Anacruses Associates Ltd

How to Get ISO 27001 Certified in the UK: A Complete Guide

2026-07-01

ISO 27001 certification in the UK involves five stages: gap analysis, risk assessment and Statement of Applicability, implementation of Annex A controls, internal audit, and certification audit with a UKAS-accredited body. For a UK SME, the process takes 12 to 20 weeks and costs between £8,000 and £25,000 in total, including consultancy and certification body fees.

ISO 27001:2022 is the international standard for Information Security Management Systems (ISMS). It provides a structured framework for identifying, assessing, and treating information security risks — protecting the confidentiality, integrity, and availability of your organisation's information assets and those belonging to your clients.

ISO 27001 certification is recognised globally as the benchmark for information security governance. It is increasingly required in technology, financial services, healthcare, and public sector supply chains — and is now routinely specified by cyber insurers as a condition of cover or as a factor in premium pricing.

Who needs ISO 27001?

ISO 27001 is relevant to any UK business that handles sensitive client data, personal data, or confidential business information; supplies IT, software, cloud, or managed services to other organisations; operates in financial services, healthcare, legal, or public sector supply chains; is required by a client contract to demonstrate information security controls; wants to strengthen its cyber insurance position or reduce premiums; or needs to demonstrate GDPR Article 32 compliance.

Stage 1: Gap Analysis

The gap analysis establishes your starting point. Your consultant reviews your current information security controls — policies, procedures, technical measures, physical security, and access controls — and maps them against the ISO 27001:2022 requirements. The output is a gap report that identifies what is already in place, what needs to be built, and a realistic implementation plan.

For most UK SMEs, the gap analysis takes one to two days on-site or by remote review. It sets the scope of the ISMS — which parts of the business, which information assets, and which locations are included.

Stage 2: Risk Assessment and Statement of Applicability

This is the most technically demanding stage of ISO 27001 and the one that most commonly trips up organisations that attempt self-implementation. You must identify all information assets within scope, assess the threats and vulnerabilities relevant to each asset, evaluate the likelihood and impact of each risk, select treatment options (accept, transfer, mitigate, or avoid), and document your decisions in a formal Risk Treatment Plan.

From the risk assessment, you produce a Statement of Applicability (SoA) — a document that lists all 93 Annex A controls from ISO 27001:2022, states whether each is applicable to your organisation, and explains your reasoning. The SoA is a key document that your certification body auditor will review in detail.
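As an added illustration (not the page's or Anacruses' own method), the Python below sketches a minimal risk register, applies a likelihood-times-impact score against a risk appetite to pick a treatment, and derives the SoA from the treatment plan, reporting any Annex A control that is neither relied on by a mitigated risk nor excluded with a written justification. The control subset, the appetite threshold and the sample risks are constructed for the example.

```python
from dataclasses import dataclass

# Constructed subset of the 93 ISO 27001:2022 Annex A controls (IDs and titles real).
ANNEX_A = {
    "5.7": "Threat intelligence",
    "5.23": "Information security for use of cloud services",
    "7.4": "Physical security monitoring",
    "8.8": "Management of technical vulnerabilities",
    "8.11": "Data masking",
}
RISK_APPETITE = 8  # constructed: a score above this must be treated, not accepted

@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int       # 1 (rare) .. 5 (almost certain)
    impact: int           # 1 (negligible) .. 5 (severe)
    controls: tuple = ()  # Annex A controls that would mitigate this risk
    def score(self) -> int:
        return self.likelihood * self.impact
    def treatment(self) -> str:  # simplified rule: accept within appetite, else mitigate
        return "accept" if self.score() <= RISK_APPETITE else "mitigate"

def build_soa(risks, exclusions):
    """A control is applicable when a mitigated risk relies on it; any other control
    needs a justification in `exclusions`, otherwise it is reported as a gap."""
    needed = {}
    for r in risks:
        if r.treatment() == "mitigate":
            for c in r.controls:
                needed.setdefault(c, []).append(f"{r.asset}: {r.threat}")
    soa, gaps = {}, []
    for cid in ANNEX_A:
        if cid in needed:
            soa[cid] = ("applicable", "treats " + "; ".join(needed[cid]))
        elif cid in exclusions:
            soa[cid] = ("not applicable", exclusions[cid])
        else:
            soa[cid] = ("not applicable", "NO JUSTIFICATION")
            gaps.append(cid)
    return soa, gaps

# Constructed sample register for a small, fully remote SaaS provider.
RISKS = [
    Risk("prod servers", "unpatched CVE exploited", 3, 4, ("8.8", "5.7")),
    Risk("test data", "PII exposure in non-prod", 3, 3, ("8.11",)),
    Risk("laptops", "device left on train", 2, 3, ("8.1",)),  # score 6: accepted
]
EXCLUSIONS = {"7.4": "no premises in scope; fully remote workforce"}
```

Running `build_soa(RISKS, EXCLUSIONS)` leaves 5.23 flagged as a gap, which is exactly the kind of unexplained exclusion an auditor will query when reviewing the SoA.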

Stage 3: Controls Implementation and Documentation

Based on your SoA, you implement the controls your risk assessment has identified as necessary. ISO 27001:2022 organises these across four control themes: Organisational controls (37 controls, covering policies, roles, supplier relationships, and incident management), People controls (8 controls, covering screening, awareness, and training), Physical controls (14 controls, covering physical security perimeters, equipment security, and secure disposal), and Technological controls (34 controls, covering access control, encryption, network security, and monitoring).

Documentation includes: information security policy, acceptable use policy, access control policy, incident response procedure, business continuity plan, and the supporting records that demonstrate controls are operating. A competent consultant writes documentation that is proportionate to your organisation's size and genuinely reflects how you work — not generic templates that pass the audit but collect dust afterwards.

Stage 4: Internal Audit

Before the certification body visits, you must conduct a formal internal audit of the ISMS. The internal audit checks that your implemented controls match your documented system, that the system is operating effectively, and that any nonconformities are identified and addressed before the certification body's Stage 2 audit.

An internal audit conducted by your ISO consultant adds objectivity that a self-conducted audit cannot provide. It is also the stage where poorly prepared organisations typically discover problems — better to find them now than during the certification audit.

Stage 5: Certification Audit

ISO 27001 certification involves a two-stage audit with a UKAS-accredited certification body (these audit stages are distinct from the implementation stages above). The Stage 1 audit (document review) is typically conducted remotely: the auditor reviews your ISMS documentation — policies, risk assessment, SoA, internal audit records — and confirms you are ready to proceed to Stage 2. The Stage 2 audit (implementation audit) verifies that your controls are actually implemented and operating as documented. Auditors interview staff, examine records, and test controls. A successful Stage 2 results in certification.

UKAS-accredited certification is the only form of ISO 27001 certification recognised by most UK public sector buyers, financial services regulators, and supply chain compliance requirements. Non-UKAS certificates carry significantly less weight.

How long does ISO 27001 certification take?

For a UK SME implementing from scratch, realistic timelines are 12 to 20 weeks from kick-off to certification audit. Organisations with mature IT security practices and existing documentation move faster. A focused scope takes less time than a broad one. The amount of time your team can commit to implementation work alongside their day jobs has a direct effect on the timeline.

How much does ISO 27001 certification cost?

ISO 27001 has two main cost components. Consultancy fees typically run £5,000 to £20,000 depending on organisation size, scope, and starting point — Anacruses provides fixed-fee quotes so you know the ceiling upfront. Certification body fees for the initial certification audit are typically £2,500 to £6,000, plus annual surveillance audits. The total first-year cost for a UK SME is typically £8,000 to £25,000. Ongoing annual costs are primarily certification body surveillance fees of £1,500 to £3,500.

ISO 27001 and UK GDPR

ISO 27001 and UK GDPR are complementary frameworks. Many of the technical and organisational measures required under GDPR Article 32 are directly addressed by ISO 27001 Annex A controls. Achieving ISO 27001 certification provides documented evidence of your information security programme — which is valuable both in demonstrating compliance and in the event of an ICO investigation following a data breach.

ISO 27001 certification does not guarantee GDPR compliance — the two have different scopes — but it substantially closes the gap and demonstrates a systematic approach to information security that regulators regard favourably.

What changed in ISO 27001:2022?

The 2022 revision made three significant changes: the Annex A control set was restructured from 14 domains and 114 controls to four themes and 93 controls; 11 new controls were added (including controls for threat intelligence, cloud security, data masking, and physical security monitoring); and the main standard clauses were updated to align with the High Level Structure shared by all ISO management system standards. All new certifications are to the 2022 standard. Organisations certified to the 2013 version were required to transition by October 2025.

Do I need a consultant to get ISO 27001?

Not in principle — the standard does not require external consultancy. In practice, ISO 27001 is the most technically demanding of the common ISO management standards, and the risk assessment and Statement of Applicability in particular require specialist knowledge to produce correctly. Most organisations that attempt self-implementation either produce a system that fails audit or produce a compliant system that doesn't reflect how the business actually operates. Qualified consultancy pays for itself in time saved and certainty of outcome.

Can a small business get ISO 27001 certified?

Yes. ISO 27001 is designed to be scalable to any organisation size. A ten-person IT consultancy can achieve a rigorous, auditable ISMS with a proportionate set of controls. The key is defining a scope that is appropriate to your organisation and not over-engineering the system for its actual size.

What certification body should I use for ISO 27001 in the UK?

Use a UKAS-accredited certification body. Well-regarded UKAS-accredited bodies for ISO 27001 in the UK include BSI, Bureau Veritas, LRQA, NQA, and Alcumus ISOQAR. The right choice depends on your sector, your clients' preferences, and commercial terms — we advise on this as part of our consultancy.

Free resource: ISO 27001 Certification Checklist

Want to check your readiness? Download the free ISO 27001 Certification Checklist — a practical PDF covering all seven areas your certification body will examine, with every required item listed so nothing is missed before your Stage 2 audit. [Download the free checklist →](/iso-27001-checklist)

Ready to talk about your business?

Book a free, no-obligation call. We will tell you exactly what certification would involve for your size, sector, and starting point.