Whitepaper Contents
What Is ISO 27001? Certification Guide for UK Businesses
Highlights
- ISO 27001 is the leading international standard for Information Security Management Systems (ISMS). Published by the International Organization for Standardization (ISO), it gives organisations a structured framework for identifying, managing, and reducing information security risks.
- It applies to businesses of any size and any sector. Whether you handle customer data, operate in a regulated industry, or need to demonstrate security credentials to clients and partners, ISO 27001 provides a globally recognised benchmark.
- This guide covers what the standard requires, who needs it, how certification works in the UK, and what the 2022 update means for your organisation.
1. What Is ISO 27001 Certification?
ISO 27001 certification is formal, independent confirmation that your organisation has built and maintains an Information Security Management System (ISMS) that meets the requirements of the ISO/IEC 27001:2022 standard.
Certification is awarded by an accredited certification body -- such as the British Standards Institution (BSI) -- following a structured audit of your policies, controls, processes, and operational evidence.
It is not a one-time achievement. Certified organisations undergo annual surveillance audits and a full recertification audit every three years to maintain their status.
ISO 27001 certification tells clients, partners, and regulators that your approach to information security has been independently verified -- not self-declared.
2. ISO 27001 Compliance vs. Certification
These two terms are often used interchangeably, but they mean different things.
Compliance means your organisation is following the requirements of ISO 27001, or at least a meaningful portion of them. This is typically self-assessed. There is no external validation and no certificate issued.
Certification means an accredited third-party body has audited your ISMS and confirmed it meets the full ISO/IEC 27001:2022 standard. A certificate is issued, valid for three years subject to annual surveillance audits.
The distinction matters in commercial contexts. Many procurement processes, regulated sectors, and enterprise clients specifically require certification, not self-declared compliance. If a tender asks for ISO 27001, a compliance statement will often not be accepted as a substitute.
3. What Changed in ISO 27001:2022?
The ISO/IEC 27001 standard was updated in October 2022. The 2022 version is now the only valid basis for new certifications and for maintaining existing certifications. The transition deadline passed in October 2025, and 2013-based certificates are no longer valid.
If your organisation has not yet transitioned, contact your certification body to discuss recertification options.
Key changes in ISO 27001:2022
Annex A controls restructured
The control set has been reduced from 114 controls across 14 domains to 93 controls grouped into four themes: Organisational, People, Physical, and Technological. This makes controls easier to assign, apply, and audit.
11 new controls introduced
The new controls address threats that were not adequately covered in the 2013 version:
- Threat intelligence
- Cloud services security
- ICT readiness for business continuity
- Physical security monitoring
- Configuration management
- Information deletion
- Data masking
- Data leakage prevention
- Monitoring activities
- Web filtering
- Secure coding
Stronger alignment with enterprise risk management
The 2022 revision places greater emphasis on understanding organisational context, the expectations of interested parties, and planning for change. This brings ISO 27001 into closer alignment with how risk is managed at board and executive level.
Harmonised structure
The standard now follows the ISO harmonised structure, also used by ISO 9001, ISO 22301, and others. This reduces duplication and simplifies integration with other management systems.
4. Who Needs ISO 27001 Certification?
ISO 27001 is not a legal requirement in the UK or EU. However, it is increasingly a commercial necessity for organisations that handle sensitive data or operate in regulated markets.
You are likely to need ISO 27001 certification if you:
- Supply software, data services, or managed services to enterprise clients
- Operate in financial services, healthcare, legal, or public sector supply chains
- Respond to formal procurement tenders or RFPs
- Store or process personal data on behalf of clients
- Are expanding into international markets where information security standards are expected
Common scenarios where certification is requested or required:
Enterprise procurement: Large organisations routinely require ISO 27001 as a condition of supplier approval. Without it, you may be disqualified at the due diligence stage before any commercial conversation takes place.
RFP responses: Many formal tenders name ISO 27001 explicitly. A self-assessment or alternative framework is often not accepted as an equivalent.
Regulated sector supply chains: Financial institutions, NHS suppliers, and government contractors face growing pressure to demonstrate supply chain security. ISO 27001 is the standard most commonly specified.
The global average cost of a data breach reached $4.88 million in 2024 (IBM Cost of a Data Breach Report, 2024). Investment in a verified security framework is increasingly difficult to defer.

5. Key Benefits of ISO 27001 Certification
Reduced security risk
ISO 27001 requires organisations to identify, assess, and treat information security risks systematically. This structured approach reduces the likelihood of breaches and the cost of incidents when they do occur.
Competitive advantage
Certification signals to clients and partners that your security posture has been independently verified. In competitive markets, it can determine whether you make a shortlist.
Regulatory alignment
ISO 27001 is not a substitute for GDPR compliance, but the two frameworks overlap significantly. Implementing an ISO 27001-aligned ISMS supports your obligations under the UK GDPR and EU GDPR, and reduces the risk of enforcement action. GDPR fines can reach €20 million or 4% of annual global turnover, whichever is higher.
Operational resilience
The standard requires regular reviews, internal audits, and continuous improvement. This keeps your security controls current as threats evolve and your business changes.
Faster client onboarding
A valid ISO 27001 certificate reduces the time and resource spent on answering security questionnaires and completing third-party due diligence processes.
6. How to Become ISO 27001 Certified
Certification requires you to build, operate, and demonstrate an ISMS that meets the requirements of ISO/IEC 27001:2022. Auditors assess whether your controls are operational and whether your people understand them -- it is not a documentation exercise.
Core requirements
Define your ISMS scope
Decide which parts of your organisation, systems, and data the ISMS will cover. Scope can apply to the whole business or to specific functions, locations, or services.
Conduct a risk assessment
Identify your information assets, assess the threats and vulnerabilities relevant to each, and determine appropriate treatment options. This must be documented and repeatable.
Complete a Statement of Applicability (SoA)
The SoA lists all 93 Annex A controls. For each, you must state whether it applies to your organisation and, if not, justify its exclusion. This document is central to your certification audit.
Implement and document controls
Apply the controls identified in your risk treatment plan. Maintain evidence that they are operating as intended.
Prepare mandatory documentation
Required documents include your information security policy, ISMS scope statement, risk assessment and treatment methodology, risk treatment plan, Statement of Applicability, and security objectives.
Run an internal audit
Before the certification audit, conduct a formal internal audit to identify gaps and confirm your ISMS is functioning as documented.
7. ISO 27001 Certification Process in the UK
Phase 1: Gap Analysis
Compare your current security practices against ISO 27001:2022 requirements. This identifies what is already in place, what needs to be built, and the scale of work ahead.
Phase 2: Define Scope
Determine what your ISMS will cover. A tightly defined scope that you can evidence fully is preferable to a broad scope with gaps. Many organisations start with a defined scope and expand over time.
Phase 3: Risk Assessment and Statement of Applicability
Conduct a formal risk assessment, document your risk treatment decisions, and produce your SoA. This is one of the most time-intensive phases and one that auditors scrutinise closely.
Phase 4: Implement Controls and Build Evidence
Apply your chosen controls and begin gathering the evidence that demonstrates they are working. This includes audit logs, training records, incident logs, and access review records.
Phase 5: Internal Audit
Carry out a full internal audit of your ISMS before the certification audit. This is your opportunity to find and address gaps before external scrutiny.
Phase 6: Certification Audit (Stage 1 and Stage 2)
Stage 1: The certification body reviews your documentation -- your ISMS scope, policies, SoA, and risk assessment -- to confirm you are ready for Stage 2.
Stage 2: Auditors assess whether your ISMS is operating in practice. They will interview staff, review evidence, and test whether your controls are functioning as documented.
Phase 7: Surveillance Audits
Once certified, you will undergo annual surveillance audits to confirm your ISMS remains effective. A full recertification audit takes place every three years.

8. How Long Does ISO 27001 Certification Take?
Small to medium-sized businesses can typically reach the certification audit within four to six months, with the full process completed within six to nine months.
Larger or more complex organisations should plan for up to twelve months, depending on the number of systems in scope, the maturity of existing controls, and the size of the internal team.
The pre-audit phase -- scoping, risk assessment, control implementation, staff training, and internal audit -- takes the majority of that time. The certification audit itself (Stage 1 and Stage 2) typically follows within two to three months of completing that groundwork.
9. How Much Does ISO 27001 Certification Cost?
Costs vary significantly depending on the size of your organisation, the complexity of your systems, and the level of external support you use.
Typical range: £10,000 to £50,000 or more.
What affects the cost:
Organisation size and scope: Larger scopes require more time in both preparation and audit.
Existing security maturity: Organisations starting from a low baseline invest more in control implementation.
Internal vs. external delivery: Using consultants or a GRC platform affects how internal time is deployed, not just direct spend.
Certification body fees: Audit fees vary by body and organisation size.
Ongoing costs: Annual surveillance audits, staff training, and tooling are recurring costs that should be factored into the business case from the outset.
SureCloud's GRC platform is built to reduce internal workload and lower the total cost of getting and staying certified. Explore SureCloud's plans.
10. Common ISO 27001 Challenges
Documentation burden
ISO 27001 requires evidence that your policies and controls exist and are operating. Without a clear system, documentation becomes unmanageable quickly. Focus on what the standard actually requires and use a consistent structure from the start. A GRC platform that centralises evidence collection makes this significantly more manageable.
Proving your ISMS works
Auditors do not just read documents -- they look for evidence of operation. Maintain audit logs, training completion records, incident reports, and access review outputs consistently. If it is not recorded, it did not happen.
Getting sustained staff engagement
Security is not a project; it is an ongoing practice. One-off training is rarely sufficient. Integrate security awareness into onboarding, annual reviews, and team communications. Make the relevance to each team's day-to-day work explicit.
Keeping your ISMS current
Certification is not the finish line. Your ISMS needs to evolve as your business changes, new threats emerge, and the regulatory landscape shifts. Schedule regular reviews and assign clear ownership for maintaining the system between audits.
Scoping decisions
Getting scope wrong -- too broad or too narrow -- is a common early mistake. A scope that is too wide creates unnecessary work; one that is too narrow may not satisfy clients or auditors. Involve your certification body early in the scoping conversation.
11. ISO 27001 vs ISO 27002: What Is the Difference?
ISO 27001 is the certifiable standard. It defines the requirements for an ISMS -- the management framework your organisation must build and maintain to achieve certification.
ISO 27002 is a supporting guidance document. It provides detailed implementation guidance for the Annex A controls referenced in ISO 27001. It is not certifiable on its own.
In practice: you get certified to ISO 27001. You use ISO 27002 to understand how to implement the controls that ISO 27001 requires.
Both standards were updated in 2022. ISO 27002:2022 was published in February 2022, and the updated Annex A in ISO 27001:2022 reflects those changes directly.
12. How SureCloud Supports ISO 27001 Certification
ISO 27001 involves a significant amount of ongoing activity: risk assessments, control tracking, asset registers, evidence management, internal audits, and surveillance preparation. Managing this across spreadsheets and shared drives creates risk and adds unnecessary time to every stage of the process.
SureCloud is an AI-powered GRC platform built for organisations that need to move beyond manual compliance. Rather than being a system of record that documents what has happened, SureCloud is both a system of record and a system of action -- with workflows that govern the process and AI that reduces manual effort across your connected data.
For ISO 27001 specifically, SureCloud:
- Provides a pre-built ISO 27001 framework with controls and templates aligned to ISO/IEC 27001:2022
- Automates evidence collection and continuous controls monitoring, reducing the time and effort needed to stay audit-ready
- Supports risk assessment, Annex A control mapping, and Statement of Applicability management within a single platform
- Connects with tools including Microsoft 365 and Jira, reducing duplication across your existing workflows
- Maps efficiently to multiple frameworks -- including ISO 27001, SOC 2, GDPR, NIS2, and DORA -- through a proprietary Controls Framework, so you are not duplicating effort across standards
- Maintains an evidence trail for internal and external audits, with simplified reporting that makes audit preparation faster
SureCloud is recognised as a Representative Vendor in the Gartner Hype Cycle for Cyber-Risk Management 2025, named an Enterprise Solution in the Chartis RiskTech Quadrant for eGRC Solutions 2025, and included as a Major Player in the QKS SPARK Matrix for GRC Platforms 2025.
13. Case Study: Everton Football Club
Everton FC manages data on over 32,000 season ticket holders and more than 600,000 registered fans, alongside sensitive information on players, employees, agents, and suppliers. Before working with SureCloud, all of this was tracked manually across Excel spreadsheets -- an approach that was unsustainable as GDPR obligations grew.
Working with NCC Group, Everton deployed SureCloud's GRC platform to centralise its data management and GDPR compliance programme. The results were significant: Everton reduced the time spent on documenting processing activities and completing data protection impact assessments by 75%. All data is now mapped, risk-assessed, and tracked in a single system, with changes and requests automatically recorded so activity reports and data audits can be produced on demand.
FAQs
What is ISO 27001?
ISO 27001 is the international standard for Information Security Management Systems (ISMS). Published by the International Organization for Standardization, it defines the requirements an organisation must meet to manage information security risks systematically. The current version is ISO/IEC 27001:2022.
What are the benefits of ISO 27001 certification?
ISO 27001 certification reduces information security risk, gives clients and partners independent confirmation of your security posture, supports GDPR compliance, and gives you a competitive advantage in procurement processes. It also reduces the time spent on supplier security questionnaires once you hold a valid certificate.
How long does ISO 27001 certification take?
Small to medium-sized businesses can typically reach the certification audit within four to six months. Larger or more complex organisations should plan for up to twelve months. The pre-audit work -- scoping, risk assessment, control implementation, and internal audit -- accounts for most of that time.
How much does ISO 27001 certification cost?
Costs typically range from £10,000 to £50,000 or more, depending on the size of your organisation, the complexity of your systems, and whether you use external consultants or a GRC platform. Ongoing costs include annual surveillance audits, staff training, and tooling.
What is an ISMS in ISO 27001?
An Information Security Management System (ISMS) is the framework of policies, processes, controls, and documentation that an organisation uses to manage information security risks. ISO 27001 defines the requirements an ISMS must meet to achieve certification.
What is the Statement of Applicability in ISO 27001?
The Statement of Applicability (SoA) is a mandatory document that lists all 93 Annex A controls and records whether each one applies to your organisation. For controls that are excluded, you must provide a written justification. The SoA is a central document reviewed during the certification audit.
What are the stages of the ISO 27001 certification audit?
The certification audit has two stages. Stage 1 is a documentation review: the certification body checks that your ISMS documentation meets the standard's requirements. Stage 2 is an operational audit: auditors assess whether your controls are functioning in practice, through staff interviews, evidence review, and observation.
What is the difference between ISO 27001 and ISO 27002?
ISO 27001 is the certifiable standard -- it defines what your ISMS must do. ISO 27002 is a guidance document -- it explains how to implement the Annex A controls referenced in ISO 27001. Organisations achieve certification to ISO 27001, not ISO 27002.
Can a small business get ISO 27001 certified?
Yes. ISO 27001 is designed to scale to organisations of any size. Smaller organisations often have an advantage: their ISMS scope is more straightforward, decision-making is faster, and the certification audit is less complex. Many small businesses achieve certification within four to six months.
What changed in ISO 27001:2022 compared to 2013?
The 2022 update reduced the Annex A control set from 114 to 93 controls, restructured them into four themes (Organisational, People, Physical, Technological), and added 11 new controls addressing modern threats including cloud security, threat intelligence, and data leakage prevention. The standard's structure was also aligned with the ISO harmonised format to simplify integration with other management systems. The 2013 version is no longer valid for certification.
Does ISO 27001 cover GDPR?
ISO 27001 and GDPR have significant overlap but are not equivalent. Implementing ISO 27001 supports your GDPR obligations, particularly around data security and accountability, but does not replace the need for a dedicated GDPR compliance programme. The two frameworks are complementary and can be managed efficiently within the same GRC platform.
Does ISO 27001 require penetration testing?
ISO 27001 does not mandate penetration testing by name, but it requires organisations to assess and test the effectiveness of their technical controls. Penetration testing is a widely used and well-regarded method for satisfying this requirement, particularly for technology businesses and those with significant network infrastructure in scope.
London Office
1 Sherwood Street, London, W1F 7BL, United Kingdom
US Headquarters
6010 W. Spring Creek Pkwy., Plano, TX 75024, United States of America
© SureCloud 2026. All rights reserved.