ISO 27001
International standard for information security management systems; widely required for handling personal or sensitive data in UK public sector contracts.
Definition
ISO 27001 is the international standard for information security management systems (ISMS). It specifies a comprehensive set of controls covering information security policy, governance, risk management, asset management, access control, cryptography, physical security, operations security, communications security, system acquisition, supplier relationships, incident management, business continuity, and compliance. Certification is widely required by UK public sector buyers for contracts handling personal or sensitive information, and is increasingly a baseline expectation for technology and managed-services contracts even where not strictly mandated.
How it works in practice
ISO 27001 certification involves implementing the controls relevant to the organisation's context, building a documented ISMS, and being audited by an accredited certification body. The process typically takes 6-12 months for a first-time certification at a small or medium organisation, plus ongoing annual surveillance audits and triennial recertification audits.
The control set is comprehensive: Annex A lists 93 controls (in the 2022 version) covering everything from supplier security to cryptographic key management. Organisations implement the controls in proportion to their risk profile; the standard is risk-based rather than checklist-based.
Cost varies substantially with organisational size and complexity: an SME can typically achieve certification for £15-£40K plus internal effort; large organisations spend £100K+ on initial certification and ongoing maintenance.
Public sector buyers often request ISO 27001 alongside Cyber Essentials Plus: Cyber Essentials covers baseline technical hygiene; ISO 27001 covers organisational maturity. For NHS contracts the NHS Data Security and Protection Toolkit substantially overlaps with ISO 27001 and is sometimes accepted in lieu; the specific requirement is set by the buyer. KimonBids tracks ISO 27001 expiry dates and surfaces renewal reminders so suppliers do not lose certification mid-tender.
Common questions
When is ISO 27001 mandatory in UK public procurement?
For most central government contracts handling personal data at OFFICIAL classification, ISO 27001 is either mandated or strongly expected alongside Cyber Essentials Plus. For NHS contracts the equivalent NHS Data Security and Protection Toolkit is often required. Local government and the wider public sector increasingly require ISO 27001 for technology and managed services contracts.
How does ISO 27001 relate to Cyber Essentials?
They are complementary. Cyber Essentials covers a focused set of baseline technical controls (firewalls, secure configuration, access control, malware protection, patch management). ISO 27001 is a comprehensive ISMS covering policy, governance, risk management, and operations. Buyers often request both: CE for baseline technical hygiene, ISO 27001 for organisational maturity.
How long does ISO 27001 certification last?
The certificate is valid for three years, subject to passing annual surveillance audits. The recertification audit at the three-year point is more comprehensive than the surveillance audits. Letting the certificate lapse during a live procurement is grounds for disqualification, so the renewal cycle sits in every compliance manager's calendar.
