Skip to content
WhatMSP
Guide

UKAS vs other accreditation

A certificate is only as good as whoever stands behind it. Here’s why a UKAS-accredited certificate beats a non-accredited or ASCB one — and how to tell them apart.

Two providers can both wave an “ISO 27001” certificate, yet one may be worth far more than the other. The difference usually comes down to a single word most buyers have never heard of: accreditation. Understanding it is one of the most useful things you can learn when assessing an IT provider’s credentials.

This guide explains what UKAS is, why a UKAS-accredited certificate carries genuine assurance while a non-accredited or self-styled “ASCB” one often doesn’t, and exactly how to check.

Accreditation vs certification: the key distinction

These two words are easy to confuse, and the confusion is sometimes exploited. They sit at different levels:

  • Certification — a certification body assesses an organisation against a standard (say, ISO 27001) and, if it passes, issues a certificate.
  • Accreditation — an independent check, one level up, that the certification body itself is competent and impartial and audits to the standard properly.

Put simply: certification tells you a company was assessed; accreditation tells you the assessor can be trusted. Without accreditation, you have no independent reason to believe the audit behind a certificate was rigorous — or rigorous at all.

What UKAS is

UKAS — the United Kingdom Accreditation Service — is the sole national accreditation body recognised by the UK government. It is the authority that assesses and accredits certification bodies in the UK. UKAS does not certify ordinary businesses directly; instead it independently evaluates whether the bodies issuing certificates are competent, impartial and operating to international requirements.

This is what makes a UKAS-accredited certificate trustworthy: it comes with two layers of assurance. The organisation was audited, and the auditor was itself independently accredited by the recognised national authority. That chain — national accreditation body → accredited certification body → certified organisation — is what gives the certificate its weight.

The problem with non-accredited and “ASCB” certificates

Because certification is a commercial activity, there are bodies that issue official-looking certificates without UKAS accreditation. Some operate under self-styled marks — abbreviations such as “ASCB” or various in-house “accreditation” schemes — that are not the UK’s recognised national accreditation body. A certificate issued this way has had no independent, recognised oversight of the auditor.

The practical risk is twofold. First, the audit behind such a certificate may have been light-touch — there is no recognised authority checking that the certification body did a proper job. Second, the certificate looks broadly the same to an untrained eye: similar wording, a confident logo, the same standard number. The assurance, however, is not the same — which is precisely why some providers prefer the cheaper, easier route.

Red flag

A certificate that prominently displays an unfamiliar “accreditation” logo but not the UKAS mark deserves a closer look. If a provider can’t tell you which UKAS-accredited body issued its certificate, treat the certification as unaccredited until proven otherwise.

How to check a certificate is UKAS-accredited

It only takes a minute, and it’s worth doing for any credential a provider leans on:

  • 1. Look for the UKAS accreditation mark — the distinctive “tick and crown” symbol — on the certificate itself, not just a website.
  • 2. Identify the certification body — the certificate should clearly name the body that issued it, with a certificate number.
  • 3. Verify with the issuer or UKAS — confirm the certificate is genuine and current with the certification body directly, or check the body’s accreditation via UKAS.
  • 4. Check the dates and scope — confirm it is in date and that its scope actually covers the services you’re buying.

This matters most for ISO 27001. (Cyber Essentials follows a slightly different model — it’s overseen by IASME as the NCSC’s partner, and verified against the NCSC list of certified organisations rather than a UKAS mark.)

Pro tip

A genuine certificate holder answers “Which UKAS-accredited body issued it, and what’s the certificate number?” without hesitation. Evasiveness here is itself an answer.

How WhatMSP scores accreditation

This distinction is built into our /50 methodology. We verify certifications such as ISO 27001 through the UKAS-accredited certification body, and a UKAS-accredited certificate is scored as far more credible than a non-UKAS or ASCB one. That reflects the real difference in assurance — and means a provider can’t earn full credit simply by buying an unaccredited certificate. Credentials are checked at source, so the score reflects what’s genuinely there.

Let us check the certificates for you

Every provider on the register is independently scored out of 50, with accredited certifications verified at source. We don’t sell rankings — the score is earned. Free for buyers.

Browse the register Find my match

Frequently asked questions

What is UKAS?

UKAS — the United Kingdom Accreditation Service — is the sole national accreditation body recognised by the UK government. It does not certify businesses directly; instead it accredits the certification bodies that do, independently assessing whether they are competent, impartial and audit to the relevant standard. UKAS accreditation is the foundation that makes a certificate trustworthy.

What is the difference between accreditation and certification?

Certification is when a certification body assesses an organisation and issues it a certificate, such as ISO 27001. Accreditation is the layer above: an independent check, by UKAS, that the certification body itself is competent and impartial. In short, a certificate tells you a company was assessed; accreditation tells you the assessor can be trusted.

Why does a UKAS-accredited certificate matter more?

Because it carries two layers of assurance rather than one: the organisation was audited, and the auditor was itself independently accredited. A non-accredited certificate has had no recognised oversight of the auditor, so the audit may have been superficial and no authority stands behind it. The logos can look similar; the level of assurance is very different.

What is ASCB and is it the same as UKAS?

No. UKAS is the single national accreditation body recognised by the UK government. Bodies presenting certificates under other marks — sometimes self-styled abbreviations such as "ASCB" or various in-house schemes — are not the UK national accreditation body, and a certificate issued under them does not carry the same recognised assurance. Always check for the UKAS accreditation mark specifically.

How do I check whether a certificate is UKAS-accredited?

Look on the certificate for the UKAS "tick and crown" accreditation mark, the name of the certification body and a certificate number, then confirm it directly with the issuing certification body or via UKAS. If there is no accreditation mark, or only an unfamiliar in-house logo, treat the certificate as unaccredited until you have verified otherwise.

How does WhatMSP treat accredited vs non-accredited certificates?

We verify certifications such as ISO 27001 through the UKAS-accredited certification body, and a UKAS-accredited certificate is scored as far more credible than a non-UKAS or ASCB one within our independent /50 methodology. This reflects the genuine difference in assurance, and means a provider cannot earn full credit simply by buying an unaccredited certificate.

Keep reading

What is ISO 27001?

The standard where UKAS accreditation matters most.
What is IASME?

How Cyber Essentials is overseen, and by whom.
How we rate MSPs

The /50 methodology, in plain English.