ISO 27001 Cybersecurity: UK Implementation Guide
ISO 27001 is the international standard for information security management systems. UK businesses pursue certification to meet client requirements, satisfy regulatory expectations and demonstrate a systematic approach to managing information security risk.
Matt Cannon
Managing Director
What is ISO 27001?
ISO/IEC 27001 is the internationally recognised standard for Information Security Management Systems (ISMS). Certification demonstrates that an organisation has identified its information security risks, implemented appropriate controls to manage them, and established a process for ongoing review and improvement. It is published jointly by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC); the current version is ISO/IEC 27001:2022.
Unlike Cyber Essentials — which verifies specific technical controls — ISO 27001 is a management system standard. It is concerned with whether an organisation has a systematic, documented approach to information security risk management, not just whether specific technical tools are in place. Annex A of the standard provides a reference set of controls (114 in the 2013 version, restructured to 93 in the 2022 version) from which organisations select those relevant to their risk profile.
Why UK businesses pursue ISO 27001
Demand for ISO 27001 certification among UK businesses has grown significantly, driven by several factors:
- Client contractual requirements: Larger businesses and public sector organisations increasingly require suppliers handling their data to hold ISO 27001 certification. IT services providers, law firms, accountants and any organisation in a supply chain position frequently encounter this requirement.
- Regulatory alignment: ISO 27001 certification provides documented evidence of systematic security management that supports compliance with UK GDPR, FCA operational resilience requirements, and sector-specific frameworks.
- Cyber insurance: Insurers view ISO 27001 certification as a positive signal of security maturity and may offer preferential terms.
- Competitive differentiation: In markets where security credentials matter to clients, certification provides a credible, independently verified differentiator.
The ISO 27001 implementation process
Phase 1: Gap assessment
The starting point is understanding the distance between your current security posture and the requirements of the standard. A gap assessment identifies which controls are already in place, which are partially implemented, and which are absent. This informs the implementation plan and resource requirements.
Phase 2: Scope definition
The ISMS scope defines which parts of the organisation, which information assets, and which processes are covered by the certification. Organisations often start with a limited scope — a specific service line, a data centre, or a defined set of information assets — and expand it over time. A clear scope statement is a formal requirement of the standard.
Phase 3: Risk assessment and treatment
ISO 27001 requires a formal information security risk assessment methodology. This involves identifying information assets, identifying threats and vulnerabilities applicable to each, assessing the likelihood and impact of each risk, and deciding on treatment: accept, mitigate, transfer (insure), or avoid.
The risk treatment plan documents which controls from Annex A have been selected to address identified risks, and the Statement of Applicability (SoA) records which controls are included and why, and which are excluded with justification.
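A toy risk register and Statement of Applicability generator for the Phase 3 process described above, added here as an illustration (it is not AMVIA's tooling or anything published with the standard). The 1-5 scales, the risk-appetite threshold and the sample assets and threats are constructed; the Annex A references use the ISO 27001:2022 numbering as I recall it and should be verified against your own copy of the standard.

```python
from dataclasses import dataclass
RISK_APPETITE = 8  # constructed threshold: a score above this cannot simply be accepted
TREATMENTS = ("accept", "mitigate", "transfer", "avoid")
# Subset of Annex A using the ISO 27001:2022 numbering as I recall it; verify against the standard.
ANNEX_A = {"A.8.5": "Secure authentication", "A.8.8": "Management of technical vulnerabilities",
           "A.8.13": "Information backup", "A.8.24": "Use of cryptography"}
@dataclass
class Risk:
    asset: str
    threat: str
    likelihood: int          # 1-5 scale
    impact: int              # 1-5 scale
    treatment: str = "accept"
    controls: tuple = ()     # Annex A references that justify a "mitigate" decision

    @property
    def score(self) -> int:  # likelihood x impact, maximum 25
        return self.likelihood * self.impact

def validate(risk: Risk) -> None:
    """Reject register entries that an auditor would flag as inconsistent."""
    if not (1 <= risk.likelihood <= 5 and 1 <= risk.impact <= 5):
        raise ValueError(f"{risk.asset}: likelihood and impact must be 1-5")
    if risk.treatment not in TREATMENTS:
        raise ValueError(f"{risk.asset}: unknown treatment {risk.treatment!r}")
    if risk.score > RISK_APPETITE and risk.treatment == "accept":
        raise ValueError(f"{risk.asset}: score {risk.score} exceeds appetite, cannot accept")
    if risk.treatment == "mitigate" and not risk.controls:
        raise ValueError(f"{risk.asset}: 'mitigate' needs at least one control")
    unknown = [ref for ref in risk.controls if ref not in ANNEX_A]
    if unknown:
        raise ValueError(f"{risk.asset}: unknown Annex A reference(s) {unknown}")

def statement_of_applicability(risks) -> dict:
    """Map every Annex A control to (applicable?, justification) derived from the register."""
    treated_by = {ref: [] for ref in ANNEX_A}
    for r in risks:
        validate(r)
        for ref in r.controls:
            treated_by[ref].append(f"{r.asset}: {r.threat}")
    return {ref: (True, "treats " + "; ".join(why)) if why
            else (False, "no in-scope risk requires this control")
            for ref, why in treated_by.items()}
# Constructed register for a small firm whose ISMS scope covers a client file store and staff laptops
REGISTER = [
    Risk("client file store", "ransomware", 4, 5, "mitigate", ("A.8.8", "A.8.13")),
    Risk("staff laptops", "theft of unencrypted device", 3, 4, "mitigate", ("A.8.24",)),
    Risk("office printer", "unauthorised print retrieval", 2, 2),  # score 4, within appetite
]
```

Running `statement_of_applicability(REGISTER)` yields an inclusion or exclusion line with justification for every listed control, and refuses a register that accepts a risk above appetite or claims "mitigate" without naming a control.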
Phase 4: Policy and procedure development
ISO 27001 requires documented policies covering information security governance, acceptable use, access control, incident management, business continuity, and supplier relationships, among others. These must be appropriate to the organisation's size and risk profile — a ten-person business does not need the same documentation overhead as a 500-person firm, but the core policies must exist and be actively followed.
Phase 5: Implementation of controls
Technical controls identified in the risk treatment plan are implemented during this phase. This may include configuring encryption, deploying MFA, establishing patch management processes, setting up security monitoring, formalising access review procedures, and implementing backup and recovery capabilities. AMVIA supports clients through this phase, implementing the technical controls that the ISMS requires.
Phase 6: Internal audit and management review
Before external certification, the ISMS must have completed at least one internal audit cycle and management review. These demonstrate that the management system is operating — not just documented.
Phase 7: Certification audit
An accredited certification body conducts a two-stage audit: a documentation review (Stage 1) and an on-site assessment (Stage 2). If the auditor is satisfied, ISO 27001 certification is granted for three years, subject to annual surveillance audits. Certification bodies accredited by UKAS provide the most widely recognised certification in the UK.
ISO 27001 costs
Implementation costs for UK SMEs vary significantly based on starting position, scope, and whether an external consultant is engaged. A rough guide: gap assessment and consultancy support, £5,000–£20,000; internal resource time; certification audit fees, £3,000–£10,000 depending on scope and certification body. Annual surveillance audits are typically £1,000–£3,000. Total first-year cost for a small to medium business is often £15,000–£40,000 including consultancy and audit fees.
Building the Technical Foundation for ISO 27001
ISO 27001 requires specific technical controls to be implemented and evidenced. AMVIA can handle the technical implementation side, ensuring your IT environment is ready for certification.
Frequently Asked Questions
How long does ISO 27001 certification take?
For most UK SMEs, the implementation process takes 6–18 months from initial gap assessment to certification. The timeline depends on the starting position, the scope of the ISMS, the availability of internal resource, and how quickly identified gaps can be closed. Organisations with existing security frameworks in place typically move faster.
How does ISO 27001 differ from Cyber Essentials?
Cyber Essentials verifies five specific technical controls against a defined standard and takes days to weeks to achieve. ISO 27001 certifies a complete information security management system — risk assessment, governance, policies, procedures, controls and ongoing review — and takes months to years to implement properly. They are complementary rather than alternatives; Cyber Essentials is often pursued first as a foundation.
Does ISO 27001 certification mean we cannot be breached?
No certification or security programme can guarantee immunity from breaches. ISO 27001 demonstrates that you have identified your risks, implemented appropriate controls, and established a process for continuous improvement. An organisation with ISO 27001 certification that experiences a breach is in a significantly better position for investigation, recovery and regulatory response than one with no documented security framework.
What is the Statement of Applicability?
The Statement of Applicability (SoA) is a key ISO 27001 document that lists all Annex A controls, states whether each is applicable to the organisation's scope, documents the justification for inclusion or exclusion, and records whether each included control has been implemented. It is one of the first documents a certification auditor will examine and must be kept current as the ISMS evolves.
Can a small business achieve ISO 27001 certification?
Yes. ISO 27001 is scalable and many certified organisations are small businesses. The standard does not require a large security team — it requires a proportionate, documented approach to managing security risk. A 10-person technology firm with a limited ISMS scope can achieve certification with appropriate planning and support.
Which certification body should we use?
In the UK, use a certification body accredited by UKAS (United Kingdom Accreditation Service). UKAS-accredited ISO 27001 certificates are recognised internationally and by the UK public sector. BSI, Bureau Veritas, Lloyd's Register, NQA and SGS are among the UKAS-accredited bodies operating in the UK. Costs and turnaround times vary, so obtaining quotes from two or three bodies is advisable.