
Choosing an ISO 27001 Certification Body

How to evaluate and select an ISO 27001 certification body, including accreditation (UKAS, ANAB, JAS-ANZ), cost, scope, and what to ask during selection.

You cannot self-certify ISO 27001. A certificate is only meaningful if it is issued by an accredited certification body that audited your ISMS against the standard and found it conforming. The certification body you choose will be your audit partner for at least three years through the initial audit, two surveillance audits, and eventual recertification. The decision deserves more care than most teams give it.

This guide walks through what a certification body actually is, how accreditation works, how to evaluate options, and what to ask before signing.

What a certification body does

A certification body, sometimes called a registrar, is an organization accredited to audit management systems against ISO standards and issue certificates. For ISO 27001, the certification body:

  • Plans the audit engagement based on your scope.
  • Conducts Stage 1 and Stage 2 audits during initial certification.
  • Issues your certificate once Stage 2 passes and any nonconformities raised during it have been closed.
  • Conducts annual surveillance audits.
  • Conducts full recertification every three years.
  • Maintains your certificate in their public register.

A certification body's authority comes from its accreditation, not from its own name or size. Without accreditation, the certificate is essentially one vendor's opinion.

Accreditation explained

Accreditation is the layer above certification. Accreditation bodies assess certification bodies for competence and impartiality against ISO/IEC 17021-1, with the ISMS-specific requirements in ISO/IEC 27006. They do not audit your ISMS directly. They audit the firms that audit your ISMS.

Major accreditation bodies relevant to ISO 27001 include:

  • UKAS (United Kingdom Accreditation Service). The UK national accreditation body. UKAS accreditation is well-respected globally and often specified in enterprise procurement.
  • ANAB (ANSI National Accreditation Board). The US equivalent, part of ANSI. ANAB accreditation is the default for US-headquartered buyers.
  • JAS-ANZ (Joint Accreditation System of Australia and New Zealand). Covers Australia and New Zealand.
  • DAkkS (Deutsche Akkreditierungsstelle). Germany.
  • A2LA (American Association for Laboratory Accreditation). Another US accreditation body covering some certification bodies.

Legitimate accreditation bodies are signatories to the International Accreditation Forum (IAF) Multilateral Recognition Arrangement (MLA). Under the MLA, a certificate issued by a body accredited by one signatory is recognized as equivalent to one issued under any other signatory's accreditation, within the scopes each has signed up to (management systems certification, and the ISO/IEC 27001 sub-scope in particular). When evaluating a certification body, the core question is therefore: is it accredited for ISO/IEC 27001 by an IAF MLA signatory, and is that accreditation current?

Non-accredited "certificates" exist. Some are issued by firms that never sought accreditation. Some are issued by firms whose accreditation was withdrawn. Enterprise procurement teams increasingly verify accreditation through the IAF CertSearch database before accepting a certificate. A non-accredited certificate may be worse than no certificate because it signals that the customer expected compliance and the supplier cut a corner.

Major certification bodies in the ISO 27001 market

Without recommending any specific provider, the ISO 27001 market includes:

  • Multinational certification bodies such as BSI, DNV, TÜV, SGS, and Bureau Veritas, which originated in broader quality and standards certification.
  • Security-focused firms such as Schellman, Coalfire ISO, A-LIGN, and Prescient Assurance, which also offer SOC 2 and other security attestations.
  • Regional firms with strong accreditation from specific bodies.

Each has tradeoffs. Larger firms offer geographic coverage and brand recognition. Security-focused firms tend to have deeper technical auditors but may have longer lead times due to demand. Regional firms often offer faster scheduling and lower cost but may lack the brand recognition enterprise customers look for.

Evaluation criteria

Use the following criteria to evaluate certification bodies.

Accreditation scope

Confirm the certification body is accredited specifically for ISO/IEC 27001; some bodies are accredited for ISO 9001 or other standards but not 27001. Check the accreditation body's own register, such as the UKAS or ANAB directories, rather than relying on marketing material, and check that the accreditation is current rather than suspended or withdrawn.

Industry and technology experience

Auditors vary dramatically in their familiarity with modern technology estates. A cloud-native SaaS company benefits from an auditor who understands AWS shared responsibility, CI/CD security, and SaaS identity patterns. A financial services firm benefits from auditors familiar with PCI overlap. Ask for example clients in your sector and for auditor bios.

Auditor availability and scheduling

Lead times vary by certification body and by season. Some firms are booking new ISO 27001 clients three to six months out during peak periods. If you have a customer deadline driving certification timing, confirm availability before shortlisting.

Geographic coverage

If you have multi-site operations, a certification body that can audit all locations is more efficient than coordinating multiple firms. For remote-first companies, ask how the certification body handles remote audits and travel expectations.

Cost structure and transparency

Request a detailed proposal that breaks out:

  • Stage 1 audit days and fees.
  • Stage 2 audit days and fees.
  • Surveillance audit days and fees for years one and two.
  • Recertification audit days and fees.
  • Travel and expenses policy.
  • Scope change fees.
  • Certificate maintenance fees.

Be wary of quotes that only cover the initial audit. The full three-year cycle is what matters.

Customer reputation

Ask for references from existing clients, ideally in your industry and size bracket. Talk to those references about audit quality, auditor professionalism, scheduling responsiveness, and how disputes were handled. Social proof from peers matters more than vendor testimonials.

Audit approach

Different certification bodies emphasize different audit styles. Some are heavily documentation-focused. Others are more interview-driven. Some are collaborative. Others are adversarial. Ask how they handle findings, how disputes are resolved, and what the escalation path looks like.

Typical cost ranges

For a small to mid-sized technology company with a single-site ISMS scope:

  • Stage 1 audit. One to two auditor days. $3,000 to $8,000.
  • Stage 2 audit. Three to ten auditor days depending on scope complexity. $10,000 to $35,000.
  • Surveillance audits. One to three auditor days per year. $5,000 to $15,000 annually.
  • Recertification. Similar to Stage 2. $10,000 to $30,000 every three years.

Across a three-year cycle, total certification body fees usually land between $40,000 and $90,000 for a mid-sized company. Multi-site scopes and global audits can push this significantly higher.

Independence from consulting

Impartiality rules in ISO/IEC 17021-1, the standard accreditation bodies hold certification bodies to, prohibit a certification body from offering management system consultancy, and prohibit it from certifying a management system that it, or a related body, helped to design or implement where that relationship threatens impartiality. Many certification bodies belong to groups that also sell advisory services; the accreditation rules force a separation between those services and the audit engagement, and the accreditation body checks that separation.

If you engaged a consultancy for gap analysis or ISMS implementation, do not expect that firm, or a body related to it, to certify the resulting ISMS. Select the certification body independently of your consulting partner, and disclose the consulting relationship when you request proposals so the certification body can check its own conflict-of-interest position.

How this fits into your ISMS

Certification body selection sits between ISMS implementation and the certification process. Ideally, the certification body is selected three to six months before you plan to begin Stage 1, giving time for scheduling and any pre-audit conversations.

After initial certification, the relationship continues through surveillance audits. Changing certification bodies mid-cycle is possible but carries friction. Transfers between accredited bodies follow IAF MD 2: the receiving body reviews your certificate, the most recent audit reports, and the status of any open nonconformities before accepting the transfer, and may require a visit. A certificate that is expired, suspended, or issued without IAF-recognized accreditation cannot be transferred; you start again as a new client. Most organizations stay with their initial certification body for at least one three-year cycle.

The certification body's audit approach also interacts with your ISMS scope. A clear scope statement reduces audit days and audit cost. Ambiguous scope drives longer audits.

Common pitfalls

  • Choosing based on price alone. A cheap audit from an unfamiliar body can fail to carry weight in enterprise procurement and end up costing more in lost deals.
  • Not verifying accreditation. Marketing sites sometimes overstate accreditation. Check the accreditation body's register directly.
  • Ignoring auditor tenure. Newly minted ISO 27001 auditors may not spot the issues experienced auditors do. Ask about specific auditors likely to be assigned.
  • Selecting too late. Scheduling pressure pushes organizations to accept the first available body rather than the best-fit body.
  • Assuming the same firm can audit across all frameworks. Some certification bodies also issue SOC 2 reports, but SOC 2 is an attestation under AICPA standards that only a licensed CPA firm can issue, while ISO 27001 certification requires accreditation under ISO/IEC 17021-1. Evaluate each separately, even when one group offers both.
  • Ignoring surveillance audit cost. A low initial audit with high surveillance fees can be more expensive over three years than a higher initial quote.

How episki helps

episki helps by keeping your ISMS in an audit-ready state regardless of which certification body you choose. The platform generates the scope statement, Statement of Applicability, evidence pack, and audit trail that every accredited certification body expects. Customers entering certification body conversations can share a clean summary of their programme to get faster, more accurate proposals.

Return to the ISO 27001 framework overview for the full certification journey and how certification body selection fits in.
