PECB / BSI / IRCA · GRC · Management Systems

ISO/IEC 27001 Lead Implementer / Lead Auditor

The global ISMS standard. ISO 27001 Lead Implementer / Lead Auditor certifications signal you can build or audit a certified information security management system end-to-end.

// exam format
Lead Implementer: 12-question essay, 3 hours, 70% to pass. Lead Auditor: 100-question MCQ, 3 hours.
// cost
≈ £1500
// prerequisites
  • Familiarity with information security concepts; no formal prerequisite
ISO/IEC 27001:2022 is the international standard for Information Security Management Systems (ISMS). Lead Implementer certifies you to design and run an ISMS programme; Lead Auditor certifies you to audit one against ISO 19011 audit principles. Both are mandatory currency for GRC analysts, consultants, and ISMS managers in regulated sectors and any organisation seeking UKAS-accredited certification. ## What the exam covers - ISMS scope, context, and leadership commitment (clauses 4–5) - Risk assessment and treatment (clauses 6, 8.2–8.3, Annex A) - Statement of Applicability and the 93 Annex A controls - Internal audit, management review, continual improvement (clauses 9–10) - Stage 1 and Stage 2 certification audit mechanics ## Prerequisites - Familiarity with information security concepts; no formal prerequisite ## Study plan Plan 5 days intensive (instructor-led) + 2 weeks self-study before exam. Read ISO 27001:2022 and ISO 27002:2022 cover-to-cover; build a sample SoA against a fictional company; rehearse the 12 essay prompts. ## Cost (UK 2026) Exam fee approx. £1500 (vendor list price; bundles + corporate discounts vary). ## Format Lead Implementer: 12-question essay, 3 hours, 70% to pass. Lead Auditor: 100-question MCQ, 3 hours.

Frequently asked questions

ISO 27001 Lead Implementer or Lead Auditor first?

Implementer if you will design or run an ISMS in-house; Auditor if you will audit clients (consultancy, certification body) or join an internal audit team.

Is ISO 27001 mandatory in the UK?

Not legally, but it is contractually mandatory across UK public sector, financial services, and most large enterprise procurement frameworks (G-Cloud, NHS DSPT alignment).

How does ISO 27001:2022 differ from 2013?

Annex A controls reduced from 114 to 93, restructured into 4 themes (organisational, people, physical, technological), with 11 net-new controls covering threat intelligence, cloud security, ICT readiness for business continuity, etc.

Does the certification transfer between bodies (PECB vs BSI)?

The qualification transfers in spirit; specific badges do not. Most employers accept any accredited body. PECB is the most cost-effective; BSI carries the strongest UK enterprise brand.

Practice ISO/IEC 27001 Lead Implementer / Lead Auditor interview questions

Run AI-graded mock interviews keyed to the ISO/IEC 27001 Lead Implementer / Lead Auditor body of knowledge.

Start free
// related
grc-analystsecurity-consultantcisoframework · iso-27001framework · iso-27701framework · iso-42001