
What is ISO 27001? A Plain English Guide for UK Businesses

If you run a business in the UK and handle client data, supplier information, or sensitive internal records, chances are you have come across the term ISO 27001 — perhaps on a tender document, a client questionnaire, or a vendor’s website. It sounds technical, and the official documentation can be impenetrable, but the underlying concept is straightforward: ISO 27001 is an internationally recognised framework that tells you how to protect information properly, and then lets you prove to the outside world that you are doing so.

What is ISO 27001?

ISO 27001 (formally titled ISO/IEC 27001, Information security, cybersecurity and privacy protection — Information security management systems — Requirements) is an international standard that specifies how an organisation should establish, implement, maintain, and continually improve an Information Security Management System (ISMS). It is published and maintained jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). The standard was first published in 2005, significantly revised in 2013, and updated again in 2022; the current version is ISO/IEC 27001:2022.

The standard is part of a broader family known as the ISO 27000 series, which covers everything from vocabulary (ISO 27000) and implementation guidance for the individual controls (ISO 27002) to sector-specific guidance for healthcare and finance. ISO 27001 itself is the certifiable standard: the one against which an independent auditor can assess your organisation and award a certificate. The other documents in the series are guidance only; you cannot be certified against them.

What is an ISMS?

An Information Security Management System (ISMS) is not a piece of software or a single policy document. It is a systematic approach — a collection of policies, processes, procedures, plans, and controls — that an organisation uses to manage information security risks. Think of it as the management system for your security, in the same way that a quality management system (like ISO 9001) governs how you manage quality.

The ISMS sits at the heart of ISO 27001. The standard does not prescribe exactly what your security controls must look like in detail — instead, it requires you to identify your specific risks and put proportionate, documented controls in place to address them. This makes it scalable: a ten-person accountancy practice and a five-hundred-person software company can both achieve ISO 27001 certification, even though their ISMS will look quite different in practice.

What Does ISO 27001 Actually Require?

The standard is structured around a set of mandatory clauses (clauses 4 to 10) and a supplementary set of controls known as Annex A. Here is what each part involves.

Clauses 4–10: The Core Requirements

These clauses broadly map onto the Plan-Do-Check-Act (PDCA) cycle and cover the structural and governance requirements of the ISMS:

  • Clause 4 — Context: Understand your organisation, its objectives, and the internal and external factors that affect information security. Identify interested parties (clients, regulators, suppliers) and their requirements.
  • Clause 5 — Leadership: Senior management must demonstrate commitment. This means appointing ownership of the ISMS, establishing an information security policy, and ensuring security is integrated into organisational processes.
  • Clause 6 — Planning: Define a risk assessment method that produces consistent, repeatable results, then use it to identify threats to the confidentiality, integrity, and availability of information. Produce a risk treatment plan that documents which controls you will apply and why, and set measurable information security objectives.
  • Clause 7 — Support: Ensure you have the resources, competence, awareness, and documented information (policies and records) necessary to run the ISMS.
  • Clause 8 — Operation: Implement the controls and plans defined in clause 6. This is where policies go live and processes are followed day to day.
  • Clause 9 — Performance Evaluation: Monitor, measure, analyse, and evaluate the ISMS. Internal audits and management reviews are mandatory.
  • Clause 10 — Improvement: Address non-conformities, take corrective action, and continually improve the ISMS over time.

Annex A: The Controls

Annex A is a reference set of security controls — in ISO 27001:2022 there are 93 controls organised into four themes: organisational controls, people controls, physical controls, and technological controls. Examples include access control policies, encryption requirements, supplier security assessments, incident response procedures, and business continuity planning.

You are not required to implement every single Annex A control. Instead, you produce a Statement of Applicability (SoA): a document that lists each control, states whether it applies to your organisation, explains your reasoning for including or excluding it, and records whether each included control has actually been implemented yet. Annex A is a checklist against which you compare the controls you chose during risk treatment, so that nothing necessary is overlooked; you may also add controls from other sources where your risks call for them. Auditors pay close attention to the SoA because it shows the logic behind your security decisions, and they will test that every exclusion is consistent with the risk register.

Who Needs ISO 27001?

There is no legal obligation for most UK businesses to hold ISO 27001 certification — it is a voluntary standard. However, in practice it has become a de facto requirement in a growing number of sectors and commercial situations:

  • Government and public sector supply chains: Crown Commercial Service frameworks (including G-Cloud) and other central government procurements increasingly require or strongly favour ISO 27001 certification from suppliers.
  • Financial services and insurance: Firms regulated by the FCA often require ISO 27001 from technology suppliers and outsourced service providers.
  • Healthcare and NHS supply chains: The NHS Data Security and Protection Toolkit aligns closely with ISO 27001 principles, and certification is often specified in procurement requirements.
  • Legal and professional services: Law firms handling sensitive client data are frequently asked to demonstrate ISO 27001 compliance by larger corporate clients.
  • Technology and SaaS businesses: If you sell software or managed services to enterprise clients, you will almost certainly encounter ISO 27001 on sales questionnaires.
  • Businesses processing large volumes of personal data: While ISO 27001 is separate from UK GDPR, implementing the standard provides strong evidence of the “appropriate technical and organisational measures” that Article 32 of UK GDPR requires.

In short, if you want to win contracts with large organisations, regulated businesses, or the public sector, ISO 27001 is rapidly becoming a ticket to entry rather than a differentiator.

Conformance vs Certification: What is the Difference?

This distinction matters, and it is one that trips up many businesses.

Conformance (sometimes called self-declared conformance) means your organisation has implemented the requirements of ISO 27001 internally and believes it meets the standard. There is no independent verification — you are simply asserting compliance. This can be useful for internal governance, but most clients and procurement teams will not accept a self-declaration in place of a formal certificate.

Certification means your ISMS has been audited and verified by an independent, accredited Certification Body, sometimes called a Registrar. In the UK, certification bodies are accredited by UKAS (United Kingdom Accreditation Service); overseas bodies are accredited by their own national accreditation body under the same international arrangements. After a successful two-stage audit (Stage 1, a readiness review of your documentation and scope, followed by Stage 2, an on-site or remote assessment of whether the ISMS actually operates as documented), the certification body issues a certificate that is valid for three years, subject to annual surveillance audits and a recertification audit before the certificate expires.

When a client asks “are you ISO 27001 certified?”, they mean certification from an accredited body, not a self-declaration. Be aware that unaccredited “certificates” are sold too; a certificate that does not carry the mark of UKAS or an equivalent national accreditation body will usually be rejected by procurement teams, so check a certification body’s accreditation status before engaging it. Always clarify which is required before investing in the process.

What Do Auditors Look For?

ISO 27001 auditors are not trying to catch you out — their job is to determine whether your ISMS is genuine, effective, and proportionate to your risks. In practice, they will look for:

  • Evidence of documented processes: Policies, procedures, risk registers, and records must exist and be current. “We do this in practice but haven’t written it down” is not sufficient.
  • Management commitment: Are senior leaders genuinely engaged with the ISMS, or has it been delegated entirely to an IT manager with no board-level visibility? Auditors will want to speak with leadership.
  • A credible risk assessment: Your risk register should reflect the real threats your business faces — not a generic template. Auditors will probe whether you have thought carefully about your specific assets, threats, and vulnerabilities.
  • Effective internal audits and management reviews: These must have happened, findings must be documented, and corrective actions must be tracked to closure.
  • Staff awareness: Employees should be able to demonstrate a basic understanding of information security responsibilities. Auditors often speak informally to staff during site visits.
  • Continual improvement: The ISMS must evolve. Auditors look for evidence that you are learning from incidents, audit findings, and changes in your business environment.

How Long Does Certification Take?

For a small to medium-sized business starting from scratch, a realistic timeline is six to twelve months from project kick-off to certificate. Larger or more complex organisations may take longer. The process typically involves:

  • Scoping the ISMS (deciding which parts of the business are in scope)
  • Conducting the risk assessment and producing the risk treatment plan and SoA
  • Writing and implementing policies and procedures
  • Running the ISMS for a period (usually at least three months) to generate evidence
  • Completing an internal audit and management review
  • Undergoing the Stage 1 (documentation) and Stage 2 (implementation) external audits

Many businesses engage a specialist consultant to accelerate the process, particularly for the risk assessment and documentation phases. This adds cost but significantly reduces the risk of arriving at the Stage 2 audit with gaps that could result in non-conformities.

ISO 27001 and UK GDPR: How Do They Relate?

ISO 27001 and UK GDPR are different things: one is a voluntary standard, the other is law. They complement each other closely, however. UK GDPR requires organisations to implement “appropriate technical and organisational measures” to protect personal data, but it does not specify exactly what those measures should be. ISO 27001 provides precisely that: a structured, internationally recognised approach to deciding on and implementing security measures, with the risk assessment supplying the justification for why your chosen measures are “appropriate”.

Holding ISO 27001 certification does not automatically mean you are UK GDPR compliant — data protection involves additional obligations around lawful basis, data subject rights, and retention that sit outside the standard. However, a well-implemented ISMS significantly strengthens your data protection posture and can be cited as evidence of due diligence in the event of a data breach investigation by the ICO.

Summary

ISO 27001 is the international standard for managing information security, maintained by ISO and IEC. At its core, it requires businesses to build and operate an ISMS — a structured system of policies, risk assessments, and controls designed to protect the confidentiality, integrity, and availability of information. The standard is built around mandatory governance clauses and a comprehensive set of security controls in Annex A, with organisations producing a Statement of Applicability to document which controls they have implemented and why.

Certification — awarded by a UKAS-accredited body following an independent audit — is increasingly required in public sector supply chains, financial services, healthcare, and enterprise technology. It differs from self-declared conformance in that it carries independent verification. Auditors look for documented evidence, genuine management commitment, credible risk management, and continual improvement.

For most UK businesses, the question is not really whether ISO 27001 is a good idea — it clearly is — but when to pursue it. If your clients are starting to ask about it, or if you are targeting sectors where certification is expected, the time to start planning is now. Six to twelve months of structured work leads to a certificate that opens doors, builds client trust, and gives your security programme a solid, internationally recognised foundation.