ISO 27001 Certification Guide — UK Software Companies (2025)

🔒 ISO 27001💷 GBP Costs⏱️ 6–9 Months⚖️ UKAS🆓 Free Assessment
August 202512 min readJames Whitmore, CTO

Direct Answer

ISO 27001 certification for a UK software company typically takes 6–9 months and costs £15,000–£40,000 including UKAS-accredited certification body. The certification requires: an Information Security Management System (ISMS), risk assessment, Statement of Applicability (SoA), and an external audit (Stage 1 + Stage 2). ClickMasters holds ISO 27001 and helps clients achieve certification as part of software projects.

ISO 27001 Certification Process — Step by Step

StepWhat It IsDurationCost (indicative)
1. Gap AssessmentCompare current security posture against ISO 27001 Annex A controls (93 controls in ISO 27001:2022)2–4 weeks£2,000–£8,000 (consultant)
2. ISMS DesignDefine scope, policies, procedures, risk assessment methodology, and asset register4–8 weeks£5,000–£20,000 (consultant)
3. Risk AssessmentIdentify information assets, threats, vulnerabilities, and residual risk after controls2–4 weeksIncluded in ISMS or £2,000–£5,000 separate
4. Statement of ApplicabilityDocument all 93 Annex A controls — justify inclusions and exclusions1–2 weeksIncluded in ISMS
5. ISMS ImplementationImplement controls, train staff, test procedures, remediate gaps4–12 weeks£5,000–£20,000 (implementation cost)
6. Internal AuditIndependent internal review before external audit1–2 weeks£1,500–£4,000 (internal auditor)
7. Stage 1 Audit (document review)UKAS-accredited CB reviews ISMS documentation — confirms readiness for Stage 21 week£2,000–£6,000 (certification body)
8. Stage 2 Audit (implementation review)CB assesses whether ISMS is implemented and effective — interviews staff, tests controls1–3 days on-site/remote£3,000–£8,000 (certification body)
9. Certificate issuedUKAS-accredited ISO 27001 certificate issued (valid 3 years, annual surveillance audits)2–4 weeks post auditCertificate fee included

ISO 27001 Annex A Controls — Relevant to UK Software Companies

ControlDescriptionUK Software Relevance
A.5.7 Threat intelligenceMonitor sources of information about threatsNCSC Cyber Alert Service subscription
A.5.24 Information security incident managementIncident response plan, reporting procedureICO 72-hour breach notification — ISO 27001 incident procedure satisfies this
A.8.2 Privileged access rightsControl of administrator/root accessAWS IAM least privilege, MFA for all admin access
A.8.8 Management of technical vulnerabilitiesPatch management, vulnerability scanningDependabot, AWS Inspector, quarterly CREST pen test
A.8.9 Configuration managementSecure baseline configurationsTerraform IaC — infrastructure config in code, version controlled
A.8.15 LoggingSecurity event logging, log retentionCloudWatch, CloudTrail, 12-month log retention
A.8.25 Secure development lifecycleSecurity requirements in software developmentSSDLC — security requirements from Sprint 1
A.8.32 Change managementControlled change to information systemsGitHub pull request approval process as change management evidence

UKAS-Accredited Certification Bodies in the UK

Certification BodyNotesTypical Cost (Stage 1 + 2)
BSI (British Standards Institution)ISO 27001 original publisher — most recognised in UK£6,000–£15,000
Bureau VeritasInternational CB, strong UK presence£5,000–£12,000
Alcumus ISOQARUK-focused, competitive pricing for SMEs£4,000–£10,000
NQAUK CB, good for software companies£4,000–£9,000
Applus+International, competitive for larger companies£5,000–£12,000

Frequently Asked Questions

Common questions about iso 27001 certification guide — uk software companies (2025).

ISO 27001 certification satisfies and exceeds NHS DTAC Domain 3 (Technical Security) requirements. DTAC Domain 3 minimum: Cyber Essentials. ISO 27001 provides a comprehensive ISMS that includes all Cyber Essentials controls plus many additional controls. ClickMasters recommends: obtain Cyber Essentials Plus first (quick win, NHS contract requirement), then pursue ISO 27001 for enterprise contract eligibility. Many NHS trusts now prefer ISO 27001 for larger software contracts.

Yes — ClickMasters has helped pre-Series A UK startups achieve ISO 27001 in 6 months. The ISMS scope can be defined narrowly (the software product and supporting infrastructure) rather than the entire organisation — reducing the control set and audit burden. Cost for a 5–10 person startup: £10,000–£20,000 total (consultant + certification body). ISO 27001 at pre-Series A is a strong signal to enterprise buyers and investors — and increasingly required for NHS and government contract pre-qualification.

About the Author

James Whitmore, CTO ISO 27001 and UK security compliance specialist ClickMasters holds ISO 27001 certification. We help clients achieve ISO 27001 as part of software development projects.

Free ISO 27001 Gap Assessment ClickMasters...

Free ISO 27001 Gap Assessment ClickMasters will assess your current security posture against ISO 27001 and provide a gap report with prioritised action plan. → clickmasterssoftwaredevelopmentcompany.co.uk/contact/

Book a Free Consultation