ISO 27001 is the international standard for information security management. It is recognised in every English-speaking market — from the UK to Australia, the US to Singapore — and in most regulated sectors globally. In 2026, with supply chain security requirements tightening under the Cyber Security and Resilience Bill (CSRB), cyber insurance underwriters demanding evidence of robust controls, and enterprise clients increasingly requiring certification as a condition of engagement, ISO 27001 certification has never been more valuable — or more demanded.
This guide covers everything UK businesses need to know about achieving and maintaining ISO 27001:2022 certification, including the process, timeline, costs, common pitfalls, and how our consultants support the journey.
Why ISO 27001 Matters in 2026
Three reinforcing factors make ISO 27001 essential for growing UK businesses:
Supply chain requirements. Large enterprises and government agencies increasingly require ISO 27001 certification from their suppliers. The CSRB expands this further by making supply chain security a statutory obligation for regulated entities. If you supply financial services, healthcare, energy, or government, ISO 27001 is no longer a differentiator — it is a baseline requirement.
Cyber insurance. Insurers now routinely require evidence of a functioning Information Security Management System (ISMS). ISO 27001 certification is the clearest, most widely recognised proof that an organisation takes information security seriously. Without it, organisations may face higher premiums, policy exclusions, or outright refusal of coverage.
Competitive advantage. In crowded markets, ISO 27001 certification differentiates you. It signals to prospects that your organisation has invested in security management, has independent verification of its controls, and treats security as an ongoing commitment rather than a one-off exercise. For B2B technology companies, ISO 27001 certification is often the deciding factor in procurement evaluations.
What Is ISO 27001:2022?
ISO/IEC 27001:2022 is the current version of the international standard for information security management systems. Published in October 2022, it replaced the 2013 edition with a three-year transition period that ended on 31 October 2025. All organisations holding ISO 27001 certification must now be certified against the 2022 edition.
The standard is structured around the Plan-Do-Check-Act (PDCA) continuous improvement cycle and consists of two main parts:
- Clauses 4–10 — mandatory requirements for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving the ISMS. These include context of the organisation, leadership, planning, support, operation, performance evaluation, and improvement.
- Annex A — a reference set of 93 controls organised across four themes: organisational (37 controls), people (8 controls), physical (14 controls), and technological (34 controls). Organisations select which controls are applicable based on their risk assessment.
The 2022 edition introduced several important changes from the 2013 version: the controls were reorganised from 14 domains into four themes; new controls were added covering threat intelligence, information security for cloud services, ICT readiness for business continuity, physical security monitoring, and data masking; and there is a greater emphasis on the management of change.
The ISO 27001 Certification Process
Achieving ISO 27001 certification follows a structured path. For a typical UK SME, the full process takes 3–6 months from project initiation to certification, assuming reasonable starting maturity:
- Scoping (1–2 weeks) — define which parts of the organisation the ISMS will cover. A focused scope — for example, "the SaaS platform and supporting corporate functions" — is often better for first-time certification than attempting to cover the entire organisation.
- Risk assessment (2–3 weeks) — identify information security risks and determine treatment plans. The risk assessment methodology must be documented and repeatable. Our consultants use a risk assessment framework aligned with ISO 31000.
- Statement of Applicability (SoA) (1 week) — document which Annex A controls are applicable and how they are addressed. This is a key document that the certification auditor will scrutinise.
- Control implementation (1–3 months) — implement the controls identified in the risk assessment and SoA. This typically includes policies, procedures, technical controls, and evidence collection processes.
- Documentation (ongoing throughout) — create the policies, procedures, and records required by the standard. Mandatory documents include the ISMS scope, information security policy, risk assessment methodology, SoA, risk treatment plan, and internal audit programme.
- Internal audit (1–2 weeks) — an independent internal audit verifies the ISMS is working as designed. Internal auditors must be independent of the areas being audited.
- Management review (1 week) — senior management reviews ISMS performance, risk assessment results, audit findings, and resource requirements. Evidence of active management engagement is critical.
- Stage 1 audit (1–2 days on-site or remote) — the certification body reviews documentation readiness. They assess whether the ISMS is adequately designed and ready for Stage 2.
- Stage 2 audit (2–4 days on-site) — the certification body verifies that the ISMS is implemented and operating effectively. They interview staff, review evidence, and test controls.
- Certification issued — valid for three years, subject to annual surveillance audits and a full recertification audit every three years.
Timeline and Cost for UK SMEs
Costs vary based on organisation size, scope complexity, and existing maturity. Typical ranges for a UK SME with 20–100 employees:
- Consultancy support: £5,000–£15,000 (gap assessment, implementation guidance, documentation, audit preparation)
- Certification body fees: £3,000–£8,000 (includes Stage 1, Stage 2, and certification maintenance for year 1)
- Annual surveillance audit fees: £1,500–£3,500 per year (years 2 and 3)
- Internal resource time: 2–4 hours per week during the implementation phase (project manager, control owners)
Total first-year investment typically falls in the range of £10,000–£25,000 for SMEs, with lower ongoing costs in years 2 and 3. Many organisations recover this investment within the first year through new business wins that required certification as a condition of engagement.
Choosing a UKAS-Accredited Certification Body
Not all ISO 27001 certificates are equal. To be recognised and trusted, your certificate must be issued by a certification body that is accredited by the United Kingdom Accreditation Service (UKAS) or an equivalent accreditor in your target market. This is not optional — many procurement policies explicitly require UKAS-accredited certification.
When selecting a certification body, consider: UKAS accreditation scope for ISO/IEC 27001, sector experience (especially if your industry has specific regulatory requirements), geographic coverage for multi-site organisations, references from similar-sized organisations in your sector, and cultural fit — you will work closely with your certification body for years.
Common Pitfalls
From our experience supporting dozens of organisations through ISO 27001 certification, the most common issues include:
- Over-documenting — ISO 27001 requires evidence of an ISMS, not a library of policies nobody reads. Quality over quantity. Each document should serve a clear purpose and be accessible to the people who need it.
- Scope creep — attempting to certify the entire organisation in the first pass is a common mistake. Start with a manageable scope, achieve certification, and expand in subsequent cycles.
- Treating it as a one-off project — ISO 27001 requires continuous improvement. The ISMS must be a living system, not a one-time documentation exercise. Organisations that treat certification as a checklist rather than a management system typically struggle with surveillance audits.
- Choosing the wrong certification body — ensure your chosen body is UKAS-accredited and has experience in your sector. A good certification body should challenge and support you, not just process paperwork.
- Weak management engagement — auditors look for evidence that leadership is actively involved in the ISMS, not just reviewing it annually. Management review meetings must demonstrate genuine oversight and decision-making.
- Internal audit independence — the person auditing cannot be the person who implemented or operates the controls being audited. For small organisations with limited internal resource, co-sourced internal audit support is an accepted approach.
Maintaining Certification: Year 2 and Beyond
Achieving certification is a milestone, but maintaining it requires ongoing commitment. The certification lifecycle works as follows:
- Year 1 — initial certification achieved. The ISMS is embedded in operations.
- Year 2 — first surveillance audit. The certification body returns (typically for 1–2 days) to verify that the ISMS remains effective and that the organisation is addressing continuous improvement requirements. The focus is on changes since the initial audit.
- Year 3 — second surveillance audit. Same format as Year 2, with closer scrutiny on whether corrective actions from previous audits have been sustained.
- Year 3+ — full recertification audit every three years. This is as comprehensive as the Stage 2 audit.
Surveillance audits are not a formality. Organisations that have neglected their ISMS may face significant non-conformities threatening their certification.
How Our Consultants Support ISO 27001 Certification
Our team provides end-to-end ISO 27001 support, from scoping and risk assessment through to Stage 2 audit readiness. We bring risk assessment templates, technical control implementation guidance, and audit preparation support. Through our fractional vCISO service, we provide ongoing ISMS management post-certification, including management review facilitation, internal audit support, and surveillance audit preparation. Whether you are starting from scratch or remediating existing controls, our consultants help you achieve certification efficiently and sustainably.