
Is Your Buyer Asking for ISO 27001 – Or Just Security?

Let’s define when practical certification suffices. Picture the scene. It is Tuesday morning. The coffee is still hot, the office is humming with customary efficiency, and then – ping – an email lands in your inbox.

It is from that massive prospective client you have been courting for six months. The one that could double your turnover. You open it, expecting a contract, but instead, you find a Vendor Risk Questionnaire. And there, staring back at you in bold, uncompromising Arial font, is the question that sends shivers down the spine of every SME director: 

“Are you ISO 27001 certified?” 

Panic sets in. You frantically Google “ISO 27001 cost UK” and “how long does ISO certification take”. You see numbers like “£20,000” and “9 months”. You see phrases like “Stage 1 Audit” and “UKAS Accreditation”. You look at your bank balance. You look at the deadline on the tender. The maths doesn’t work. 

But before you resign yourself to losing the deal, stop. Take a breath. 

You are asking the wrong question. You are asking, “How do I get a UKAS certificate?” when you should be asking, “What does my buyer actually need?” 

Because here is the industry secret that the big, bureaucratic certification bodies won’t tell you: Your buyer likely doesn’t care about the logo on the certificate. They care about the security of their data. 

Welcome to the world of Practical Certification. It is the smart, targeted business decision that is saving UK businesses thousands of pounds and months of stress, all while arguably making them more secure than the “tick-box” alternative. 

The “Crown and Tick” Myth: Do You Really Need UKAS? 

Let’s address the elephant in the room immediately. We are an unaccredited certification body. We do not hold the “Crown and Tick” from the United Kingdom Accreditation Service (UKAS). 

“Aha!” cry the purists. “Then your certificate is worthless!” 

Well, not quite. That is like saying a private surgeon is worthless because they don’t work for the NHS. It depends entirely on what you need the surgery for. 

If you are bidding for a direct contract with the UK Government, the Ministry of Defence, or a major public sector framework (like PAS-91 in construction), then yes, you absolutely need UKAS accreditation. It is mandatory. It is non-negotiable. If that is you, stop reading now and go call BSI or SGS. We will wave you off with our blessing. 

But – and this is a massive “but” – if you are a SaaS company, a marketing agency, a consultancy, or a tech provider selling to the private sector, the rules are completely different. 

Most private sector “Vendor Risk Management” teams are not obsessed with political bureaucracy. They are obsessed with liability. They need to know that if they send you their customer data, you aren’t going to leave it on an unencrypted USB stick on the Northern Line. They need assurance.

Assurance comes in many forms. It can come from a UKAS certificate. It can come from a SOC 2 report. Or, it can come from an Independent ISO 27001 Compliance Audit issued by a reputable, technically competent third party (that’s us). 

We have helped UK businesses pass due diligence with their customers using our “Practical Certification”. Why? Because we provide the evidence they actually ask for: a valid certificate, a comprehensive audit report, and proof of a working Information Security Management System (ISMS). 

Compliance Theatre vs. Actual Security 

Let’s talk about “Compliance Theatre”. 

We have all seen it. The company that spends six months formatting documents to ensure the margins are correct for the external auditor. They have a binder full of policies that nobody has read since 2018. They have a “Clean Desk Policy” that is strictly enforced for the one day a year the auditor visits, and then immediately ignored the next day. 

This is the trap of the traditional, accredited route. The pressure to conform to the rigid administrative requirements of UKAS often forces businesses to focus on passing the audit rather than securing the business.

Accredited auditors are bound by strict rules. They must spend a certain number of days auditing you, calculated by a complex formula based on your employee count. They must check specific document trails. They are often more interested in whether your “Internal Audit Procedure” has the correct version number than whether your cloud storage buckets are actually locked down. 

We take a different approach. We call it Risk-Based Auditing.

Because we are not bound by the bureaucratic overhead of accreditation, we can focus our time where the real risk is. 

  • Less time checking if your font sizes match. 
  • More time checking if Multi-Factor Authentication (MFA) is enabled on your admin accounts. 
  • Less time reviewing the minutes of your “Management Review Meeting”. 
  • More time verifying your backup restoration process actually works. 

We don’t want to help you build a “Paper Shield” – a defence that looks good on a certificate but crumbles the moment a hacker sends a phishing email. We want to help you build valid, robust security that just happens to align with ISO 27001. 

The Logic of the “Smart Choice” 

Let’s look at this purely as a business investment. 

Option A: The Accredited Route 

  • Cost: £2,500 – £12,000+ for the audits alone (not including consultancy). 
  • Timeline: 3 to 9 months. 
  • Surveillance: Mandatory annual visits with rigid day-rates. 
  • Outcome: A certificate with a tick on it. 

Option B: The Practical (Unaccredited) Route 

  • Cost: Often 50% to 70% less. 
  • Timeline: Weeks, not months. 
  • Surveillance: Flexible remote audits that respect your time. 
  • Outcome: A certificate, an audit report, and a secure business. 

If you are a small business, cash flow is oxygen. Spending £10k on a certificate just to satisfy a client who pays you £5k a year is bad business. It is vanity. 

Our clients choose us because they have done the maths. They realise that compliance is a tool to win business, not a religious calling. If you can satisfy your buyer’s security requirements for a third of the cost and in half the time, why would you choose the harder path? 

It’s like buying a car for the school run. You could buy a tank. It’s incredibly safe, built to military standards, and government-approved. But a Volvo does the job just as well, costs a fraction of the price, and is much easier to park. We are the Volvo of certification. 

“But Will My Buyer Accept It?” 

This is the fear, isn’t it? The nightmare scenario where you hand over your certificate and the buyer laughs you out of the room. 

Is this largely a ghost story told by expensive consultants to keep their fees high, or is it a genuine concern of your actual prospect?

Modern supply chain due diligence is changing. Buyers are moving away from binary “Do you have ISO?” questions. They are moving towards Evidence-Based Assessments.

They send you a questionnaire (often based on the Standardised Information Gathering or SIG). It asks: 

  • “Do you have an Information Security Policy?” (Yes). 
  • “Is it aligned with ISO 27001?” (Yes). 
  • “Has it been audited by an independent third party?” (Yes, by us). 
  • “Can you share the executive summary of the audit?” (Yes, here it is). 

When a procurement manager sees a professional, detailed audit report from us, identifying non-conformities and verifying controls, they tick the box. They have their “Assurance”. They have covered their backside. 

In the event that a buyer pushes back and demands UKAS specifically, you have still won. You have built a fully functioning ISMS with us. You have done the hard work. You can then call in a UKAS body for the final “Stage 2” audit, and you will pass with flying colours. You have lost nothing.

But most of the time? You won’t need to. 

The “2022” Factor: Agility Matters 

The ISO 27001 standard was updated in 2022. It introduced new controls for things like Cloud Services, Threat Intelligence, and ICT Readiness.

As an agile, independent body, we pivoted instantly. Our audits re-focused heavily on these modern controls. We aren’t checking if you have a physical server room logbook (because you probably don’t have a server room). We are checking your AWS Security Groups and your Azure AD conditional access policies. 

We speak the language of modern tech businesses, not the language of 1990s manufacturing plants. 

Conclusion: Don’t Let Perfection Be the Enemy of Profit 

Look, we respect the UKAS system. It plays a vital role in national infrastructure. If you are building nuclear power stations, please, get the accredited certificate. 

But if you are a dynamic UK business looking to close deals, improve your security, and prove your worth without bankrupting yourself? You have a choice. 

You can pay for the logo. Or you can pay for the result. 

Don’t let the “Compliance Industrial Complex” bully you into overspending. Check your contracts. Ask your buyers. If they just want security assurance, choose the path that makes business sense. 

Practical Certification. Real Security. Real Results. Zero Waffle. 

Let’s get you certified and back to business with Swift Certification – the practical compliance experts.
