How to Become ISO 27001 Certified: A Step-by-Step UK Guide

ISO 27001 certification shows that a UK organisation has implemented an Information Security Management System (ISMS) that meets ISO/IEC 27001 requirements for a defined scope. The process is structured, but it is achievable for growing organisations when the work is broken into clear steps and evidence is collected as controls go live.

This guide sets out the practical steps UK organisations follow to become ISO 27001 certified, from scoping and risk assessment to Annex A controls, audits and ongoing surveillance.

ISO/IEC 27001:2022 is the international standard that sets requirements for an Information Security Management System (ISMS). ISO 27001 certification is independent confirmation, by a certification body, that your ISMS meets those requirements for the scope you define.

Certification applies to your organisation and the defined ISMS scope, not to individual products or tools. Certificates are issued by certification bodies rather than ISO itself. The goal is to build and run a working management system, not just produce a document set for the audit.

Read more: ISO 27001 vs Other Standards

Define exactly what is included in the ISMS scope, such as locations, teams, systems, services and information assets, so everyone is clear what the ISO 27001 certificate will actually cover.

A practical scope usually focuses on the services that handle customer data or deliver contracted outcomes. Keep it realistic enough to implement, but broad enough to satisfy buyer expectations and avoid a certificate that feels too narrow.

Build the Information Security Management System (ISMS), the set of policies, processes, roles and records used to manage information security risks in a structured way so security is repeatable, not ad hoc. ISO 27001 is a management system standard, so auditors look for governance, repeatable processes and continual improvement.

At minimum, you should have an information security policy, a risk management approach, incident management, asset and access management responsibilities and a regular management review cycle.

Carry out a risk assessment for the in-scope assets and processes, then create a risk treatment plan that states how risks will be reduced, accepted, avoided or transferred. ISO 27001 is risk-based, so your control choices must be justified by real risks.

Use Annex A in ISO/IEC 27001 as the reference control set. Annex A lists controls you can select to treat identified risks. Choose controls that match your risks and operating context, not a generic list.

Create a Statement of Applicability (SoA), which lists all Annex A controls, states whether each control is applicable and explains why it is included or excluded.

Auditors review the SoA alongside your risk assessment and risk treatment plan to confirm that your control set is complete and coherent. Keep it accurate, current and aligned to how controls operate in practice.

Implement the selected controls and collect evidence that they operate in practice. Certification audits assess both documentation and real operation.

Evidence can include access reviews, backup and restore tests, incident logs, supplier due diligence and training completion records. Build simple routines so evidence is created as part of normal work, not as a scramble before an audit.

Run an internal audit to check whether the ISMS meets ISO/IEC 27001 requirements and whether controls work as intended. Internal audits reveal gaps before external audits do, and certification bodies expect to see them completed.

Then hold a management review, where leadership reviews ISMS performance, risks, incidents, audit results and improvement actions.

Select a certification body to conduct your ISO 27001 audits. In the UK, many organisations expect a UKAS-accredited certification body so they can trust that the certificate is robust and recognised.

UKAS accredits certification bodies, while organisations are certified to ISO 27001. When choosing a certification body, check sector experience, availability, audit style and how they handle non-conformities and follow-up evidence. Ask them to explain their Stage 1 and Stage 2 audit process in plain terms.

Complete the Stage 1 audit, a readiness review of your documented ISMS, risk assessment, Annex A control selection and Statement of Applicability. It confirms whether you are ready for the main certification audit and highlights any gaps you should address.

Then complete the Stage 2 audit, where the certification body tests how the ISMS operates in practice through sampling, evidence checks and staff interviews to confirm that controls work as described. If non-conformities are raised, you close them with corrective actions and evidence within an agreed timeframe. When the certification body is satisfied, it issues an ISO 27001 certificate for your defined scope, typically valid for three years with surveillance audits.

Maintain ISO 27001 certification through ongoing operation of the ISMS and regular surveillance audits. Surveillance audits confirm that controls remain effective as the organisation changes.

During the three-year cycle, surveillance audits usually focus on selected parts of the ISMS. Keep risk assessments current, update the SoA when controls change and continue internal audits, management reviews and continual improvement.

ISO 27001 certification is an ongoing management system, not a one-off project. It means running a risk-based ISMS, proving it works in practice and keeping it aligned to how your organisation operates.

At a glance, the steps are:

1. Decide what will be in scope for ISO 27001
2. Build an ISMS with clear policies, roles and governance
3. Run a risk assessment and create a risk treatment plan
4. Select Annex A controls and document them in a Statement of Applicability
5. Implement controls and collect day-to-day evidence
6. Complete internal audit and management review
7. Use a UKAS-accredited certification body for Stage 1 and Stage 2 audits
8. Maintain certification through surveillance audits and continual improvement