There is, generally, no direct legal requirement as such. Organisations choose whether or not to implement the requirements of ISO 27001 based upon the benefits that would be gained by doing so.
However, you should pay close attention to any contractual obligations you may have for protecting the information of clients and other stakeholders.
There is an increasing trend where customers require third party suppliers to implement or certify to ISO 27001, thus making it a legal requirement, by way of a contract.
Book FREE Consultation
URM is pleased to provide a FREE consultation on Transitioning to ISO 27001:2022 for any UK-based organisation.
Find out more
related BLog
Implementing and Auditing ‘People Controls’ from ISO 27001:2022
Published on
9 Mar
2026
URM’s blog explains why ‘people’ warrants its own control theme in ISO 27001 and how to prepare for a people controls audit, offering advice for each control.
Read more
Information Security
Published on
6/3/2026
ISO 27001 Clause 5.1: Leadership and Commitment ExplainedURM’s blog explores Clause 5.1 of ISO 27001, what you must do to meet its requirements, and why leadership & commitment are vital to an effective ISMS.
Read more
Information Security
Published on
18/12/2025
ISO 27001:2022 - A.5 Organisational Controls (Access Management)URM’s blog explores why the access controls in ISO 27001 matter, and how to implement each control in full conformance with both the Standard and best practice.
Read more
Information Security
Published on
16/12/2025
ISO 27001 Control 8.17: Why Clock Synchronisation Is Critical for Security and ConformanceRead URM’s blog, where we explore the importance of clock synchronisation for cyber security and resilience, and how to meet the requirements of Control 8.17.
Read more
"
Without URM we would not have achieved our certification goals.
Director, Havas People
contact US
Let us help you
Let us help you in your compliance journey by completing the form and letting us know how we can best support you.