
April 18, 2026
Who Does ISO 27001 Apply To?
The honest answer is everyone and no-one. Here's what that actually means for your business and whether certification is worth the cost.
The honest answer is everyone and no-one. That probably isn't what you were hoping to read, but stick with me because it's actually a more useful answer than the usual "any organisation that handles data" response you'll find everywhere else.
Technically, ISO 27001 applies to any organisation, of any size, in any sector. There's no legal obligation to hold it in the UK unless a specific regulation or contract requires it. It's a voluntary standard. So the real question isn't whether it applies to you, it's whether you need it, and whether the cost is justified.
Those are two very different questions.
In most cases, businesses don't wake up one morning and decide to pursue ISO 27001 out of pure enthusiasm for information security. It's usually one of two things:
A tender lands on the desk that asks for it. Or a competitor gets certified and suddenly the market expects it.
That's not a criticism. External pressure is a legitimate reason to pursue accreditation. But it's worth being clear-eyed about the driver, because it affects how you approach it.
If you're chasing a specific contract, you need the certification. Full stop. If your market is moving towards expecting it as a baseline, you probably need it before the window closes. If neither of those applies right now, the more honest question is whether building to the framework without formal accreditation makes more sense for where you are today.
The certification process for ISO 27001 isn't cheap. For a business of ten people you're looking at over £4,000 for initial accreditation, around £2,000 per year to maintain it, and that's before you account for the internal time involved or any external support to help you get there. For a small business with no immediate commercial driver, that's a significant commitment.
The Cyber Essentials question comes up constantly, and it needs addressing.
Cyber Essentials and ISO 27001 are not the same thing. They're not even close to the same thing. Cyber Essentials covers five technical controls: firewalls, secure configuration, user access control, malware protection, and patch management. That's it. It doesn't touch your people, your processes, your suppliers, your incident response, your business continuity, or how your organisation actually thinks about and manages security risk.
ISO 27001 covers all of that and more. It's a management system, not a technical checklist. The difference matters enormously when you're responding to an enterprise procurement questionnaire or a client security audit.
If you've told a prospective client you take security seriously and your evidence is a Cyber Essentials certificate, and they're asking for ISO 27001, that conversation is going to be short.
If any of the following sound familiar, ISO 27001 is probably on your horizon whether you've planned for it or not:
You work with large enterprise clients or are trying to. Procurement teams in larger organisations increasingly expect it, and those that don't today often will in the next twelve to eighteen months.
You handle sensitive data, personal data, financial data, health data, anything that carries regulatory weight or client sensitivity. The framework will help you manage that properly, not just document it.
You're in a sector where security maturity is becoming a commercial expectation. SaaS, fintech, and data-driven businesses are feeling this more acutely than most right now.
You've lost a tender or been knocked out of a procurement process because of security questions you couldn't answer confidently. That's the market telling you something.
One thing worth knowing: you don't have to pursue formal accreditation to benefit from ISO 27001. Building your security programme around the framework, without going through the external audit process, can still significantly improve your security posture and put you in a much stronger position when the time comes to certify.
It's a reasonable middle ground for businesses that want to get the foundations right before committing to the full cost of accreditation.
ISO 27001 technically applies to any organisation. In practice, whether it's right for yours comes down to your market, your clients, and where you're headed commercially.
If you're not sure whether certification makes sense for your business right now, or whether a framework-based approach might be the smarter starting point, that's exactly the kind of conversation worth having before you commit.
Not sure if ISO 27001 is the right move for your business right now? Book a free consultation and we'll give you a straight answer.