Guide

ISO 27001 checklist for UK companies (2026 controls)

ISO 27001 is the international standard for an Information Security Management System (ISMS). This checklist covers the mandatory clauses (4-10), the 93 Annex A controls in the 2022 revision, and the evidence UKAS-accredited auditors actually ask to see.

Mandatory clauses (4-10)

You can't skip these — they define the ISMS itself.

  • Context of the organisation and interested parties
  • Leadership commitment and information security policy
  • Risk assessment and risk treatment plan with Statement of Applicability
  • Support: resources, competence, awareness, documented information
  • Operation: implemented controls with evidence
  • Performance evaluation: internal audit and management review
  • Improvement: nonconformities and corrective actions

The 93 Annex A controls (2022 revision)

Grouped into four themes: Organisational (37), People (8), Physical (14), Technological (34). You do not have to implement all 93 — you justify inclusions and exclusions in the Statement of Applicability based on your risk assessment.

Typical UK certification timeline

For a 50-200 person UK SaaS company: 4-6 months of implementation, a Stage 1 documentation audit, then a Stage 2 evidence audit 4-8 weeks later. Recertification every three years with surveillance audits in years one and two.

Frequently asked questions

How much does ISO 27001 certification cost in the UK?
Certification body fees are typically £8,000-£25,000 depending on scope and headcount. Add internal effort and, for most first-time implementations, a consultant or fractional CISO — total spend usually lands between £25k and £80k for a mid-sized SaaS.
Do I need ISO 27001 if I already have Cyber Essentials Plus?
They cover different things. Cyber Essentials is a UK technical baseline. ISO 27001 is a management system that governs how you make security decisions across the whole business. Enterprise procurement and international buyers usually require both.
What's changed in ISO 27001:2022 vs 2013?
The Annex A control set was restructured from 114 to 93 controls across four themes, and 11 new controls were added — threat intelligence, cloud security, ICT readiness for continuity, data masking, and secure coding among them.

Book an ISO 27001 readiness review

Talk to the GoaTech team. We'll map your current position and show what a tailored UK-focused programme looks like.

Get started