ISO 9001 vs ISO 27001: Which Does Your Business Need?
Published 29 March 2026 · Last reviewed 23 February 2026
ISO 9001 vs ISO 27001 is one of the most common questions UK small businesses ask when a customer, tender, or supply chain questionnaire demands "ISO certification" without specifying which standard. The two standards cover fundamentally different things — quality management and information security — but they share more structural DNA than most people realise. This guide covers the practical differences, where they overlap, and how to decide which one your business actually needs.
What Each Standard Covers
ISO 9001: Quality Management
ISO 9001 is a quality management system (QMS) standard. It defines requirements for consistently delivering products and services that meet customer expectations and applicable regulations. The standard covers how you plan work, control processes, manage suppliers, handle complaints, measure performance, and improve over time.
ISO 9001 applies to any organisation, in any sector, of any size. In the UK, it is the most widely held management system certification — over 30,000 UK organisations hold active certificates according to ISO Survey data. It is routinely required in public sector procurement, construction supply chains, manufacturing, and professional services tenders.
The current edition is ISO 9001:2015, with a revised 2026 edition projected for September 2026. Certification is awarded by UKAS-accredited certification bodies following a two-stage audit process.
ISO 27001: Information Security Management
ISO 27001 is an information security management system (ISMS) standard. It defines requirements for protecting the confidentiality, integrity, and availability of information — whether that information is digital, paper-based, or held in people's heads.
The standard has two components: the management system clauses (4–10), which structure the ISMS, and Annex A, which lists 93 reference controls across four themes (organisational, people, physical, technological). You do not have to implement all 93, but you do have to consider all of them: your risk assessment determines which apply, and the Statement of Applicability records every control with a justification for including or excluding it (clause 6.1.3 d). An exclusion with no written reason is a finding, not a shortcut.
The current edition is ISO 27001:2022. In the UK, it is increasingly demanded by customers in IT services, financial services, healthcare, and any sector handling personal or commercially sensitive data. UK GDPR compliance is not the same as ISO 27001 certification, but the two reinforce each other heavily.
ISO 9001 vs ISO 27001: Side-by-Side Comparison
This table summarises the practical differences that matter when you are deciding which to pursue.
| Factor | ISO 9001 | ISO 27001 |
|---|---|---|
| Scope | Quality of products and services | Protection of information assets |
| Current edition | ISO 9001:2015 (2026 revision imminent) | ISO 27001:2022 |
| Clause structure | Clauses 4–10 (Annex SL) | Clauses 4–10 (Annex SL) + Annex A (93 controls) |
| Risk focus | Risks to product/service quality and customer satisfaction | Risks to confidentiality, integrity, and availability of information |
| Key documentation | Quality policy, quality objectives, process maps, procedures, records | Information security policy, risk assessment, Statement of Applicability, security procedures, records |
| Typical documentation volume | 30–80 pages for a 20-person company | 50–120 pages for a 20-person company (Annex A adds volume) |
| Certification body fees (Year 1) | £2,000–£7,000 | £3,500–£7,000 |
| Total first-year cost (UK SMB, 10–50 staff) | £5,000–£15,000 | £8,000–£25,000 |
| Typical audit days (Stage 1 + 2) | 3–5 days | 4–7 days |
| Time to certify (from scratch) | 3–9 months | 4–12 months |
| Surveillance audits | Annual (1–2 days) | Annual (1–2 days) |
| Certification cycle | 3 years | 3 years |
For detailed cost breakdowns, see the dedicated guides: ISO 9001 certification cost UK and ISO 27001 certification cost UK.
ISO 27001 typically costs more and takes longer because Annex A adds a control-by-control assessment that has no equivalent in ISO 9001. ISO 27001 also requires a defined, repeatable risk assessment process (clause 6.1.2) where ISO 9001 only asks for risk-based thinking; the documentation volume is higher; and auditors spend time verifying that technical controls actually work, not just that they are written down.
Where ISO 9001 and ISO 27001 Overlap
Both standards follow the Annex SL high-level structure (now called the Harmonized Structure), the common framework ISO uses across its management system standards. This means significant structural overlap between the two.
Shared requirements
These clauses are structurally identical or near-identical in both standards. Clause 8 (Operation) is deliberately left off the list: it is where the two diverge, with ISO 9001 filling it with product and service realisation and ISO 27001 filling it with risk treatment and the operation of the selected controls.
- Context of the organisation (Clause 4): Both require you to identify internal and external issues, interested parties, and define the scope of your management system.
- Leadership (Clause 5): Both require a policy, defined roles and responsibilities, and top management commitment.
- Planning (Clause 6): Both require risk-based thinking, objectives, and planning for changes.
- Support (Clause 7): Both cover resources, competence, awareness, communication, and documented information (document control).
- Performance evaluation (Clause 9): Both require monitoring and measurement, internal audits, and management reviews.
- Improvement (Clause 10): Both require corrective action and continual improvement.
What the overlap means in practice
If you implement one standard properly, roughly 40% of the work for the second standard is already done. The shared elements — document control procedures, internal audit programmes, management review processes, corrective action workflows, competence records — carry across without modification or with only minor adaptation.
This is not a theoretical claim. Organisations running integrated management systems consistently report that adding a second Annex SL standard requires 50–60% of the effort of the first, not 100%. The management system backbone is already in place. What changes is the subject matter: quality processes for ISO 9001, security controls for ISO 27001.
If you hold ISO 9001 and want to add ISO 27001, you can reuse your existing document control, internal audit, management review, and corrective action procedures. You then build the ISMS-specific elements on top: risk assessment methodology, Statement of Applicability, and the applicable Annex A controls.
Who Needs Which Standard?
This is where sector and customer requirements matter more than abstract comparisons. Here is a practical guide based on typical UK market expectations.
ISO 9001 is the priority if you are in:
Manufacturing. Quality management is the baseline expectation. Supply chain requirements, product conformity, process control, and supplier management all sit squarely within ISO 9001. Most manufacturing supply chains — automotive (IATF 16949 builds on ISO 9001), aerospace (AS9100 builds on ISO 9001), general engineering — require it explicitly.
Construction. Principal contractors and tier-one subcontractors routinely require ISO 9001 from their supply chain. PAS 91 (the standard pre-qualification questionnaire for construction) asks about ISO 9001 certification. Information security certification is rarely requested unless you handle sensitive government project data.
Professional services (non-data-intensive). Management consultancies, training companies, recruitment firms, and similar businesses where the primary deliverable is a service rather than data. ISO 9001 demonstrates consistent service delivery. ISO 27001 may not be asked for unless you handle significant personal data or client IP.
Any business supplying the UK public sector. Procurement policy notes (PPNs) and framework agreements frequently reference quality management system certification. The ISO 9001 small business guide covers the public sector angle in detail.
ISO 27001 is the priority if you are in:
IT services and software development. If you build, host, or manage software, infrastructure, or data for clients, ISO 27001 is the standard they will ask about. It demonstrates that you protect their data systematically, not just with good intentions.
Professional services handling sensitive data. Accountancy firms, law firms, HR consultancies, payroll providers — anyone processing personal data, financial records, or commercially sensitive client information at scale. UK GDPR creates the legal obligation; ISO 27001 provides the structured framework to meet it.
Financial services supply chain. FCA-regulated firms increasingly require ISO 27001 from their technology and data suppliers. The PRA's operational resilience requirements push the same direction.
Healthcare and NHS supply chain. The NHS Data Security and Protection Toolkit (DSPT) aligns with ISO 27001 principles. Suppliers handling patient data or connecting to NHS systems benefit from certification.
You probably need both if you are:
A managed service provider (MSP) or IT outsourcer. Your clients expect quality service delivery (ISO 9001) and secure handling of their data and systems (ISO 27001). Holding both is increasingly table stakes for MSPs competing for mid-market and enterprise contracts.
A SaaS company. Your product is software (quality matters) and you host customer data (security matters). Larger customers — particularly in financial services, healthcare, and government — will ask for both. SOC 2 is an alternative for the security side if your market is US-focused, but UK and European customers default to ISO 27001.
A data-processing professional services firm. If you combine service delivery with significant data handling — payroll outsourcing, claims processing, document management — both standards address different dimensions of what your clients care about.
Any business running integrated operations where quality failures and security failures both represent material risks. If a data breach would be just as damaging as a quality failure, you need both systems.
Running Both Standards: The Integrated Approach
If you need both, do not build two separate management systems. An integrated management system (IMS) uses a single set of core processes — document control, internal audit, management review, corrective action, competence management — with standard-specific extensions for quality and information security.
Cost savings from integration
Integrated audits save 20–30% on audit days compared to separate audits. A certification body auditing both standards together avoids duplicating assessment of shared clauses. For a 25-person company, that might mean 6–8 combined audit days instead of 4–5 for ISO 9001 plus 5–7 for ISO 27001 separately.
The documentation effort is also lower. Instead of maintaining two sets of document control procedures, two internal audit programmes, two management review processes, and two corrective action workflows, you maintain one of each. The time saved compounds year after year through surveillance audits and recertification cycles.
Implementation sequence
Most businesses implement one standard first, then extend to the second. The typical sequence:
- Implement your primary standard first. Choose based on the sector guidance above — whichever your customers are asking for most urgently.
- Build the management system backbone properly. Document control, internal audit, management review, and corrective action procedures should be designed to accommodate multiple standards from the start, even if you are only certifying to one initially.
- Add the second standard. With the backbone in place, you focus only on the standard-specific requirements: quality processes for ISO 9001, or risk assessment and Annex A controls for ISO 27001.
- Certify to both. Either through a combined initial audit or by adding the second standard at your next surveillance or recertification audit.
If you already hold ISO 9001, the audit checklist covers what auditors assess during certification — and much of that framework transfers directly to ISO 27001 preparation.
How Certification Works for Each Standard
The certification process follows the same pattern for both standards, because UKAS applies the same accreditation framework (ISO/IEC 17021-1) to all management system certification bodies; bodies certifying ISMSs are additionally assessed against ISO/IEC 27006.
Stage 1 Audit (Document Review)
The auditor reviews your documented management system: policies, scope, risk assessment, procedures, records. They confirm you are ready for the Stage 2 audit and identify any significant gaps. Typically 1 day for ISO 9001, 1–2 days for ISO 27001 (the Statement of Applicability and risk assessment add review time).
Stage 2 Audit (Implementation Audit)
The auditor assesses your system in practice: interviewing staff, reviewing records, observing processes, testing controls. For ISO 9001, this focuses on process effectiveness and customer-related outcomes. For ISO 27001, it includes testing security controls — access management, incident response, backup and recovery, supplier security. Typically 2–3 days for ISO 9001, 3–5 days for ISO 27001 (Annex A controls add scope).
Surveillance and Recertification
Both standards follow a three-year certification cycle: initial certification, then annual surveillance audits in years one and two, then a recertification audit before the certificate expires at the end of year three. Surveillance audits sample different areas each year. Recertification covers the full scope again.
Decision Framework: Which Standard Do You Need?
Work through these questions in order. They should give you a clear answer within five minutes.
1. Have customers or tenders explicitly asked for a specific standard? If yes, that is your answer. Customer requirements override general guidance. If they asked for ISO 9001, start there. If ISO 27001, start there. If both, plan an integrated approach.
2. Does your business handle sensitive client data, personal data at scale, or connect to client IT systems? If yes, ISO 27001 should be on your roadmap. The volume and sensitivity of data you handle determines urgency.
3. Is your primary deliverable a physical product, a constructed asset, or a non-data-intensive service? If yes, ISO 9001 is likely your first priority. Quality of output is what your customers are evaluating.
4. Are you in IT services, software, managed services, or data processing? If yes, plan for both. Your market increasingly expects both quality and security certification. Start with whichever your most important customer is asking for.
5. Are you bidding on UK public sector contracts? Check the specific framework requirements. Many require ISO 9001. Some — particularly in digital, technology, and data services — require ISO 27001 or equivalent. Defence and national security contracts may require both.
6. Do you have budget and bandwidth for one standard or two? If budget is constrained, start with the standard your market demands most urgently. Build the management system backbone to accommodate the second standard later. You do not need to implement both simultaneously.
Practical Checklist Before You Start
Whether you choose ISO 9001, ISO 27001, or both, these steps apply:
- Check what your customers actually require. Read the tender documents, supplier questionnaires, and contract clauses. "ISO certified" is not specific enough — confirm which standard they mean.
- Run a readiness assessment. The ISO 9001 readiness quiz gives you a quick baseline score for quality management. For ISO 27001, start with a gap analysis against clauses 4–10 and the 93 Annex A controls to see where you stand; Annex A alone is not the standard, and a gap analysis that ignores the management system clauses will miss half of what Stage 1 looks at.
- Estimate costs. Use the ISO 9001 cost estimator to model quality certification costs. For ISO 27001, the certification cost guide breaks down the numbers.
- Choose a UKAS-accredited certification body. Get at least three quotes. Prices vary 30–50% for the same scope. Use the UKAS directory to find accredited bodies.
- Decide: sequential or simultaneous. If you need both, decide whether to implement them in sequence (less resource pressure, slower) or in parallel (faster, more intensive). Most SMBs with 5–50 employees prefer sequential implementation with an integrated backbone.
- Allow realistic timelines. ISO 9001 from scratch: 3–9 months. ISO 27001 from scratch: 4–12 months. Both together: 6–14 months with an integrated approach.
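The Statement of Applicability described earlier and the Annex A gap analysis in the readiness step above come down to the same cross-reference: which controls your risks (and your contracts) require, which of those are in place, and which exclusions you have actually justified. The Python below is an added illustration of that cross-reference, not a ClauseWise tool and not text from the standard. The ten-control subset, the risk register, the implementation status and the scoring threshold are all constructed for the example, and the control references and titles should be checked against the published 2022 edition before reuse.

```python
"""Statement of Applicability (SoA) and Annex A gap list from a risk register.

Added example for this article; not a ClauseWise tool and not text from
ISO/IEC 27001. Controls, risks, status and threshold are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    ref: str    # Annex A reference, e.g. "8.13"
    title: str
    theme: str  # organisational / people / physical / technological


@dataclass(frozen=True)
class Risk:
    ident: str
    description: str
    likelihood: int              # 1 (rare) .. 5 (almost certain)
    impact: int                  # 1 (negligible) .. 5 (severe)
    treated_by: tuple[str, ...]  # Annex A refs chosen to treat the risk

    def score(self) -> int:
        return self.likelihood * self.impact


@dataclass(frozen=True)
class SoaRow:
    ref: str
    title: str
    applicable: bool
    status: str         # implemented / GAP / excluded / UNJUSTIFIED EXCLUSION
    justification: str


# Constructed subset of Annex A controls (ten of the 93; verify against the standard).
CONTROLS = [
    Control("5.1", "Policies for information security", "organisational"),
    Control("5.15", "Access control", "organisational"),
    Control("5.19", "Information security in supplier relationships", "organisational"),
    Control("5.24", "Incident management planning and preparation", "organisational"),
    Control("6.3", "Information security awareness, education and training", "people"),
    Control("7.4", "Physical security monitoring", "physical"),
    Control("8.5", "Secure authentication", "technological"),
    Control("8.7", "Protection against malware", "technological"),
    Control("8.13", "Information backup", "technological"),
    Control("8.15", "Logging", "technological"),
]

# Constructed risk register for a small, fully remote software company.
RISKS = [
    Risk("R1", "Ransomware encrypts the file server", 3, 5, ("8.7", "8.13", "5.24")),
    Risk("R2", "Leaver retains access to the client portal", 4, 3, ("5.15", "8.5")),
    Risk("R3", "Phishing leads to credential theft", 4, 4, ("6.3", "8.5", "8.15")),
    Risk("R4", "Tailgating into an office", 2, 2, ("7.4",)),
    Risk("R5", "Unauthorised access goes undetected", 2, 4, ("8.15", "8.16")),
]

# Controls that apply for reasons other than the risk assessment (legal,
# contractual, or demanded by the management system clauses themselves).
OTHER_REQUIREMENTS = {"5.1": "Required by ISO 27001 clause 5.2 and by customer contract"}
IMPLEMENTED = {"5.1", "6.3", "8.7", "8.15"}          # constructed current state
EXCLUSIONS = {"7.4": "No premises in scope: the team is fully remote"}  # clause 6.1.3 d
TREAT_THRESHOLD = 6  # risks scoring at or above this must be treated (constructed)


def build_soa(controls, risks, implemented, exclusions, other_requirements,
              threshold=TREAT_THRESHOLD):
    """One SoA row per catalogue control, in catalogue order."""
    needed = {}  # control ref -> risk idents that rely on it
    for r in risks:
        if r.score() >= threshold:
            for ref in r.treated_by:
                needed.setdefault(ref, []).append(r.ident)
    rows = []
    for c in controls:
        reasons = []
        if c.ref in needed:
            reasons.append("Treats " + ", ".join(needed[c.ref]))
        if c.ref in other_requirements:
            reasons.append(other_requirements[c.ref])
        if reasons:  # applicable: either implemented or an open gap
            status = "implemented" if c.ref in implemented else "GAP"
            rows.append(SoaRow(c.ref, c.title, True, status, "; ".join(reasons)))
        else:        # not applicable: must carry a written justification
            just = exclusions.get(c.ref, "")
            status = "excluded" if just else "UNJUSTIFIED EXCLUSION"
            rows.append(SoaRow(c.ref, c.title, False, status, just))
    return rows


def gaps(rows):
    """Applicable controls not yet implemented: the gap-analysis output."""
    return [r.ref for r in rows if r.status == "GAP"]


def unjustified_exclusions(rows):
    """Excluded controls with no recorded reason: an audit finding in waiting."""
    return [r.ref for r in rows if r.status == "UNJUSTIFIED EXCLUSION"]


def unknown_refs(risks, controls):
    """Refs cited in the register that are not in the catalogue (typos, old numbering)."""
    known = {c.ref for c in controls}
    return {ref for r in risks for ref in r.treated_by if ref not in known}


def render(rows):
    return [f"{r.ref:<5} {r.title:<52} {'Yes' if r.applicable else 'No':<3} "
            f"{r.status:<22} {r.justification}" for r in rows]


if __name__ == "__main__":
    soa = build_soa(CONTROLS, RISKS, IMPLEMENTED, EXCLUSIONS, OTHER_REQUIREMENTS)
    print("\n".join(render(soa)))
    print("Gaps:", gaps(soa))
    print("Unjustified exclusions:", unjustified_exclusions(soa))
    print("Unknown control refs:", unknown_refs(RISKS, CONTROLS))
```

Running it prints the SoA table followed by three lists. The GAP rows are your remediation plan; the UNJUSTIFIED EXCLUSION rows are what a Stage 1 auditor will ask about first; and the unknown-reference check catches register entries that cite a control number your catalogue does not contain, which in practice is usually a leftover from the 2013 edition's A.5–A.18 numbering.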
Key Takeaways
- ISO 9001 covers quality management — how you deliver consistent products and services. ISO 27001 covers information security — how you protect data and systems. They address different risks.
- Both follow the Annex SL structure: shared clauses for context, leadership, planning, support, performance evaluation, and improvement. Running both is roughly 40% less effort than running them independently.
- Your sector and customer requirements determine which you need. Manufacturing and construction typically need ISO 9001 first. IT services and data processors typically need ISO 27001 first. MSPs, SaaS companies, and data-intensive service firms usually need both.
- Total first-year cost for a UK SMB: £5,000–£15,000 for ISO 9001, £8,000–£25,000 for ISO 27001. Integrated audits save 20–30% on audit days.
- If you need both, build one integrated management system — not two separate ones. Design the backbone to accommodate multiple standards from day one.
- Start with whichever standard your customers are asking for. Add the second when budget and bandwidth allow.
This article is for general informational purposes only and does not constitute legal, regulatory, or professional compliance advice. ISO certification requirements vary by scope, sector, and certification body. Always verify requirements with your UKAS-accredited certification body or a qualified consultant before making compliance decisions.