ISO 27001 Certification Process — Step by Step
| Step | What It Is | Duration | Cost (indicative) |
|---|---|---|---|
| 1. Gap Assessment | Compare current security posture against ISO 27001 Annex A controls (93 controls in ISO 27001:2022) | 2–4 weeks | £2,000–£8,000 (consultant) |
| 2. ISMS Design | Define scope, policies, procedures, risk assessment methodology, and asset register | 4–8 weeks | £5,000–£20,000 (consultant) |
| 3. Risk Assessment | Identify information assets, threats, vulnerabilities, and residual risk after controls | 2–4 weeks | Included in ISMS or £2,000–£5,000 separate |
| 4. Statement of Applicability | Document all 93 Annex A controls — justify inclusions and exclusions | 1–2 weeks | Included in ISMS |
| 5. ISMS Implementation | Implement controls, train staff, test procedures, remediate gaps | 4–12 weeks | £5,000–£20,000 (implementation cost) |
| 6. Internal Audit | Independent internal review before external audit | 1–2 weeks | £1,500–£4,000 (internal auditor) |
| 7. Stage 1 Audit (document review) | UKAS-accredited CB reviews ISMS documentation — confirms readiness for Stage 2 | 1 week | £2,000–£6,000 (certification body) |
| 8. Stage 2 Audit (implementation review) | CB assesses whether ISMS is implemented and effective — interviews staff, tests controls | 1–3 days on-site/remote | £3,000–£8,000 (certification body) |
| 9. Certificate issued | UKAS-accredited ISO 27001 certificate issued (valid 3 years, annual surveillance audits) | 2–4 weeks post audit | Certificate fee included |
ISO 27001 Annex A Controls — Relevant to UK Software Companies
| Control | Description | UK Software Relevance |
|---|---|---|
| A.5.7 Threat intelligence | Monitor sources of information about threats | NCSC Cyber Alert Service subscription |
| A.5.24 Information security incident management | Incident response plan, reporting procedure | ICO 72-hour breach notification — ISO 27001 incident procedure satisfies this |
| A.8.2 Privileged access rights | Control of administrator/root access | AWS IAM least privilege, MFA for all admin access |
| A.8.8 Management of technical vulnerabilities | Patch management, vulnerability scanning | Dependabot, AWS Inspector, quarterly CREST pen test |
| A.8.9 Configuration management | Secure baseline configurations | Terraform IaC — infrastructure config in code, version controlled |
| A.8.15 Logging | Security event logging, log retention | CloudWatch, CloudTrail, 12-month log retention |
| A.8.25 Secure development lifecycle | Security requirements in software development | SSDLC — security requirements from Sprint 1 |
| A.8.32 Change management | Controlled change to information systems | GitHub pull request approval process as change management evidence |
UKAS-Accredited Certification Bodies in the UK
| Certification Body | Notes | Typical Cost (Stage 1 + 2) |
|---|---|---|
| BSI (British Standards Institution) | ISO 27001 original publisher — most recognised in UK | £6,000–£15,000 |
| Bureau Veritas | International CB, strong UK presence | £5,000–£12,000 |
| Alcumus ISOQAR | UK-focused, competitive pricing for SMEs | £4,000–£10,000 |
| NQA | UK CB, good for software companies | £4,000–£9,000 |
| Applus+ | International, competitive for larger companies | £5,000–£12,000 |