Governance, Risk Management and Compliance
|
Information Security
|
ISO 27001
|
ISO 27001
FAQ
FAQ

Is there a legal requirement to comply with or be certified to ISO 27001?

There is, generally, no direct legal requirement as such.  Organisations choose whether or not to implement the requirements of ISO 27001 based upon the benefits that would be gained by doing so.  

However, you should pay close attention to any contractual obligations you may have for protecting the information of clients and other stakeholders.  

There is an increasing trend where customers require third party suppliers to implement or certify to ISO 27001, thus making it a legal requirement, by way of a contract.

Thank you for a very informative overview of the components in the revised Standard.
Contact the ISO 27001 Experts Today
Book FREE Consultation
URM is pleased to provide a FREE consultation on Transitioning to ISO 27001:2022 for any UK-based organisation.
Find out more
related BLog
Cyber
|
Cyber Security
|
ISO 27001

Critical Cyber Security Practices to Defend Against Ransomware Attacks

Published on
14 Aug
2025

URM’s blog examines how ransomware occur, and highlights practical cyber security measures you can implement to reduce your exposure and mitigate security risk.

Read more
Thumbnail of the Blog Illustration
Information Security
Published on
8/8/2025
ISO 27001: How Certification Works

URM’s blog breaks down the ISO 27001 certification process, the roles of certification bodies and UKAS, what auditors look for during assessments, and more.

Read more
Thumbnail of the Blog Illustration
Information Security
Published on
7/8/2025
ISO 27001:2022 - A.5 Organisational Controls (Business Continuity)

URM’s blog explores the ISO 27001 business continuity controls, why they matter, & how they can be effectively implemented to ensure conformance to the Standard

Read more
Thumbnail of the Blog Illustration
Information Security
Published on
25/7/2025
Streamlining Asset Identification For Effective Risk Management

A question which comes up time and time again is ‘How do I approach asset identification within my information security risk assessment’.

Read more
"
I thought the training was very good. It was clear and logical. The trainer was very knowledgeable, approachable and friendly, which makes it easy to stop and ask questions or to clarify a point. I was particularly impressed by his explanation of why we need to be mindful of the language we use and what the standard is actually asking for; most of it is common sense, but understanding what it actually means and what is required is key, so that really resonated with me.
Provenir
contact US

Let us help you

Let us help you in your compliance journey by completing the form and letting us know how we can best support you.