UKAS-accredited ISO 27001 certification | A Tempo Audits guide

This guide explains UKAS-accredited ISO 27001 certification clearly, helping you understand requirements, risks, audit processes, and what buyers actually expect.

Key takeaways

  1. UKAS accreditation adds recognised oversight and independent verification, giving your ISO 27001 certificate stronger credibility with buyers.

  2. In many UK tenders and regulated sectors, UKAS accreditation is expected. It helps you avoid rejection or repeat certification later.

  3. UKAS audits follow clear rules and evidence stand

What is UKAS - and why does it matter for ISO 27001?

The United Kingdom Accreditation Service (UKAS) is the UK’s sole government-appointed national accreditation body. It is recognised by the UK Government to assess and accredit organisations that provide certification, testing, and inspection services.

Certification bodies seeking UKAS accreditation are assessed against ISO/IEC 17021-1, the international standard that sets requirements for competence, impartiality, and consistent operation.

It is important to separate two things clearly:

  • ISO 27001 is the international standard for information security management.

  • UKAS does not certify businesses to ISO 27001. Instead, it accredits certification bodies to confirm they are competent, impartial, and operating according to internationally agreed-upon rules.

When you choose a UKAS-accredited certification body for ISO 27001, your certificate is subject to structured oversight, defined audit rules, and international recognition through the IAF (International Accreditation Forum) network.

Without accreditation from UKAS (or another premium accreditation body), certification may be challenged or rejected - particularly in regulated sectors, public procurement, and enterprise supply chains.

Other national accreditation bodies

Before we continue, it’s worth noting that UKAS is not the only respected accreditation body in the world. 

Most developed economies have their own national accreditation body, all operating within the framework of the International Accreditation Forum (IAF). Germany's DAkkS (Deutsche Akkreditierungsstelle), the United States' ANAB (ANSI National Accreditation Board), and France's COFRAC (Comité Français d'Accréditation) are among the most well-regarded. 

Each accredits certification bodies in its respective market, and because they are all IAF members, certificates issued under their oversight are generally recognised internationally.

In practice, the core audit rules are aligned — all members follow ISO/IEC 17021-1 and ISO/IEC 27006 — though how strictly requirements around audit duration, evidence sampling, and auditor oversight are enforced can vary between bodies and jurisdictions. 

UKAS is widely regarded as one of the most rigorous national accreditation bodies in the world, which is part of why UK public sector and enterprise buyers often specify it by name rather than simply accepting any IAF-accredited certificate. If your customers or target markets are primarily based in the UK, UKAS accreditation is the clearest way to meet that expectation. And because UKAS sets such a high bar for accreditation, you can be confident that it will work well with clients in all other regions too.

This article focuses specifically on UKAS-accredited certification compared with non-UKAS-accredited certification throughout, but we want to acknowledge that there are other respected accreditation bodies available, depending on your location.

Why UKAS-accredited ISO 27001 matters to buyers

When buyers ask for ISO 27001, they want assurance, not just a certificate.

UKAS-accredited certification shows your audit was conducted under strict oversight and internationally recognised rules.

For UK public sector and enterprise procurement, accreditation is often expected and sometimes explicitly required. It reduces the risk of your certificate being challenged or rejected during due diligence.

It also enables instant public verification through UKAS CertCheck, allowing customers to confirm your certification is genuine, current, and properly accredited. That transparency builds trust and speeds up procurement decisions.

Is UKAS ISO 27001 required for your business?

UKAS-accredited ISO 27001 is not mandatory for every organisation. However, in certain UK sectors, it is consistently expected and often written directly into contracts.

You will typically need UKAS accreditation if you:

  • Supply to UK government departments, local authorities or public sector frameworks.

  • Operate in regulated sectors such as financial services, healthcare, legal or critical national infrastructure.

  • Bid for enterprise contracts with formal supplier assurance requirements.

In these environments, accreditation often moves from “preferred” to “explicitly required”.

If you only serve SMEs, private tech firms, or overseas markets, UKAS may not be demanded.

However, if it becomes a requirement later, unaccredited certificates cannot be converted. You would need to start the certification process again with a UKAS-accredited body.

UKAS vs unaccredited ISO 27001 certification

A certification body accredited by the United Kingdom Accreditation Service (UKAS) operates under strict surveillance and monitoring rules. UKAS validates that all its accredited certification bodies enforce audit day calculations, auditor competence requirements, and independent technical review before a certificate is issued.

Some certification bodies are not UKAS-accredited but are accredited by another national body that is a member of the International Accreditation Forum (IAF). For example, Germany’s DAkkS (Deutsche Akkreditierungsstelle) and France’s COFRAC (Comité Français d’Accréditation) are both IAF members. While the rules are aligned on paper for all IAF members, how strictly audit duration, evidence sampling, and auditor oversight are applied can vary slightly between countries.

Unaccredited certification bodies operate without recognised external oversight. This can affect consistency, audit rigour, and market acceptance.

This table sets out potential differences in approach between UKAS-accredited, other IAF-accredited and unaccredited certification:

Risks of choosing a non-UKAS or unaccredited certification body

Choosing a non-UKAS or unaccredited certification body can appear cheaper at first. However, the commercial risks often emerge later.

The most common issue is certificate rejection during RFPs (Requests for Proposal) or due diligence.

A customer may review your ISO 27001 certificate and require accredited - or specifically UKAS-accredited - certification. In that situation, an existing unaccredited certificate cannot usually be transferred. A full certification audit is required, creating additional cost, delay, and disruption.

There is also reputational risk. If certification was issued without robust oversight, gaps in the ISMS may only become visible during customer audits or after an incident.

In practice, initial savings can be outweighed by lost contracts, duplicate audit fees, and avoidable operational disruption.

What happens during a UKAS ISO 27001 audit?

A UKAS-accredited ISO 27001 audit is structured, evidence-based, and independently reviewed at multiple levels, following the rules set out in ISO 17021 and ISO 27006.

Stage 1 audit - Readiness review

Stage 1 assesses whether your Information Security Management System (ISMS) is ready for certification.

The auditor reviews:

This stage identifies gaps and confirms that the system is operational before moving to full assessment.

Stage 2 audit - Certification audit

Stage 2 is the detailed audit against ISO 27001:2022. Auditors collect objective evidence for clauses and applicable controls. This may include:

  • Access review records

  • Backup logs

  • Training completion records

  • Change approvals

  • Incident logs

Evidence must be verifiable, relevant, sufficient and current. Interviews and sampling are used to confirm controls are working in practice, not just documented.

Before a certificate is issued, an independent technical reviewer - separate from the audit team - reviews the report and evidence to confirm conclusions are justified.

UKAS also oversees the certification body itself through witnessed assessments, file reviews, and competence checks. This layered oversight ensures consistency and prevents corners being cut.

Surveillance audits

Certification runs on a 3-year cycle, with annual surveillance audits to confirm continued compliance and effectiveness.

How UKAS ISO 27001 audit days are calculated

One common concern is whether certification bodies decide audit duration themselves. Under UKAS-accredited certification, they do not.

Audit days are calculated using defined rules set out in ISO/IEC 17021-1 and ISO/IEC 27006, which UKAS validates in its assessments of certification bodies. Certification bodies must justify audit time based on objective criteria. UKAS reviews this during assessments and file sampling.

Several factors influence audit duration:

  • Number of people covered by the ISMS - This is not your total headcount. It includes the people whose roles affect information security within the certified scope.

  • Scope complexity - For example, whether you operate cloud infrastructure, develop software, manage sensitive data, or provide critical services.

  • Number of sites or locations - This includes offices, data centres, or structured remote operations that need to be assessed.

The more complex or distributed the organisation, the more time is needed to sample controls properly.

Importantly, audit days cannot be reduced or increased without justification, and even then only within 30% of the amount listed in ISO 27006. Accredited certification bodies must document their calculations, and UKAS monitors this during oversight reviews.

How UKAS ISO 27001 certificates are verified

One of the strongest advantages of UKAS-accredited certification is independent verification.

Certificates issued by a certification body accredited by the United Kingdom Accreditation Service (UKAS) carry the official UKAS accreditation mark. This confirms the certificate has been issued under recognised oversight and international rules.

More importantly, UKAS certificates appear on the public UKAS CertCheck database. Buyers can search by company name or certificate number and instantly confirm:

  • Certificate validity

  • Scope of certification

  • Issuing certification body

  • Current status (active, suspended, or withdrawn)

This matters to procurement teams and security reviewers. During due diligence or a Request for Proposal (RFP), they do not rely on a PDF alone. They verify it independently.

Without accreditation, certificates typically do not appear in recognised databases. That can create friction, delays, or rejection during supplier onboarding.

Why choose Tempo Audits as your UKAS certification body

Tempo Audits is a UKAS-accredited certification body for ISO 27001. That means our audits are independently overseen and issued under recognised accreditation rules.

Our team includes experienced ISO 27001 Lead Auditors who understand modern technology environments, including SaaS platforms, cloud infrastructure and distributed teams. Audits are delivered remotely by default, reducing disruption while maintaining a full evidence-based assessment.

We draw a strict line between audit and consultancy, as required under ISO/IEC 17021-1.

We will:

  • Explain findings clearly in plain English

  • Clarify what the standard requires

  • Confirm whether evidence is sufficient

  • Review corrective actions promptly

  • Issue reports quickly (Stage 1 typically within 1-2 days)

We will not design your ISMS, write your policies, or make implementation decisions. That independence protects the credibility of your certificate.

Who this is for

Tempo is suited to organisations that:

  • Need UKAS-accredited ISO 27001 for tenders or regulated sectors

  • Want a structured, fair, and consistent audit

  • Want a fast-moving and helpful audit experience

  • Value technical understanding without consultancy bias

Ready for UKAS-accredited ISO 27001 certification?

Share a few details about your organisation and ISMS scope. We will calculate your audit time in line with UKAS rules and provide a clear, transparent quotation.

Request your quote today and move forward with confidence.

UKAS ISO 27001 certification FAQs

  • No. UKAS accredits certification bodies (and other entities!) across many standards, including ISO 9001 (Quality), ISO 14001 (Environmental), ISO 42001 (Artificial Intelligence) and ISO 22301 (Business Continuity), not just ISO 27001.

  • Certification runs on a 3-year cycle. Annual surveillance audits are required to maintain validity, with a full re-certification audit completed at the end of the cycle.

  • If your current certificate is issued by another IAF-accredited body, transfer will be possible following a formal transfer review. Drop Tempo a line on hello@tempoaudits.com if you want to discuss transferring your certification. 

    Unaccredited certificates, unfortunately, require full re-certification.