ISO 27001 is the international standard for information security management. It provides a framework for managing information security risks systematically, through an Information Security Management System (ISMS). For UK accounting practices, ISO 27001 certification demonstrates a high level of security governance to clients, regulators, and insurers — but it is a significant investment to achieve and maintain.

This guide helps you understand what ISO 27001 involves, who it is genuinely suited to among UK accounting practices, and how it compares to the more accessible Cyber Essentials certification.

What ISO 27001 covers

ISO 27001:2022 (the current version, updated from the 2013 edition) defines a systematic approach to managing information security risks. It requires an organisation to:

  • Identify the information assets it needs to protect and the risks to those assets.
  • Implement appropriate controls from the ISO 27001 Annex A control set (93 controls in the 2022 version, covering organisational, people, physical, and technological controls).
  • Document policies, procedures, and evidence of control implementation.
  • Monitor and measure the effectiveness of controls.
  • Conduct internal audits and management reviews.
  • Continuously improve the ISMS.

The standard is process-oriented: it requires you to have a documented, auditable system for managing security — not just implemented controls. The documentation burden is substantial compared to Cyber Essentials.

The certification process

Achieving ISO 27001 certification involves three stages:

Stage 1 audit (documentation review): an accredited certification body reviews your ISMS documentation — policies, risk assessment, Statement of Applicability (the document listing which Annex A controls apply and why), and evidence of implementation. The auditor identifies any major or minor non-conformities.

Stage 2 audit (implementation assessment): the auditor verifies that the documented ISMS is implemented and operating effectively. This involves interviews with staff, review of records, and testing of controls. This audit typically takes one to three days depending on the size of the scope.

Certification: if both audit stages are passed, the certification body issues an ISO 27001 certificate, valid for three years.

Surveillance audits: in years two and three of the certificate, shorter annual surveillance audits verify that the ISMS continues to operate effectively. A full recertification audit occurs at the three-year mark.

Is ISO 27001 right for your accounting practice?

ISO 27001 certification makes sense for UK accounting practices that:

Hold sensitive data at scale: practices managing payroll for hundreds of employees, handling high-net-worth client financial information, or managing complex corporate transactions where data confidentiality is critical.

Serve large corporate or public sector clients: many large corporate clients and public sector bodies require their suppliers and advisers to hold ISO 27001 certification as a condition of engagement. If you are targeting this market, certification may be commercially necessary.

Are growing rapidly: practices in a high-growth phase often benefit from the discipline that ISO 27001 brings — it forces systematic documentation of processes that would otherwise be informal as the organisation scales.

Have experienced a significant security incident: practices that have suffered a major breach and need to demonstrate to clients, regulators, and insurers that they have remediated the underlying security governance gaps.

ISO 27001 is probably not necessary for:

  • Small practices (one to five staff) with straightforward IT environments and SME clients.
  • Practices whose clients do not require it as a condition of engagement.
  • Practices whose primary focus is cost efficiency rather than security differentiation.

For most small to mid-size accounting practices, Cyber Essentials is the more appropriate starting point: it is significantly cheaper, faster to achieve, and addresses the most common attack vectors relevant to the practice's risk profile. For a broader view of AI tools and technology for UK accountants and how to compare cybersecurity options, see our AI and Tech hub.

The cost of ISO 27001 for an accounting practice

The costs of ISO 27001 certification are substantially higher than Cyber Essentials:

Consultant costs: most practices use an external ISO 27001 consultant to help design the ISMS, draft documentation, and prepare for audit. For a small to mid-size practice, this typically costs £5,000 to £20,000.

Certification body audit costs: Stage 1 and Stage 2 audits from a UKAS-accredited certification body typically cost £3,000 to £8,000 for a small practice scope. Annual surveillance audits add £1,500 to £3,000 per year.

Internal time: the ISMS documentation, risk assessment, staff training, internal audits, and management reviews require significant staff time over the initial implementation period — typically 100 to 200 person-hours for a small practice.

Ongoing maintenance: the ISMS is not a one-time project. It requires ongoing management, periodic review, and continuous improvement. Budget for 20 to 40 person-hours per year for ongoing maintenance in a small practice.

Total first-year cost for a small accounting practice: £10,000 to £30,000 or more, depending on the consultant used, the scope, and the certification body. Ongoing annual costs: £3,000 to £8,000.

ISO 27001 vs Cyber Essentials: key differences

Aspect             | Cyber Essentials                                        | ISO 27001
-------------------|---------------------------------------------------------|---------------------------------------------------------------
Scope              | Five specific technical controls                        | Comprehensive ISMS covering all information security risks
Documentation      | Minimal                                                 | Extensive (policies, procedures, risk register, audit records)
Audit              | Self-assessment questionnaire reviewed by certifier     | Two-stage independent audit by accredited certification body
Time to achieve    | 2 to 8 weeks                                            | 6 to 18 months
Cost               | £300 to £500 (basic)                                    | £10,000 to £30,000+ first year
Annual maintenance | Annual recertification questionnaire                    | Annual surveillance audits + ongoing ISMS management
Free insurance     | Yes (£25,000 for qualifying organisations)              | No
Suitable for       | All accounting practices                                | Larger practices or those with specific market requirements

Implementing ISO 27001 without full certification

Some practices adopt the ISO 27001 framework and controls without pursuing formal certification. This is a valid approach for practices that want the discipline of a systematic ISMS but do not have clients or contracts requiring the certification itself.

Implementing the framework without certification still requires: a risk assessment, a Statement of Applicability, documented policies, and evidence of control implementation. The benefit over full certification is the saving on certification body audit costs. The downside is that you cannot demonstrate to clients that your security has been independently verified.

Key takeaways

  • ISO 27001 is a comprehensive information security management standard requiring a documented ISMS, a two-stage independent audit, and ongoing surveillance; it is significantly more demanding than Cyber Essentials.
  • ISO 27001 makes sense for accounting practices that serve large corporate or public sector clients requiring it, hold sensitive data at scale, or are growing rapidly and need security governance discipline.
  • First-year costs for a small practice are typically £10,000 to £30,000 including consultant costs and certification body audit fees.
  • For most small to mid-size UK accounting practices, Cyber Essentials is the more appropriate and cost-effective starting point.
  • The ISO 27001 framework can be adopted without formal certification if the discipline is the goal rather than a marketable credential.

Frequently asked questions

Do accounting firms need ISO 27001?

ISO 27001 is not a regulatory requirement for UK accounting firms. It is a commercial differentiator and may be required by specific clients or contract frameworks (particularly government procurement and large corporate supplier requirements). For most small to mid-size UK accounting practices, Cyber Essentials is the more appropriate and achievable certification.

How long does ISO 27001 certification take for an accounting practice?

The implementation and certification process typically takes six to eighteen months for a first-time implementation, depending on the starting security maturity, the availability of internal resources, and the pace of consultant-led implementation. Practices with good existing security documentation and processes can achieve certification at the faster end of this range.

Can a small accounting practice with three or four staff achieve ISO 27001?

Yes, technically — ISO 27001 does not have a minimum size requirement. However, the documentation, audit, and maintenance burden is significant relative to the size of a very small practice. The investment is typically hard to justify unless the practice has specific client or market requirements for ISO 27001 certification.

What is a Statement of Applicability?

The Statement of Applicability (SoA) is a core document in an ISO 27001 ISMS. It lists all 93 Annex A controls, states whether each control is applicable or not applicable to the organisation's scope, justifies inclusions and exclusions, and describes the implementation status. The SoA is reviewed by the certification body auditor and updated whenever the risk assessment or control implementation changes.

Is ISO 27001 compatible with Cyber Essentials?

Yes — they are complementary. Cyber Essentials covers five specific technical controls that also appear in ISO 27001's Annex A control set. Achieving Cyber Essentials first is a practical way to address the most common technical risks before embarking on the broader ISO 27001 programme. Many practices hold both certifications.