How much does ISO 27001 cost? A plain guide to the real first year spend

There is no single price for ISO 27001, because the cost is set by your size, the scope you certify, and how much security you already run. As an indicative guide, a small UK business commonly spends somewhere in the low to mid five figures across the first year, once the certification body fees, the internal effort, and any consultancy are added together. The certificate fee is the smallest part of it. The work to be ready is the real cost.

By Daniel McClure Fisher, Founder. CISSP, Chartered member of the Institute of Information Security (MCIIS). Updated May 2026

The short version

People ask what ISO 27001 costs as though there is a price list. There is not, and any provider who quotes a flat figure before they understand your business is guessing. ISO 27001 is the international standard for an information security management system, an ISMS, which is the set of policies, risk decisions, and routines that govern how you protect information across the whole organisation. Certifying to it is a programme of work, not a purchase, so the cost reflects how much of that work you still have to do.

It helps to split the spend into three parts: the certification body that audits you and issues the certificate, the internal effort to build and run the management system, and any consultancy you bring in to help. The certification fee is usually the smallest of the three. For most small and mid sized firms the biggest cost is time, your own people's and an adviser's, spent getting ready.

  • The certificate fee is a minor line. Budget for the readiness work, which is where the real money and time go.
  • Three things move the figure most: how big you are, how much you put in scope, and how mature your security already is.
  • ISO 27001 is an ongoing cost, not a one off. Surveillance audits and recertification continue every year after.

What actually drives the cost

Two businesses of similar size can pay very different amounts, and both figures can be fair, because they describe different starting points and different scopes. These are the factors that move the number.

  • The size of your organisation. Headcount and the number of sites are the main inputs a certification body uses to set audit time, and audit time drives their fee. A ten person firm on one site is a far smaller audit than a hundred and fifty people across three offices.
  • The scope you certify. You decide what the ISMS covers: the whole company, one division, or a single product and the team behind it. A tight, well chosen scope is cheaper to build, audit, and maintain. An over broad scope inflates every cost that follows, so this is one of the most important early decisions.
  • Your current security maturity. This is the single biggest variable. If you already run things well, with patching, access control, monitoring, and some documented process in place, much of the evidence exists and you are tidying and formalising it. Starting closer to a blank page means building most of the system from scratch, which costs far more in effort.
  • How much you do in house versus buy in. Internal effort has a real cost even when no invoice is raised, because your people spend weeks on it instead of their day job. Consultancy converts some of that time into a fee, and good help usually shortens the timeline and reduces the risk of failing the audit.
  • Tools and remediation. Closing gaps can mean new spend: a policy and risk platform, better logging or monitoring, multi factor authentication, or staff training. How much depends entirely on what you already have.

The three costs, separated

Quotes become much easier to read once you split them into these three buckets and ask which the figure in front of you includes. A cheap number that covers only the certificate is not comparable with one that includes the readiness work.

  • Certification body fees. What it covers: the two stage initial audit and the certificate itself, then annual surveillance and recertification. Who you pay: a UKAS accredited certification body (separate from any consultant). What moves it: your headcount, number of sites, and scope, which together set the audit days.
  • Internal effort. What it covers: building the ISMS, writing policies, running the risk assessment, gathering evidence, internal audits, and management review. Who you pay: your own people's time, costed honestly. What moves it: your current maturity and how much of the work you keep in house.
  • Consultancy or implementation help. What it covers: gap analysis, building the system with you, preparing for the audit, sometimes acting as your interim security lead. Who you pay: a consultant or a managed provider. What moves it: how much you outsource, and how far you are from ready.
  • Tools and remediation. What it covers: fixing the gaps the assessment finds: software, monitoring, MFA, training. Who you pay: vendors, or bundled into a managed service. What moves it: what controls you already have in place.

Base certification versus surveillance and recertification

ISO 27001 runs on a three year cycle, and the costs do not stop once you hold the certificate. The first year carries the heaviest spend: the readiness work plus the two stage initial audit, the Stage 1 documentation review and the Stage 2 assessment of the system in action. After that, the certification body returns for a lighter surveillance audit in each of the next two years to confirm the ISMS is still being run, and a full recertification audit in year three. Surveillance and recertification fees are smaller than the initial audit, but the internal effort continues throughout, because an ISMS only works if you keep running it. Treat ISO 27001 as an ongoing operating cost, not a one off project cost.

A realistic range, clearly labelled indicative

With the caveat that your figure depends on the factors above, it helps to have a sense of the orders of magnitude. The ranges below are indicative market figures for UK businesses, not a quote, and they are the kind of numbers worth sense checking against your own scope and a current proposal.

  • Certification body fees for a small organisation are commonly in the low thousands of pounds for the initial audit, with surveillance audits costing less in the following years. The figure scales with audit days, so it rises with size and scope.
  • Consultancy or implementation support is usually the largest single line where a firm brings in help, and for a small to mid sized business it commonly runs from several thousand into the low tens of thousands of pounds, depending on how much of the build you outsource and how far you start from ready.
  • Internal effort is real even though it rarely appears on an invoice. Building an ISMS from a low base can absorb a meaningful share of someone's role for several months. Cost it at their day rate and it is often comparable to the consultancy line.
  • All in, first year, a small UK business with a reasonable starting point and a sensible scope commonly lands somewhere in the low to mid five figures once fees, help, and internal time are added together. A larger firm, a broad scope, or a low starting maturity pushes it higher. A genuinely well run small firm with a tight scope can come in lower.

The honest way to get a real figure is a short gap analysis. An hour or two understanding your size, your scope, and what you already have in place turns these indicative ranges into a number you can actually budget against, and it usually pays for itself by stopping you from over scoping.

How to keep the cost sensible

Most of the waste in an ISO 27001 programme is avoidable, and it comes from a handful of mistakes. Avoid them and the spend stays proportionate to the value.

  • Scope deliberately. Certify what the buyer or the risk actually requires, not the whole company by reflex. Scope is the lever with the largest effect on every other cost.
  • Do the gap analysis first. Knowing where you stand before you commit stops you paying to build things you already have, and tells you which gaps carry real risk.
  • Use a UKAS accredited certification body. A certificate from a non accredited body can be cheaper and is worth much less, because the buyers who ask for ISO 27001 usually expect accreditation. Paying less for a certificate that does not satisfy the contract is the most expensive saving of all.
  • Reuse what you have. If you already hold Cyber Essentials, the technical work behind it feeds directly into the standard's controls, so very little of that effort is wasted.
  • Plan for the running cost. Budget for the surveillance and recertification cycle from the start, so year two does not arrive as a surprise.

We are not the cheapest route to ISO 27001, and we are not trying to be. Our view is simple: the figure that matters is the all in cost of a certificate a buyer or regulator will actually accept, run by a system you can keep alive. A cheap quote that covers only the audit, or a certificate from a body nobody recognises, costs far more once the contract you were chasing asks the question properly. Price the readiness and the running of it, not just the badge.

FAQ: common questions

How much does ISO 27001 certification cost in the UK?

There is no fixed price, because the cost depends on your size, the scope you certify, and how much security you already run. As an indicative guide, a small UK business commonly spends in the low to mid five figures across the first year once certification body fees, internal effort, and any consultancy are combined. The certificate fee itself is usually the smallest part. A short gap analysis is the only reliable way to turn that range into a real figure.

How long does ISO 27001 take to achieve?

For most organisations it is a programme of several months to over a year, not a quick project. You build the management system, run it long enough to generate evidence, then pass a two stage external audit. A firm that already runs security well can move faster, because much of the evidence exists. Starting from a lower base takes longer, because the system has to be built and operated before it can be audited. Plan ISO 27001 as a programme with a realistic timeline, not a deadline you can buy your way past.

How much does ISO 27001 cost for a small business or SME?

A smaller organisation pays less than a large one, because certification body fees scale with headcount, sites, and scope. The biggest variable for an SME is usually current maturity. If you already patch, control access, and have some documented process, you are tidying and formalising rather than building from scratch, which keeps the cost down. A tight, well chosen scope matters more for a small business than almost anything else, because it reduces the effort to build, the fee to audit, and the work to maintain.

Is the certification fee the main cost of ISO 27001?

No. The fee paid to the certification body is usually the smallest of the three costs. The larger ones are the internal effort to build and run the management system, which is real even when no invoice is raised, and any consultancy you bring in to help. When you compare quotes, check which of these three a figure includes, because a number that covers only the audit is not comparable with one that includes getting you ready.

What are the ongoing costs after ISO 27001 certification?

ISO 27001 runs on a three year cycle. After the initial audit, the certification body returns for a lighter surveillance audit in each of the next two years, then a full recertification in year three. Those fees are smaller than the first audit, but the internal effort continues throughout, because the management system only works if you keep running it. Budget for the running cost from the start, so the second year does not arrive as a surprise.

Can I reduce the cost of ISO 27001?

Yes, mostly by scoping deliberately and doing a gap analysis before you commit. Certifying only what the contract or the risk requires, rather than the whole company by reflex, is the single largest saving, because scope drives every other cost. Reusing work you have already done, such as Cyber Essentials, also helps, because the technical controls overlap. One thing not to cut is accreditation: a certificate from a body that is not UKAS accredited is cheaper and usually fails to satisfy the buyer who asked for it.

Want a real figure for your ISO 27001?

Tell us your size, what you need to put in scope, and what you already have in place. We will give you an honest, indicative range and a clear view of the work behind it, with no obligation to certify through us. We reply within one working day, and you will speak to an engineer, not a salesperson.
