April 16, 2026

ISO 27001 Certification: The UK Business Guide for 2026

When a procurement team at an NHS trust, a defence prime, or a regulated financial services firm reviews your bid, one of the first things they check is your information security posture. ISO 27001 certification is the internationally recognised way for UK businesses to prove it. For the end user, whether a patient uploading medical records or a banking customer linking their account, the certificate means their information is handled under a tested, audited system.

This guide covers what ISO 27001:2022 requires, what it costs, how long certification takes, and why the evidence you build carries across multiple UK frameworks.

What ISO 27001:2022 requires

The 2022 revision restructured the standard around 93 controls in four themes: organisational (37), people (8), physical (14), and technological (34). The previous version used 114 controls across 14 domains. BSI and ISO.org published the updated Annex A in October 2022, and the transition deadline for existing holders passed on 31 October 2025.

Eleven controls are new. These include threat intelligence, information security for cloud services, ICT readiness for business continuity, data masking, data leakage prevention, monitoring activities, web filtering, and secure coding. New certifications are assessed against the 2022 standard only.

The core requirement: build and operate an information security management system, known as an ISMS. That means documented policies, risk assessments, controls, and continuous improvement processes covering your workforce, operational procedures, and technical infrastructure. Management must review the ISMS at defined intervals.

Why UK businesses need the certificate now

Demand is sharpest in sectors where procurement frameworks have hardened their security requirements.

Healthcare suppliers face overlapping requirements

NHS England's Data Security and Protection Toolkit version 8 aligns directly with ISO 27001 principles. Achieving ISMS certification automates over 80% of applicable DSPT items, saving more than 140 hours of manual evidence gathering ahead of the 30 June 2026 DSPT v8 deadline. The Digital Technology Assessment Criteria version 2 (DTAC v2), published by NHSX (now part of NHS England), explicitly asks whether suppliers hold the certificate.

The NHS Cyber Security Supply Chain Charter, published in May 2025, sets eight mandatory expectations for suppliers, with active engagement required from January 2026. The standard provides the structural evidence base to meet those expectations.

For the patient or clinician at the end of this chain, the effect is practical. Their data flows through systems where security controls have been independently audited, not self-declared.

Defence supply chains are tightening access

The Ministry of Defence published a mapping between DefStan 05-138 Issue 4 and ISO 27001, enabling direct evidence reuse. DEFCON 658 flows security requirements down through the supply chain, meaning sub-contractors increasingly need the same certification as prime contractors.

MOD annual industry spend sits at £40.6 billion across approximately 9,200 supplier organisations (GOV.UK MOD Trade, Industry and Contracts statistics, 2024). The Defence Industrial Strategy 2025 sets a target of increasing SME spend by £2.5 billion by May 2028 (GOV.UK, Defence Industrial Strategy, 2025). Smaller firms entering the defence supply chain for the first time will find that prime contractors treat the standard as a procurement prerequisite.

The Cyber Security Model version 4, delivered through IASME's Defence Cyber Certification scheme, does not mandate it. But the evidence overlap is substantial, and holding both signals maturity to prime contractors running JOSCAR assessments. For detail on defence supplier requirements, see our [MOD Secure by Design supplier guide].

Financial services regulators expect it

The FCA's operational resilience policy statement PS21/3, fully in force since March 2025, states that firms should align "with recognised security frameworks, including ISO 27001" (FCA, PS21/3, 2021). This is recommended guidance rather than a legal mandate: PS21/3 uses "should" language, meaning the FCA expects compliance but firms retain discretion over how they demonstrate operational resilience. The Senior Managers and Certification Regime places personal accountability on the SMF24 Chief Operations function holder for resilience failures.

The PRA mirrors these expectations for dual-regulated firms. Holding the certificate provides auditable evidence that a firm has identified information security risks, implemented controls, and established review cycles. See our [PRA/FCA operational resilience blog] for the full regulatory picture.

Cross-sector policy is moving in the same direction

DSIT published an official mapping between its Cyber Governance Code of Practice and ISO 27001 (GOV.UK, 2025). The proposed Cyber Security and Resilience Bill is progressing through Parliament and would expand the scope of regulated entities and reporting obligations. Procurement Policy Note 014 already makes Cyber Essentials the baseline for government contracts handling certain data types. The standard is the logical next step above Cyber Essentials Plus.

The certification process

Certification follows six stages.

Gap analysis

Compare your current security posture against the 93 controls. Identify where you meet requirements, where partial controls exist, and where gaps need new policies or technical measures.

ISMS build and implementation

Write policies, implement controls, conduct risk assessments, train staff, and establish the management review cycle. For SMEs, expect three to six months.

Stage 1 audit: documentation review

A UKAS-accredited certification body reviews your ISMS documentation, scope, risk assessment, and Statement of Applicability before visiting your operations.

Stage 2 audit: implementation review

The auditor verifies that your ISMS is operating as documented. They interview staff, review records, and test controls. This typically happens four to eight weeks after Stage 1.

Certification decision

If no major non-conformities are found, the certification body issues a three-year certificate. Minor non-conformities require corrective action within an agreed timeframe.

Surveillance and recertification

Annual audits in years two and three confirm the ISMS remains effective. A full recertification audit occurs at the end of the three-year cycle.

Total elapsed time from gap analysis to certificate is typically six to twelve months for an SME. Organisations with existing frameworks such as Cyber Essentials or a partial DSPT submission can move faster.

What the certificate costs

Cost varies by organisation size, complexity, and existing security maturity. The figures below draw on figures published by UK certification bodies and compliance consultancies in 2024-2025, and should be treated as indicative ranges.

For organisations under 50 employees, year one typically falls between £10,000 and £25,000, covering gap analysis, implementation support, internal resource, tooling, and certification body fees. Auditor day rates for UKAS-accredited bodies average around £1,250 per day. Ongoing surveillance runs £2,000 to £4,000 per year.

For suppliers bidding into NHS, defence, or government contracts, certification must come from a UKAS-accredited body. Non-accredited certificates may satisfy internal policies but will not meet procurement requirements.

The commercial case: the certificate replaces or reduces individual security questionnaires, client audits, and bespoke assurance requests. Organisations fielding ten or more security reviews per year often find it pays for itself in reduced procurement friction.

How ISMS evidence maps across UK frameworks

The strongest commercial case for the certificate in 2026 is evidence reuse. Building the management system generates policies, risk assessments, technical controls, training records, and audit logs that apply directly to other frameworks.

DSPT. ISMS evidence auto-completes applicable DSPT items and reduces additional work for your annual toolkit submission. See our [DSPT v8 deadline guide].

Cyber Essentials. The five CE technical controls are a subset of the standard's 34 technological controls. Evidence gathered for the ISMS covers CE requirements without duplication.

GDPR. The standard supports compliance with Articles 5, 24, 25, 28, 30, and 32 of the UK GDPR. The ICO's Guide to the UK GDPR, section on security (ICO, Guide to the UK GDPR, "Security", last updated 2024), references ISO 27001 as an example of appropriate technical and organisational measures.

DTAC v2. The Digital Technology Assessment Criteria version 2 asks directly whether suppliers hold the certificate. Valid ISMS certification simplifies the assessment for NHS digital health suppliers.

DefStan 05-138. The MOD's published mapping enables suppliers to reuse evidence directly for DefStan 05-138 Issue 4 compliance, avoiding duplicate documentation.

An organisation certifying to the standard while also needing DSPT, CE, and GDPR compliance builds a single evidence library that maps across all four frameworks.

Getting started with ISO 27001 certification

Map what you already have (existing policies, technical controls, training records, risk registers) against the 93 controls. That gap analysis determines scope and timeline. If your organisation already holds Cyber Essentials or submits the DSPT annually, existing evidence can be mapped into the ISMS rather than rebuilt.

The operational bottleneck for most organisations is building and maintaining evidence across multiple frameworks simultaneously. Each standard asks for overlapping but differently structured proof. Keeping that documentation current across annual cycles consumes hundreds of hours.

Naq's compliance platform automates ISO 27001 implementation across the full 93-control framework. Evidence gathered through over 300 integrations with your existing tools maps automatically to overlapping standards, including DSPT, Cyber Essentials, GDPR, and DTAC v2. Organisations using the platform report saving over 200 hours per standard and more than £20,000 compared to traditional consultancy approaches. The platform covers 20 or more compliance frameworks from a single dashboard, so the evidence you build for the certificate carries directly into your next framework without rework.

For organisations that need additional support, Naq provides in-house compliance experts, including certified auditors, penetration testers, and dedicated account managers, as a complementary layer on top of the platform.

Book a demo to see how the platform maps your current security posture against the standard and identifies the fastest path to certification.

FAQs

How long does ISO 27001 certification take for a UK SME?

Most SMEs complete the process in six to twelve months. Organisations with existing frameworks such as Cyber Essentials can reach certification faster, often within six months.

How much does ISO 27001 certification cost?

Year one costs for organisations with fewer than 50 employees typically range from £10,000 to £25,000, including implementation and audit fees. Annual surveillance costs £2,000 to £4,000. These are industry estimates based on published figures from UK certification bodies and compliance consultancies, 2024-2025.

Do I need a UKAS-accredited certification body?

For NHS, defence, and government contract work, yes. Procurement frameworks in these sectors require UKAS-accredited certification.

Does the certificate replace Cyber Essentials?

No. Cyber Essentials covers five technical controls and is the government procurement baseline under PPN 014. ISO 27001 is broader, covering governance, risk management, physical security, and technology. The evidence overlaps substantially, but one does not replace the other.

Does ISO 27001 help with DSPT compliance?

Yes. ISMS evidence auto-completes applicable DSPT items. Organisations holding the certificate report reduced effort on their annual toolkit submission.

Is ISO 27001 mandatory for MOD suppliers?

The standard is not formally mandated across all MOD contracts. DefStan 05-138 Issue 4 maps directly to it, and DEFCON 658 flows requirements down the supply chain. In practice, prime contractors increasingly expect it.

Written by
The Naq Team