The definition
What is ISO 27001?
ISO 27001 is the globally recognised benchmark for information security management systems. It certifies that your organisation runs a real, audited system for managing security risk, not that you own particular technology. Certificates are issued after a two-stage independent audit and run on a three year cycle.
The standard in four ideas
What the standard actually is
A management system standard
ISO 27001 does not prescribe technologies. It requires a working information security management system: risks assessed, controls justified, documents maintained, and an improvement loop that auditors can watch turning.
93 controls, applied selectively
Annex A lists 93 controls in four themes. You consider all of them and implement the ones your risks, contracts and legal duties demand, recording every decision in the Statement of Applicability.
Independently certified
A certification body audits you in two stages and, in the UK, the certificates buyers trust come from UKAS-accredited bodies. Certificates run a three year cycle with annual surveillance.
Commercially, an entry ticket
Nothing in UK law requires ISO 27001, but enterprise procurement, public frameworks and investor due diligence increasingly do. For most UK adopters it is a revenue decision before it is a security one.
The deeper layers each have a page: the clauses, the 93 controls, the ISMS itself and the audit process.
Who needs it in the UK
The four situations that create the need
ISO 27001 is voluntary in law and increasingly compulsory in practice. The pattern across our clients is consistent: the certificate gets bought when its absence starts costing revenue, and the smart version of that decision happens before the deal that forces it.
Selling to enterprises
Security questionnaires and vendor due diligence shorten dramatically when the answer is a certificate rather than a hundred bespoke answers.
Bidding into frameworks
Public sector and regulated-industry frameworks list ISO 27001 among their expected assurances with increasing frequency.
Handling data at scale
SaaS providers, processors and anyone holding other organisations' data inherit their customers' assurance requirements.
Raising or exiting
Investor and acquirer due diligence treats a certified ISMS as evidence the company's operational risk is managed like an adult's.
Quick answers
ISO 27001 questions, answered
What is ISO 27001 in one sentence?
ISO 27001 is the benchmark standard for information security management systems: it certifies that your organisation runs a working system for assessing security risks, operating justified controls and improving continuously, verified by an independent audit.
What does having ISO 27001 actually mean?
It means an accredited third party audited your information security management system, at Stage 1 and Stage 2, and found it genuinely operating. It does not mean unbreachable; it means managed, evidenced and independently checked, which is precisely what buyers want to know.
What is the current version of ISO 27001?
ISO/IEC 27001:2022, which reorganised Annex A into 93 controls across four themes. The transition window from the 2013 edition has closed, so all current certifications are against the 2022 standard.
Do we need Cyber Essentials before ISO 27001?
No formal dependency exists; they answer different questions. Cyber Essentials verifies baseline technical hygiene; ISO 27001 certifies a whole management system. Many UK companies hold both, and the comparison is covered thoroughly on our sister site.
From definition to decision
Find out what ISO 27001 would take for your business
A free 45 minute scoping call turns the standard into a plan: your gap, your timeline and one fixed fee.