HomeGlossaryInformation Security Certificate (ISO 27001)
ESPD & Supplier Documentation

Information Security Certificate (ISO 27001)

An ISO 27001 information security certificate is an accredited third-party certification confirming that a supplier operates an information security management system meeting the international ISO/IEC 27001 standard, increasingly required as a selection criterion in European public procurement for IT, data processing, and professional services contracts.

Quick answer

An ISO 27001 information security certificate is an accredited third-party certification confirming that a supplier operates an information security management system meeting the international ISO/IEC 27001 standard, increasingly required as a selection criterion in European public procurement for IT, data processing, and professional services contracts.


The ISO 27001 information security certificate has become a near-universal selection criterion for European public sector IT and data-handling contracts. As EU institutions, member state governments, and regulated utilities process increasingly sensitive data through contracted services, information security certification has moved from a differentiating factor to a threshold requirement. Understanding the standard, the certification process, and how it is assessed in procurement is essential for any supplier in the technology, professional services, or data management sectors.

What is an information security certificate (ISO 27001)?

The standard. ISO/IEC 27001 (current version: ISO/IEC 27001:2022) specifies requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS). The ISMS covers the management of information security risks across people, processes, and technology. Annex A of the standard provides a reference set of information security controls covering areas including access control, cryptography, physical security, incident management, supplier relationships, and business continuity.

Certification process. Certification is issued by an accredited certification body following a two-stage audit: Stage 1 (documentation review) and Stage 2 (on-site assessment of ISMS implementation). The certification body must be accredited by a national accreditation body (NAB) under the IAF multilateral recognition arrangement. Annual surveillance audits and a three-year recertification cycle apply.

Scope. As with other management system certificates, the ISO 27001 certificate specifies the scope of the ISMS. A certificate scoped to "provision of cloud hosting services" does not cover "software development services." Contracting authorities are entitled to verify that the certified scope is relevant to the contract being tendered.

Procurement context. ISO 27001 is referenced as a selection criterion under the technical and professional ability provisions of Article 58 of Directive 2014/24/EU, with Annex XII Part II providing the basis for requiring technical quality assurance evidence. It is routinely required for: IT infrastructure and managed services; cloud computing and data centre services; software development where personal data is processed; document management and archiving; and professional services involving access to government systems or classified information.

Related frameworks. In the UK, the Cyber Essentials and Cyber Essentials Plus schemes are government-mandated for some categories of central government IT contracts, alongside or in some cases instead of ISO 27001. For contracts involving processing EU classified information, the relevant national security authority may impose additional requirements beyond ISO 27001.

Why ISO 27001 matters for bidders

ISO 27001 certification is a gating criterion for a large proportion of European public sector IT frameworks. Without it, otherwise qualified suppliers are rejected at the selection stage. Certification also signals to the market generally that a supplier manages information security systematically, which has commercial value beyond public procurement.

The 2022 revision of the standard (ISO/IEC 27001:2022) introduced updated control categories and new controls relevant to cloud security, threat intelligence, and secure development. Suppliers certified to the 2013 version had until October 2025 to transition to the 2022 version. Confirm your certificate reflects the current version.

Example

A Finnish cybersecurity consultancy bids for a European Commission framework for IT security advisory services. The framework requires ISO/IEC 27001 certification with a scope covering information security consultancy and penetration testing. The Finnish company holds a current ISO/IEC 27001:2022 certificate from an EAL-accredited Finnish certification body, with its last surveillance audit completed three months ago. It submits the certificate as part of its selection criteria statement in its ESPD Response and produces it as means of proof upon being shortlisted.

Frequently Asked Questions

Is ISO 27001 the same as Cyber Essentials in the UK?

No. They are different frameworks with different scopes and assurance levels. Cyber Essentials focuses on five specific technical controls (firewall, access control, secure configuration, malware protection, patch management) and is a UK government scheme. ISO 27001 is a comprehensive management system standard covering the full range of information security risks. Some UK contracts require both; others specify one or the other. Check the ESPD Request or procurement documents carefully.

Can we demonstrate information security without ISO 27001 if we hold other security certifications?

Article 62(2) of Directive 2014/24/EU and its equivalent provisions allow submission of equivalent evidence. SOC 2 Type II reports, FedRAMP authorisations, or national security certifications may be accepted as equivalents by some contracting authorities. However, equivalence assessments are discretionary. ISO 27001 from an accredited body is always the lowest-risk approach. If relying on an equivalent, present a clear mapping between the alternative certification and the ISO 27001 requirements.

What if our ISO 27001 certificate does not cover a specific service line the contract requires?

You must either extend your ISMS scope to cover the relevant activities before submission or clarify with the contracting authority whether a different scope is acceptable. Submitting a certificate with an inapplicable scope and hoping the contracting authority does not check is a significant bid risk: scope mismatches are one of the most common causes of post-shortlisting rejection on information security criteria.

How Bidovate helps

Bidovate puts Information Security Certificate (ISO 27001) to work inside your capture and proposal workflow.

Tender discovery

See Bidovate in action

Book a demo and we will show you the platform using your actual contract data.

Related terms

Selection Criteria Statement

A selection criteria statement is a supplier's formal declaration within the ESPD Response confirming that it meets the contracting authority's minimum requirements for suitability, economic and financial standing, and technical and professional ability as defined under Articles 58 to 64 of EU Directive 2014/24/EU.

View

Certificates and Attestations

Certificates and attestations are official documents issued by competent national authorities or accredited third parties that verify a supplier's legal, financial, professional, or technical standing, serving as the primary means of proof for exclusion and selection criteria in European public procurement.

View

Means of Proof

Means of proof are the actual certificates, attestations, declarations, and other documents that a contracting authority requests from the winning or shortlisted tenderer to verify the self-declarations made in the ESPD Response, confirming compliance with exclusion and selection criteria before contract award.

View

Quality Management Certificate

A quality management certificate, most commonly ISO 9001, is an accredited third-party certification confirming that a supplier operates a documented quality management system meeting an internationally recognised standard, used as means of proof for technical and professional ability selection criteria in European public procurement.

View

Environmental Management Certificate

An environmental management certificate, principally ISO 14001 or the EU's EMAS registration, is an accredited third-party certification confirming that a supplier operates a structured environmental management system, used as means of proof for technical and professional ability selection criteria in European public procurement.

View