What Is a UKAS-Accredited ISO 27001 Certificate?

Learn what a UKAS accredited ISO 27001 certificate is, and who issues them in the UK.


When an organisation says it holds ISO 27001 certification, the value of that statement (to anyone in the know) depends on who issued the certificate.

A UKAS-accredited ISO 27001 certificate is one issued by a certification body that has itself been assessed and approved by the United Kingdom Accreditation Service. Understanding what that means — and why enterprise buyers increasingly specify it — is important for anyone evaluating a supplier’s security credentials or pursuing certification for commercial purposes.


The Certificate Itself

An ISO 27001 certificate is a formal document issued by a certification body following a successful audit of an organisation’s Information Security Management System (ISMS). It states that the organisation’s ISMS conforms to the requirements of ISO/IEC 27001:2022, specifies the scope of the ISMS covered, names the certification body, and confirms the certificate’s validity period.

A certificate from a UKAS-accredited body will display two marks alongside the text of the certificate: the certification body’s own trademark or logo, and the UKAS accreditation mark. The UKAS mark typically takes the form of the UKAS logo alongside an accreditation reference number. This combination is what distinguishes an accredited certificate from one issued without accreditation oversight.

The certificate’s scope statement is a critical element. It defines what is covered — which products, services, locations, systems, and teams — and what is not. A certificate covering “the development and hosting of the client management platform operated from London headquarters” covers something fundamentally different from one covering “all information assets across the full enterprise.” Enterprise buyers read scope statements carefully.


What UKAS Accreditation Means

UKAS — the United Kingdom Accreditation Service — is the UK’s national accreditation body, appointed by the UK government under the Accreditation Regulation (EC) No 765/2008. Its role is to assess organisations that perform conformity assessment activities and to confirm that they are competent, impartial, and operating to recognised standards.

When UKAS accredits a certification body for ISO 27001, it has assessed that body against ISO/IEC 17021-1 — the international standard that specifies requirements for bodies providing audit and certification of management systems. UKAS assesses the certification body’s auditor competence and qualifications, the reliability of its audit processes, the impartiality of its certification decisions, and its consistent application of the standard across different clients.

UKAS conducts this assessment periodically — not just once at the time of initial accreditation. Accredited bodies are subject to ongoing surveillance by UKAS, which means their performance is monitored and their accreditation can be suspended or withdrawn if standards are not maintained.

This is the fundamental distinction: a UKAS-accredited certificate comes with an independent check that the issuing body is competent and operating to a recognised standard. A certificate from a non-accredited body has no such external validation.


Why Enterprise Buyers Specify It

The commercial value of a UKAS-accredited certificate — as opposed to one from a non-accredited body — lies in verifiability. Enterprise procurement teams, security assessors, and regulated sector buyers need to be able to confirm that a supplier’s certification claim is genuine and meaningful. A UKAS-accredited certificate provides this in two ways.

It appears in public registers. UKAS maintains a publicly searchable register of accredited certification bodies and the certificates they have issued. An enterprise buyer can search a supplier’s name or certificate number and confirm: that the certificate exists, that it was issued by an accredited body, that it covers the relevant scope, and that it has not expired or been suspended. A certificate from a non-accredited body will not appear in these registers.

The certification body’s competence has been independently verified. When an enterprise buyer accepts a UKAS-accredited certificate, they are relying on the fact that UKAS has assessed the certification body’s processes and auditor competence. The certificate is therefore not just the assertion of the certified organisation — it is an assertion that has been verified by a qualified auditor whose own qualifications and methods have been checked by an independent national body.

In procurement contexts, this matters significantly. A security questionnaire that asks “Do you hold ISO 27001 certification from an accredited body?” is specifically asking whether this chain of verification is in place. A supplier who holds only a non-accredited certificate is answering a different question.


The Certification Bodies That Hold UKAS Accreditation

A number of well-established certification bodies hold UKAS accreditation for ISO/IEC 27001. The most widely recognised in the UK market include:

BSI (British Standards Institution) — the UK’s national standards body and one of the world’s largest certification organisations. BSI wrote much of the foundational work that became ISO 27001 and is frequently the first-choice certification body for organisations seeking visible, recognised accreditation.

Bureau Veritas — an international certification and testing organisation with a significant UK presence and sector depth in manufacturing, energy, and infrastructure.

LRQA (formerly Lloyd’s Register Quality Assurance) — an internationally recognised certification body with roots in marine and industrial inspection and a substantial information security certification practice.

NQA — a UK-focused certification body with a large SME customer base and competitive pricing, particularly active in the IT services and professional services sectors.

Alcumus ISOQAR — a significant UK certification body serving a broad range of sectors, including professional services, healthcare, and technology.

SGS — one of the world’s largest inspection, verification, testing, and certification companies, with UKAS accreditation for ISO 27001 among many other standards.

This is not an exhaustive list. The UKAS register at ukas.com is the definitive source — search for certification bodies accredited for Information Security Management (the relevant scheme is UKAS accreditation against ISO/IEC 27001).

Choosing a UKAS-Accredited ISO 27001 Certification Body

All hold UKAS accreditation; the differentiators are audit approach, sector depth, pricing, and commercial terms.

BSI (British Standards Institution): UK's national standards body; wrote foundational ISO 27001 work. Widely recognised globally; strong in financial services and tech. Typically premium pricing; searchable certificate register.

Bureau Veritas (Bureau Veritas Certification UK): International body; strong in energy, infrastructure, and manufacturing. Significant UK presence; competitive on multi-standard bundles. Good for organisations needing certification to multiple standards.

LRQA (formerly Lloyd's Register QA): International recognition; strong in marine, industrial, and aviation. Growing information security certification practice. Respected brand for regulated sector contracts.

NQA (NQA Global Certification): Large UK SME customer base; competitive pricing. Active in IT services, professional services, and technology. Good choice for first-time certifiers on tighter budgets.

Alcumus ISOQAR (Alcumus Group): Significant UK presence; broad sector coverage. Active in healthcare, professional services, and tech. Competitive fees; strong SME and mid-market focus.

SGS (SGS United Kingdom Ltd): World's largest inspection and certification company. Broad international footprint; useful for multinationals. Can certify across multiple jurisdictions under one relationship.

What to compare when choosing between accredited bodies

Sector expertise: Does the body have auditors with experience in your sector? A fintech and a manufacturer have different control environments.

Audit fees: Get quotes from 2–3 bodies. Stage 1 + Stage 2 for a small org typically £4,000–£8,000. Compare what is included.

Findings flexibility: How do they handle minor nonconformity closure? What is their process for disputes? Ask before committing.

Auditor continuity: Will you get the same lead auditor across Stage 1, Stage 2, and surveillance? Continuity reduces re-explanation overhead.

Always verify before committing: Check the chosen body at ukas.com and confirm their accreditation scope includes Information Security Management Systems / ISO/IEC 27001. The list above is illustrative; the UKAS register is the authoritative source and the only place to confirm current accreditation status.

How to Verify a UKAS-Accredited Certificate

Verification of a supplier’s certificate is straightforward and takes a few minutes. There are several routes.

Through the UKAS register. Visit ukas.com and use the organisation search to find the certification body named on the certificate. Confirm that the body holds UKAS accreditation specifically for ISO/IEC 27001 management system certification. The scope of accreditation matters — some bodies hold UKAS accreditation for quality management (ISO 9001) but not for information security management. A body’s accreditation page on the UKAS register will list the specific standards for which they are accredited.

Through the certification body’s own register. Most accredited certification bodies maintain their own publicly searchable register of current certificates. Searching by the certified organisation’s name confirms that the specific certificate is live, in good standing, and has not been suspended or withdrawn. BSI’s register, for example, is searchable by company name and provides the certificate number, scope, and expiry date.

Through the IAF CertSearch database. The International Accreditation Forum operates a global certificate search tool at certipedia.com and through IAF member databases. This allows verification of certificates from accredited bodies in multiple countries through a single interface.

When reviewing a supplier’s certificate, check four things: that the certificate has not expired, that the scope covers the products or services you are procuring, that the certification body is listed in the UKAS register with accreditation for ISO 27001, and that the certificate displays the UKAS mark alongside the certification body’s own mark.

Anatomy of a UKAS-Accredited ISO 27001 Certificate

What to look for when reviewing your own certificate or verifying a supplier's

[Illustration: sample layout of an accredited certificate. Two marks appear at the top: the certification body's own mark, and the UKAS mark with its accreditation reference number. The UKAS mark is required for an accredited certificate.]

Certificate of Registration
ISO/IEC 27001:2022 — Information Security Management
Certified Organisation: Acme Technologies Ltd
Certificate Number: IS 123456 (verify in the certification body's register)
Initial Certification Date: 15 March 2024
Expiry Date: 14 March 2027 (check this is not lapsed)
Scope of Certification: "The design, development, hosting, and customer support of the ClientPortal SaaS platform operated by Acme Technologies Ltd. The scope includes the product engineering team, platform operations team, and customer success function, and the AWS eu-west-1 infrastructure hosting the platform." Read this carefully: does it cover what you are buying from this supplier?

1. Not expired: Check the expiry date. Verify live status in the certification body's register; don't rely on a PDF copy.

2. Scope matches: Read the scope statement. Confirm it covers the products or services you are procuring, not just a related part of the business.

3. UKAS mark present: Both the certification body's mark and the UKAS mark must appear. The UKAS mark includes a reference number; verify it at ukas.com.

4. Accreditation confirmed: Search ukas.com for the certification body and confirm their accreditation specifically covers ISO/IEC 27001, not just other standards.

What the Certificate Does and Does Not Attest To

A UKAS-accredited ISO 27001 certificate is not a guarantee that a supplier has zero security risk, or that all of its controls are operating perfectly. Understanding what the certificate actually attests to helps buyers use it appropriately.

What it attests to
The organisation has a documented ISMS covering the stated scope that meets the requirements of ISO 27001:2022. A qualified auditor from an accredited certification body assessed the ISMS against the standard’s requirements, sampled controls, reviewed documentation, and interviewed staff. The ISMS was assessed as conforming at the time of the audit. Surveillance audits have been conducted annually and have not identified issues that would cause the certificate to be suspended.

What it does not attest to
It does not attest that every security control is operating at maximum effectiveness, that the organisation has zero vulnerabilities, that the ISMS has not changed since the last audit, that all possible threat scenarios have been identified and mitigated, or that the scope covers the parts of the business you care about if they are explicitly excluded.

The certificate is evidence of a functioning management system for information security — a structured, audited approach to identifying, treating, and monitoring information security risk. It is a strong positive signal in procurement and security assessment, and it significantly reduces the due diligence burden on buyers. It is not a comprehensive security audit and should be combined with, rather than replace, targeted supplier security assessments for high-risk engagements.


The Three-Year Certificate Lifecycle

A UKAS-accredited ISO 27001 certificate is valid for three years, not indefinitely. The lifecycle involves:

Initial certification: Stage 1 (documentation review) followed by Stage 2 (implementation assessment). Successful completion results in the certificate being issued.

Surveillance audit 1 (Year 1): A shorter audit confirming the ISMS is still operating. Typically half a day to a day for most organisations. Mandatory areas reviewed every year include previous nonconformities, internal audit, management review, and risk assessment.

Surveillance audit 2 (Year 2): Similar in scope to SA1, but sampling different Annex A control areas to ensure broader coverage over the cycle.

Recertification audit (Year 3): A more comprehensive reassessment closer in scope to the original Stage 2 audit. Reviews the full three-year ISMS operation and resets the certificate for a new three-year cycle.

If surveillance audits are not conducted on schedule, or if the recertification audit is not completed before the certificate expires, the certificate lapses. A lapsed certificate means the organisation is no longer certified and cannot make that claim commercially. Buyers who verify certificate status in real time will see that the certificate has lapsed.

This is why verifying current validity — not just that a supplier was certified at some point — is an important step in procurement due diligence.


Common Mistakes

Accepting a certificate without verifying its current status. Certificates that were valid when last provided may have since lapsed or been suspended. Always verify current status through the UKAS or certification body register rather than relying on a copy of a certificate provided by the supplier.

Not checking the scope. A supplier may hold a genuine, accredited certificate that does not cover the product or service you are procuring. Checking scope is as important as checking accreditation.

Confusing the certification body mark with the accreditation mark. A certificate that displays only the certification body’s logo without an accreditation mark is not from an accredited body. Both marks must be present.

Assuming all certification bodies with “BSI” or similar in their name are the same. There are organisations that use similar naming to well-known bodies and which do not hold UKAS accreditation. Verify through the UKAS register, not through the certification body’s own marketing materials.


FAQs

How do I know if a specific certification body is UKAS-accredited for ISO 27001?

Search ukas.com for the body by name. On their accreditation entry, look for “Information Security Management Systems” or “ISO/IEC 27001” in their scope of accreditation. If it is not listed, the body does not hold UKAS accreditation for ISO 27001 — even if they hold accreditation for other standards.

Is a certificate from a UKAS-accredited body more expensive than one from a non-accredited body?

Typically yes. Audit fees from accredited bodies are higher because the bodies themselves incur the cost of maintaining UKAS accreditation, employing qualified auditors, and operating to the required processes. For a small organisation, the premium might be £2,000–£5,000 in audit fees over the three-year cycle — which is modest relative to the commercial value of having a certificate that enterprise buyers will accept.

Can I specify UKAS accreditation as a supplier requirement?

Yes, and many organisations do. A supplier security policy or procurement requirement that states “ISO 27001 certification from a UKAS-accredited body (or national equivalent for non-UK suppliers)” is precise and enforceable. It avoids the ambiguity of accepting any certificate that says “ISO 27001” on it.

What happens to my certificate if the certification body loses its UKAS accreditation?

This is rare but does occur. If a certification body loses its UKAS accreditation, certificates it has issued cease to be recognised as accredited. The certified organisation typically needs to transfer to another UKAS-accredited body and undergo a transfer audit. UKAS publishes notifications of changes to accreditation status, which is one reason it is worth periodically checking the status of your certification body in the UKAS register.

Does the UKAS mark on a certificate mean the same thing as a government endorsement?

UKAS is appointed by the UK government and operates on a statutory basis, but a UKAS-accredited certificate is not a government endorsement or guarantee. It means that the certification body that issued the certificate has been independently assessed as competent. The certificate is a commercial document, not a regulatory approval — though in many regulatory contexts, holding a UKAS-accredited certificate satisfies a requirement.

Written by

Alan Parker

Alan Parker is an ISO 27001 consultant and founder of Iseo Blue Limited. He helps UK SMEs achieve certification in 90 days or less - often without a dedicated security team or a large budget. With over 30 years in IT governance and information security, Alan works with software companies, IT service providers, managed service providers, and professional services firms across the UK, Europe, and internationally. Qualifications: ITIL v3 Expert, ITIL v4 Bridge, PRINCE2 Practitioner. Named IT Project Expert of the Year (2024, UK). Alan writes in plain English for busy teams who need to get things done. Connect on LinkedIn or Bluesky, or explore his free ISO 27001 tools and templates at iseoblue.com. B.Sc (Hons) Information Systems, CISMP certified.