
What is ISO 27001?

The international standard for information security management — what it actually certifies, and why a UKAS-accredited ISO 27001 is far more credible than a non-UKAS one.

ISO/IEC 27001 is the world’s leading standard for information security management. Unlike a checklist of fixed controls, it certifies that an organisation runs a complete, risk-based Information Security Management System (ISMS) — a living framework of policies, processes and controls that is measured, audited and continually improved.

For a buyer, ISO 27001 is one of the strongest signals that a provider treats security as an organisation-wide discipline rather than a box-ticking exercise. But — and this is the part most guides skip — an ISO 27001 certificate is only as credible as the body that issued it. This guide explains both: what the standard is, and why UKAS accreditation is what really matters.

What ISO 27001 actually certifies

ISO 27001 doesn’t hand an organisation a fixed list of controls and tell it to comply. Instead, it requires the organisation to identify its own information-security risks and manage them systematically. The certificate confirms that this management system exists, is appropriate to the risks, and is genuinely operating.

In practice an ISMS includes:

  • A risk assessment and treatment process — identifying threats to confidentiality, integrity and availability, and deciding how to address each one.
  • Documented policies and procedures — covering access control, supplier management, incident response, business continuity and more.
  • Defined roles and accountability — leadership ownership of security, not just an IT afterthought.
  • Controls drawn from Annex A — a catalogue of security controls, applied where the risk assessment justifies them.
  • Monitoring, internal audit and continual improvement — the system is reviewed and refined over time, not certified once and forgotten.

Certification involves a two-stage external audit (Stage 1 reviews the ISMS documentation and readiness; Stage 2 tests that the controls are actually implemented and operating), followed by annual surveillance audits and a full recertification audit at the end of each three-year cycle. It is a meaningful, sustained commitment, which is exactly why it carries weight.

ISO 27001 vs Cyber Essentials

The two are complementary, not competing. Cyber Essentials certifies five specific baseline technical controls (firewalls, secure configuration, security update management, user access control and malware protection); it is quick, inexpensive and an excellent floor. ISO 27001 certifies an entire, risk-based management system, audited over a multi-year cycle. Cyber Essentials answers "are the basics in place?" ISO 27001 answers "is security genuinely managed across the whole organisation?" Mature providers often hold both.

Why UKAS accreditation is what really matters

Here is the crucial nuance. Anyone can audit an organisation and print a certificate with “ISO 27001” on it. What separates a credible certificate from a near-worthless one is who accredited the certification body that issued it.

UKAS, the United Kingdom Accreditation Service, is the sole national accreditation body recognised by the UK government. A UKAS-accredited certification body has itself been independently assessed against the international requirements for certification bodies (ISO/IEC 17021-1, supplemented by ISO/IEC 27006 for ISMS certification) to prove it is competent, impartial and audits to the standard properly. So a UKAS-accredited ISO 27001 certificate carries two layers of assurance: the organisation was audited, and the auditor was itself accredited.

By contrast, a certificate issued by a non-accredited body — sometimes presented under self-styled marks such as “ASCB” or other in-house schemes that are not the UK national accreditation body — has had no such independent oversight of the auditor. The audit may have been light-touch, and there is no recognised authority standing behind it. The logo can look almost identical; the assurance is not.

Pro tip — how to check

Look on the certificate for the UKAS accreditation mark (the "tick and crown") alongside the certification body's name and a certificate number, then confirm it with the issuing body or the UKAS register. While you have the certificate in front of you, also read the scope statement and the expiry date: a certificate covers only the locations, services and systems named in its scope, so a valid certificate for one business unit says nothing about the service you are actually buying, and an expired certificate says nothing at all. If the only mark is an unfamiliar in-house logo, or there is no accreditation mark at all, treat the certificate as unaccredited until proven otherwise.

Red flag

A provider advertising “ISO 27001 certified” with no UKAS-accredited body named — or a logo that resembles UKAS but isn’t — should prompt a direct question: “Which UKAS-accredited body issued it, and what’s the certificate number?” A genuine holder answers instantly.

We go deeper on this in our dedicated guide to UKAS vs other accreditation.

How WhatMSP scores ISO 27001

ISO 27001 contributes to the Security & Compliance category of our independent /50 score, and we don't take it from a footer logo. We confirm it through the UKAS-accredited certification body. A UKAS-accredited certificate is treated as far more credible than a non-UKAS or ASCB one, which simply reflects how much more assurance it genuinely provides. That way the points map to real, verifiable security maturity.

Compare providers on verified credentials

Every provider on the register is independently scored out of 50, with credentials like ISO 27001 checked against the accredited issuing body. The score is earned, not bought. Free for buyers.

Frequently asked questions

What is ISO 27001?

ISO/IEC 27001 is the leading international standard for information security management. Rather than certifying a fixed set of technical controls, it certifies that an organisation runs a complete, risk-based Information Security Management System (ISMS) — a managed framework of policies, processes and controls that is continually monitored and improved. It is a sign of mature, organisation-wide security.

What is the difference between ISO 27001 and Cyber Essentials?

Cyber Essentials certifies five specific baseline technical controls and is quick and inexpensive to obtain. ISO 27001 certifies an entire management system built around your own risk assessment, audited over time. Cyber Essentials is a floor; ISO 27001 is a comprehensive, audited security programme. Many mature IT providers hold both.

Why does UKAS accreditation matter for ISO 27001?

A certificate is only as credible as the body that issued it. A UKAS-accredited certification body has itself been independently assessed by the UK national accreditation body to prove it audits competently and impartially. A non-accredited or self-styled "ASCB" certificate has not had that independent oversight, so it carries far less assurance — even though the logo can look similar.

How can I check if an ISO 27001 certificate is UKAS-accredited?

Look for the UKAS "tick and crown" accreditation mark together with the certification body's name and a certificate number on the certificate itself, then confirm it with the issuing body or the UKAS register. A certificate without the accreditation mark may have been issued by an unaccredited body, so always check rather than assuming.

Does my IT provider need ISO 27001?

It is not mandatory, but for providers handling sensitive data or serving regulated sectors it is a strong signal of maturity. The key is that it should be UKAS-accredited. An unaccredited certificate offers limited assurance, so treat UKAS accreditation — not the ISO 27001 label alone — as what actually matters.

How does WhatMSP score ISO 27001?

ISO 27001 contributes to the Security & Compliance category of our independent /50 score, and we verify it through the UKAS-accredited certification body rather than accepting a logo. A UKAS-accredited certificate is treated as far more credible than a non-UKAS or ASCB one, which reflects how much more assurance it genuinely provides.
