested information security program—exactly what a properly implemented ISO 27001 certification delivers.
The UK GDPR and the Information Commissioner’s Office guidance reinforce this expectation. Article 32 of the UK GDPR requires organisations to implement appropriate technical and organisational measures to protect personal data. The ICO’s own guidance on security of personal data and accountability emphasises that organisations should adopt recognised standards and frameworks when managing information security. For firms handling personal data on behalf of clients, this obligation extends across the full data lifecycle: collection, processing, storage, transmission, and deletion.
For firms holding client money or managing investments, the Client Assets Sourcebook (CASS) introduces additional requirements. CASS 7 sets out detailed rules for safeguarding client money and client assets. These rules require firms to maintain systems and controls that prevent the loss or misappropriation of client money and assets. Demonstrating compliance with CASS often requires evidence of segregation controls, access restrictions, and robust audit trails—all areas where ISO 27001 controls contribute meaningfully.
The FCA’s operational resilience requirements, introduced in policy statement PS21/3 and now embedded in SYSC, extend compliance obligations beyond confidentiality and integrity to include the availability and recoverability of critical systems and data. Financial services firms must now identify important business functions, map the technology and people that support them, and maintain the ability to deliver these functions even during periods of severe stress. ISO 27001’s requirements for business continuity and disaster recovery planning (controls 5.29 and 5.30) provide a direct pathway to demonstrating compliance with this emerging obligation.
Client Expectations and Competitive Necessity
Beyond formal regulation, clients increasingly expect evidence of information security investment. When accountants or wealth managers seek to win audit contracts or discretionary fund management mandates, prospective clients now routinely ask about the firm’s information security practices. Many mid-market and large organisations now require their suppliers—including their accountants and financial advisors—to hold formal security certifications. Some clients require audits of supplier information security controls, requesting ISAE 3402 Type II reports or SOC 2 assessments. For firms without ISO 27001 certification, the inability to provide such evidence becomes a business development handicap.
Professional indemnity insurers have also begun to incorporate information security as a factor in underwriting decisions. Firms demonstrating a formal, certified approach to information security often qualify for lower premiums or improved coverage terms. Over a period of several years, this financial benefit alone can justify the investment in achieving and maintaining certification.
The Regulatory Context
FCA SYSC and the Governance Framework
The FCA’s SYSC sourcebook establishes the overarching governance and control framework within which financial services firms must operate. SYSC 1 sets out general principles: firms must ensure that their systems and controls are appropriate to their business, reflect risks arising from the firm’s operations, and are documented and regularly reviewed. SYSC 2 applies these principles to systems and controls governance, requiring senior management to be responsible for the establishment and maintenance of such systems. SYSC 3 addresses business continuity, requiring firms to maintain, test, and periodically review arrangements to ensure that critical functions can continue during severe disruptions.
Importantly, whilst SYSC does not prescribe specific technical measures, it establishes clear accountability. The Senior Managers Regime under SMCR requires individuals in senior positions to take personal responsibility for the management of risk. A data breach, a security incident, or a failure of information security governance can trigger investigations by the FCA’s Enforcement Division and result in fines for both the firm and individuals. This regulatory reality makes a demonstrable, certified information security program not merely advisable but essential to discharge senior management accountability.
UK GDPR and the Information Commissioner’s Office
The UK GDPR imposes direct obligations on organisations that process personal data. Under Article 5, personal data must be processed lawfully, fairly, and transparently; must be collected for specified, explicit, and legitimate purposes; must be accurate and kept up to date; and must be kept in a form that permits identification of individuals for no longer than necessary. Article 32 then requires organisations to implement appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing, accidental loss, destruction, or damage.
The ICO’s guidance clarifies that “appropriate” measures are not fixed but contextual. For a financial services firm processing large volumes of sensitive personal data, including special categories such as health information from vulnerable clients, “appropriate” measures must be comprehensive. The ICO explicitly references ISO 27001 in its guidance on security of personal data as an example of a recognised standard that organisations can adopt to demonstrate compliance with Article 32. Achieving ISO 27001 certification therefore provides strong evidence of compliance with UK GDPR obligations.
Client Assets Sourcebook and Money Regulation
CASS 7 governs the handling of client money and client assets. The rules establish that client money must be held in a separate bank account, segregated from the firm’s own money. Client assets (such as securities) must be registered in the client’s name or a nominee name, and records of client assets must be kept and regularly reconciled. The rules also require firms to maintain an orderly system of accounting records and to keep records for six years.
Breaches of CASS rules—such as mixing client money with firm money, or failing to maintain accurate records—attract severe sanctions from the FCA. From a systems and controls perspective, CASS compliance relies on strong access controls (ensuring that only authorised personnel can record client money transactions), audit trails (enabling firms to track all movements of client funds), encryption of sensitive records, and business continuity planning (ensuring that records can be recovered even if systems fail). ISO 27001 controls directly support compliance with these CASS obligations.
ISAE 3402 and Supplier Control Assessments
Many large clients now require their suppliers—including accountants and financial advisors—to provide audited reports on their systems and controls. The standard for such reports is ISAE 3402 (International Standard on Assurance Engagements), which specifies the format and content of control reports. An ISAE 3402 Type II report, which is the more comprehensive variant, examines the design and operating effectiveness of controls over a period of time. For firms that serve institutional clients, an ISAE 3402 Type II report provides tangible evidence of control effectiveness and can be a key component of winning new business.
ISO 27001 certification does not replace the need for an ISAE 3402 report, but it substantially simplifies the process of preparing one. The auditor conducting an ISAE 3402 assessment will examine the same control domains—access controls, cryptography, supplier management, incident management, business continuity—that are central to ISO 27001. A certified firm has already documented these controls, tested them, and had them audited by an independent certification body. The ISAE 3402 auditor can therefore focus on testing the effectiveness of controls in practice, rather than starting from scratch to map controls.
Key Information Assets in Financial Services and Accountancy
Before implementing ISO 27001 controls, a firm must identify and classify its information assets. For financial services firms and accountancy practices, the most critical information assets include the following.
Client financial data forms the core asset. For discretionary fund managers, this includes client investment portfolios, transaction records, and valuations. For accountancy practices, this includes client financial statements, tax returns, payroll records, and detailed financial analysis. This data is both commercially sensitive (valuable to competitors) and sensitive under data protection laws. Loss of confidentiality could expose clients to fraud or identity theft. Loss of integrity could undermine audit conclusions or investment decisions. Loss of availability could disrupt critical business processes.
Trading data for firms that execute transactions on behalf of clients includes orders, execution records, trade confirmations, and settlement instructions. Compromised trading data could lead to incorrect settlements, loss of client assets, or regulatory breaches. This asset demands strong access controls, comprehensive audit trails, and rapid detection of anomalies.
Client personal data includes names, addresses, contact details, and—for sensitive client segments such as vulnerable persons—special categories of personal data such as health information, financial circumstances, or family status. Under the UK GDPR, special category data demands heightened protection. The loss of such data to unauthorised parties could cause significant harm to clients and expose the firm to substantial ICO enforcement action.
Client money records represent the documentary evidence of client funds held by the firm. These records are the basis for reconciliation and dispute resolution. If records are corrupted, deleted, or falsified, clients have no recourse and the firm has no defence against allegations of misappropriation. Accordingly, these records demand the highest levels of integrity protection, including encryption, access controls, and immutable audit trails.
Regulatory submissions including regulatory notifications, returns to the FCA, and correspondence with supervisors contain sensitive information about the firm’s business, risks, and regulatory affairs. Loss of confidentiality could provide competitors with strategic advantage. Loss of availability could delay regulatory reporting and trigger FCA enforcement action.
Audit working papers for accountancy practices and internal audit teams document the basis for audit conclusions. These papers typically contain sensitive client financial information, audit findings, and management discussions. They are protected by professional privilege in many jurisdictions, and their loss or disclosure could expose clients to harm and expose the firm to claims of breach of professional duty.
Identifying these assets is the first step in scoping information security requirements. The next step is to classify them according to sensitivity and criticality, assign responsibility for their protection, and design controls appropriate to the risks.
Critical Annex A Controls for Financial Services
ISO 27001 Annex A contains 93 controls organised across 14 control groups. For financial services firms and accountancy practices, several controls are particularly important.
Access control (5.15 to 5.18) addresses who can access information systems and data. Control 5.15 requires that access to systems and applications must be granted on the basis of a documented decision, based on the principle of least privilege (users receive only the permissions required to carry out their assigned role). Control 5.16 requires management of user access rights, including registration, de-registration, and access review processes. For financial services, these controls are critical. Client money handlers must have access only to the specific client accounts and transactions they are authorised to process. Traders must have access only to the markets and instruments they are authorised to trade. Accountants must have segregated access to specific client files. A breach of access controls could permit unauthorised transactions, theft of assets, or disclosure of client data.
Cryptography (8.24) addresses the use of encryption and cryptographic controls to protect information. The control requires that information must be protected by encryption when transmitted over untrusted networks, and that encryption keys must be managed securely. For financial services firms, cryptographic protection is essential for protecting data in transit (such as client instructions transmitted via email or over public networks) and data at rest (such as client records stored in cloud systems or backup locations). Many regulatory standards and client expectations now mandate encryption of personal data and sensitive financial information.
Supplier management (5.19 to 5.22) addresses the governance of relationships with external service providers. Control 5.19 requires that information security requirements must be defined in agreements with suppliers, such as cloud service providers, payment processors, or outsourced IT support. Control 5.20 requires management of supplier information security through continuous monitoring and review. For financial services firms, supplier management is increasingly important as firms move workloads to cloud platforms and outsource critical functions. The firm remains ultimately responsible to its clients and regulators for the security of information, even when it is processed by a third party. Control 5.22 extends this to the management of supplier incidents: if a supplier suffers a security incident, the firm must be able to detect it, assess its impact, and take remedial action.
Incident management (5.26) requires organisations to establish processes to detect, report, investigate, and respond to information security incidents. The control requires that incidents must be assessed to determine the type and severity of the incident and the impact on the organisation and its stakeholders. For regulated firms, incident management is intertwined with regulatory notification obligations. Under CASS 8, firms must notify the FCA within two business days of any incident that could give rise to significant loss or material disruption. Under GDPR, the firm must notify the ICO within 72 hours of becoming aware of a personal data breach. A robust incident management process, as required by control 5.26, directly supports compliance with these notification obligations and enables the firm to minimise harm.
Business continuity (5.29 and 5.30) requires organisations to maintain the ability to deliver critical services even during periods of disruption. Control 5.29 requires that the organisation must identify critical business functions, assess the resources required to support them, and plan for continuity during periods of severe disruption. Control 5.30 requires that business continuity arrangements must be regularly tested to ensure they work in practice. For financial services firms, business continuity is now a core regulatory obligation under FCA SYSC 3 and the operational resilience requirements. Firms must ensure that critical functions (such as settlement of client trades or processing of client withdrawal requests) remain available even during periods of system outages, cyber attacks, or other severe disruptions. ISO 27001 controls on business continuity provide the foundation for demonstrating compliance with these operational resilience obligations.
ISO 27001 and FCA Operational Resilience
The FCA’s operational resilience requirements, introduced in 2022, mark a significant evolution in regulatory expectations. Rather than requiring firms to prevent disruptions (which is unrealistic), the FCA now requires firms to demonstrate that they can absorb disruptions and continue delivering critical services. This is fundamentally a systems and controls question.
Firms must now identify their “important business functions”—defined as functions the loss of which would cause severe disruption to clients or market functioning. For each important business function, firms must map the technology and people that support it, identify the points of vulnerability, and develop plans to continue the function even if key systems or personnel are unavailable. This is sometimes termed “impact tolerance” analysis: the firm must define the maximum period for which it can tolerate disruption to each important business function, and then ensure that its recovery capabilities meet that tolerance.
ISO 27001 controls on business continuity and incident management support this operational resilience framework. The controls require that firms identify critical services and resources, conduct risk assessments to identify potential disruptions, develop recovery plans with documented recovery time objectives (RTO), and test recovery plans regularly. By implementing these controls, firms create the documentary evidence and practical capabilities that the FCA now requires.
ISO 27001 and FCA Supervision
The FCA’s supervisory approach for financial services firms now routinely includes examination of information security governance. Supervisors examine whether firms have senior management accountability for information security, whether the board has visibility of information security risks, and whether the firm has appropriate resources devoted to information security. Supervisors also examine the outcomes: has the firm experienced security incidents? Has it had personal data breaches? Have there been misstatements of client records or loss of client assets due to information security failures?
For firms under intensive supervision (those designated as “higher risk” or subject to close monitoring), the FCA may conduct detailed reviews of information security governance and controls. Supervisors examine access control policies, user access audits, incident response procedures, and business continuity plans. They examine whether the firm can demonstrate compliance with relevant controls such as segregation of duties, audit trails, and encryption.
ISO 27001 certification provides a concrete foundation for these supervisory interactions. It demonstrates that the firm has committed to a recognised standard, has documented its policies and procedures, and has undergone independent audit of control design and operating effectiveness. Supervisors can therefore have greater confidence in the adequacy of the firm’s information security program and can focus their examination on outcomes and regulatory-specific requirements rather than on foundational control design.
Information Security for Accountancy Practices
Accountancy firms face distinctive information security challenges. Unlike regulated financial services firms, accountancy practices are not directly regulated by the FCA. However, professional bodies including the ICAEW, ACCA, and ACA set expectations for information security in accountancy practice.
The ICAEW’s guidance emphasises that practitioners must protect client information and maintain professional confidentiality. The guidance recognises that modern accountancy increasingly involves cloud-based systems and remote working, both of which introduce information security risks. ICAEW members are expected to have information security governance appropriate to the scale and nature of their practice, even if they are not formally certified.
For accountancy practices that aspire to serve mid-market and larger clients, ISO 27001 certification is increasingly essential. Large clients conducting vendor management due diligence now routinely request evidence of formal information security certifications. Some clients require SOC 2 reports; others accept ISO 27001 as evidence of equivalent control maturity.
Accountancy practices also face distinctive asset protection challenges. Audit working papers contain detailed financial information about the client’s business, which is often highly sensitive. If working papers are compromised, the client could suffer competitive harm. If working papers are altered or deleted, the integrity of the audit is compromised and the firm’s professional indemnity could be at risk. ISO 27001 controls on access control, cryptography, and incident management directly address these risks.
Furthermore, audit independence requires that auditors have unfettered access to the information they need to conduct the audit, but not more than that. This creates a distinctive access control challenge: the firm must restrict access to client files to the engagement team members who are authorised to conduct the audit, but must do so in a way that does not compromise the auditor’s ability to obtain the evidence necessary to support the audit opinion. ISO 27001’s emphasis on access control based on a documented decision and the principle of least privilege supports this balance.
Common Mistakes in Implementing ISO 27001 for Financial Services
Many firms make avoidable errors when implementing ISO 27001 in the financial services context.
The first mistake is treating FCA obligations and ISO 27001 certification as separate exercises. Some firms approach ISO 27001 certification as a compliance checkbox, developing controls purely to satisfy the certification standard without considering how those controls support regulatory obligations. Conversely, other firms develop responses to FCA requirements without recognising that these same requirements are directly addressed by ISO 27001 controls. The effective approach is to view ISO 27001 as the vehicle for meeting both regulatory obligations and information security best practice. Controls should be designed to address the FCA’s SYSC requirements, UK GDPR obligations, and other regulatory requirements, all whilst meeting ISO 27001’s control requirements.
The second mistake is inadequate data classification. Some firms implement access controls uniformly across all client data, rather than classifying information according to sensitivity and criticality. This approach leads to either overly restrictive controls (which hinder business operations) or inadequately protective controls (which leave sensitive information exposed). The effective approach is to classify information according to sensitivity and criticality, define distinct control requirements for each classification level, and then implement controls that align. Client money records, for example, should demand higher integrity protection than routine client correspondence.
The third mistake is treating supplier management as a one-time activity. Some firms conduct initial due diligence of cloud service providers or outsourced suppliers but then fail to maintain ongoing oversight. If a supplier experiences a security incident, the firm may not learn of it. If a supplier’s security posture degrades over time, the firm may not detect it. The effective approach is to establish contractual obligations requiring suppliers to notify the firm of security incidents, to conduct periodic re-assessments of supplier security, and to maintain visibility of any security incidents affecting suppliers.
The fourth mistake is scoping ISO 27001 too broadly or too narrowly. Some firms attempt to include their entire operations within the ISO 27001 scope, leading to an overwhelming compliance burden. Others exclude critical assets from scope, such as email systems or file sharing, leading to control gaps. The effective approach is to scope the certification to include all systems and processes that handle critical information assets (client money records, client personal data, trading data), and to define the scope clearly in the Statement of Applicability.
Frequently Asked Questions
Does the FCA mandate ISO 27001 certification for regulated financial services firms?
The FCA does not mandate ISO 27001 certification specifically. However, the FCA’s SYSC requirements demand that firms maintain systems and controls appropriate to their business. These requirements are broadly equivalent to the requirements of ISO 27001. For firms that pursue ISO 27001 certification, the standard provides a clear framework for demonstrating compliance with SYSC obligations and a mechanism for subjecting controls to independent audit. In practice, most mid-market and larger financial services firms that conduct regulated activities now pursue ISO 27001 certification, recognising it as a practical pathway to demonstrating compliance with both regulatory obligations and recognised best practice. Smaller firms may operate compliant systems without formal ISO 27001 certification, provided they can demonstrate that their controls are documented, regularly reviewed, and appropriate to their business.
How does ISO 27001 relate to PCI DSS and DORA?
PCI DSS is a payment card security standard maintained by the Payment Card Industry. It applies to organisations that store, process, or transmit payment card data. ISO 27001 and PCI DSS address overlapping control domains, particularly access control, cryptography, and incident management. If a firm is subject to both PCI DSS and ISO 27001, it can often align the controls such that a single control design addresses both standards. DORA (the Digital Operational Resilience Act) is a new EU regulation that applies to financial services firms. DORA’s requirements for information and communications technology (ICT) security and operational resilience are closely aligned with ISO 27001 and with the FCA’s operational resilience requirements. For firms operating in the EU or serving EU clients, DORA should be considered alongside UK regulatory requirements when designing the ISO 27001 scope.
Do financial services firms need to provide ISO 27001 audit reports to clients?
No, ISO 27001 certification is not required to be disclosed to clients. However, many clients now expect evidence of information security controls and may request reports such as ISAE 3402 (a control report) or SOC 2 (a US-based control and compliance report). Some clients accept an ISO 27001 certificate and supplementary documentation as evidence of control maturity. The firm should clarify what evidence of controls is required by its major clients and ensure that its information security program is designed and documented in a way that can be readily evidenced to clients through suitable reports.
How should a multi-regulated firm (e.g., an accountancy practice that also operates a wealth management subsidiary) scope ISO 27001?
A multi-regulated firm should define the ISO 27001 scope to encompass all regulated activities and associated systems and data. If the accountancy practice and wealth management subsidiary operate separate information systems and have different control requirements, it may be practical to pursue separate ISO 27001 certifications for each entity. Alternatively, the firm can pursue a group certification that covers both entities, with a detailed Statement of Applicability explaining how controls address the requirements of each regulatory regime. The approach should be driven by the firm’s organisational structure and the need to clearly identify the systems and controls relevant to each regulatory obligation.
Is it necessary to encrypt all client data, or only personal data?
The requirement to encrypt data is not determined solely by whether it is personal data under GDPR. The firm should classify all client information according to sensitivity and criticality, and define encryption requirements accordingly. Client personal data should generally be encrypted, particularly special category data. Client financial data and trading data may also require encryption, depending on the sensitivity and the risks to the client if the data is disclosed. The requirement to encrypt data in transit over untrusted networks is more universal: information transmitted over the internet or other untrusted networks should generally be encrypted to protect it from interception. The firm should conduct a risk assessment to determine the appropriate encryption strategy for different categories of information and document the rationale in the Statement of Applicability.
Conclusion
For financial services firms and accountancy practices, ISO 27001 certification has evolved from a nice-to-have credential to an essential component of regulatory compliance and business development. The FCA’s SYSC requirements, the UK GDPR, and the expanding expectations of clients and professional bodies all converge on the need for a comprehensive, documented, and regularly tested information security program. ISO 27001 provides a recognised framework for such a program and a mechanism for subjecting it to independent audit.
The challenge for firms is to scope ISO 27001 appropriately, to design controls that address both regulatory obligations and information security risks, and to maintain the program over time as business circumstances and threats evolve. Firms that take this challenge seriously, and that view ISO 27001 not as a compliance checkbox but as a vehicle for building a genuinely secure operating environment, will position themselves well for regulatory supervision, for client confidence, and for protection against increasingly sophisticated threats.