Straight answers
ISO 27001, answered
The questions UK organisations actually ask about ISO 27001, answered plainly by the practitioners who run readiness programmes and sit in the audits. If yours is missing, bring it to a scoping call.
Is ISO 27001 mandatory in the UK?
No law requires it. What requires it, increasingly, is commerce: enterprise procurement, public sector frameworks, insurer questionnaires and investor due diligence all treat ISO 27001 as expected assurance. Most UK certifications happen because a contract demanded one, which is a good reason to certify before the contract that demands it arrives.
What is ISO 27001 in one sentence?
ISO 27001 is the benchmark international standard for how organisations manage information security: it certifies that your organisation runs a working, independently audited system for assessing security risks, operating justified controls and improving continuously.
How much does ISO 27001 certification cost in the UK?
Three costs: readiness (our fixed bands by headcount, published on the cost page), the certification body's audit (around £1,250 per auditor day at 2026 UK rates, with a floor of roughly £6,250 for the smallest organisations under ISO 27006 day minimums), and annual surveillance from around £1,500. Budget the whole journey, not just the first invoice.
How long does ISO 27001 take?
Typical UK projects run three to four months for organisations under about 50 staff and five to eight months at 150 to 500. The audits are days; the calendar goes on building the ISMS and letting evidence accrue. Promises of certification in weeks should make you ask what, exactly, is being certified.
How long does ISO 27001 certification last?
Certificates run a three year cycle: annual surveillance audits in years two and three, then full recertification. A lapse or a failed surveillance means the certificate your contracts depend on stops being valid, so the ISMS needs an owner year-round.
What are the requirements of ISO 27001?
Clauses 4 to 10 of the standard, mandatory for everyone: scope, leadership, risk-based planning, support, operation, performance evaluation and improvement. Annex A's 93 controls are then applied selectively, with every inclusion and exclusion justified in your Statement of Applicability.
Who needs ISO 27001?
Organisations whose customers, frameworks or investors demand independently verified security: SaaS and data processors, suppliers into enterprises and the public sector, and any business whose due diligence questionnaires keep getting longer. If nobody external is asking yet, the question is when they will, not whether.
Who actually issues the certificate?
A certification body, and in the UK the certificates buyers trust come from UKAS-accredited bodies. CyPro is not a certification body: we build your readiness and support you through the audit, and the assessment stays genuinely independent, which is what makes the certificate worth holding.
What happens in the certification audit?
Two stages. Stage 1 reviews your documentation: scope, risk assessment, Statement of Applicability and internal audit results. Stage 2, weeks later, tests the system in practice through interviews and evidence sampling. Minor findings are normal; majors pause certification until fixed.
How many controls does ISO 27001 have?
Annex A of the 2022 edition lists 93 controls in four themes: organisational, people, physical and technological. You consider all 93 and implement the ones your risks, contracts and legal duties justify.
How difficult is ISO 27001 certification?
Less difficult than its reputation and more work than its salesmen admit. The standard asks for organised, evidenced security management, not perfection. The difficulty concentrates in three places: a genuine risk assessment, evidence that accrues over weeks, and the independent internal audit, all of which are solvable with a plan.
Do we need Cyber Essentials before ISO 27001?
No, there is no dependency between the schemes. Cyber Essentials verifies baseline technical controls; ISO 27001 certifies a whole management system, and each satisfies different contract clauses. Many UK companies hold both. The full comparison lives on our sister site.
What is the latest version of ISO 27001?
ISO/IEC 27001:2022. It reorganised Annex A from 114 controls into 93 across four themes and added controls for cloud, threat intelligence and data leakage prevention. The transition window from the 2013 edition has closed, so all current audits run against 2022.
Is ISO 27001 certification ever free?
No. The certification body's audit is a paid, accredited assessment with day-count minimums set by ISO 27006. Free or near-free certificates come from unaccredited issuers, and they fail at the moment they are needed: inside a customer's due diligence review.
One question left?
Ask it on a free discovery call
Forty-five minutes, no obligation, and you will leave knowing your gap, your timeline and your number either way.