ISO 27001 certification costs in the UK typically run from the low thousands to well into five figures. For most UK organisations the external certification fees alone sit in the low-to-mid thousands per year, and implementation, tooling and internal staff time usually exceed the audit fees themselves.
A realistic all-in ISO 27001 budget for a small UK business is often £6,000–£20,000+, with the lower end assuming a micro business that buys little or no consultancy; larger or regulated organisations should expect materially more. The worked examples further down, which include three years of audit fees, land at roughly £13,500–£35,000 for firms of 8–25 staff.
Below is a detailed, numbers-driven breakdown.
The main ISO 27001 cost components
ISO 27001 costs fall into five categories, covered in turn below:
- Certification body audit fees (Stage 1, Stage 2, annual surveillance and three-yearly recertification)
- The standard itself
- Implementation support (optional consultancy)
- Training and competence
- Internal time and security tooling
1. Certification body audit fees (UK third-party certification)
ISO 27001 certification follows the same 3-year certification cycle as other ISO management system standards such as ISO 9001:
- Stage 1 audit – readiness, scope, documentation review
- Stage 2 audit – full certification audit
- Surveillance audits – years 1 and 2
- Recertification audit – year 3
Audit fees are primarily driven by:
- the scope of the ISMS (which business units, systems and processes are certified; a narrow, well-defined scope is cheaper to audit than "the whole company")
- employee numbers within that scope
- number of locations
- IT complexity
- data sensitivity and regulatory exposure
Indicative UK ISO 27001 audit fees (ex VAT, one site)
Across UK certification bodies, commonly quoted ranges look like this:
| Organisation size | Stage 1 audit | Stage 2 audit | Annual surveillance |
|---|---|---|---|
| 1–10 employees | £900–£1,200 | £1,200–£1,800 | £900–£1,200 |
| 11–25 employees | £1,200–£1,500 | £1,800–£2,500 | £1,200–£1,500 |
| 26–50 employees | £1,500–£2,000 | £2,500–£3,500 | £1,500–£2,000 |
| 51–100 employees | £2,000–£3,000 | £3,500–£5,000 | £2,000–£3,000 |
Typical admin / certificate issue fees:
- £200–£400 ex VAT (one-off, common in UK quotes)
Example: external audit costs over 3 years (ex VAT)
Micro business (1–10 staff, one site):
- Stage 1 + Stage 2 + admin: £2,300–£3,400
- Surveillance (years 1 & 2): £1,800–£2,400
- Recertification (year 3): £1,200–£2,000
3-year external audit total:
£5,300–£7,800 ex VAT
25-person business (one site, using the 11–25 band above):
- Stage 1 + Stage 2 + admin: £3,200–£4,400
- Surveillance (years 1 & 2): £2,400–£3,000
- Recertification (year 3): £1,800–£3,000
3-year external audit total:
£7,400–£10,400 ex VAT
VAT note: if VAT is not reclaimable, add 20% to most certification fees.
2. Buying the ISO 27001 standard
Most organisations purchase the official standard for reference; the auditor will expect the ISMS to be built against the current edition.
Indicative UK pricing:
- ISO/IEC 27001:2022 (sold in the UK by BSI as the BS EN adoption): typically £130–£170 for a single-user digital copy
- Printed or multi-user licences cost more
- Many teams also buy the companion ISO/IEC 27002:2022, which gives implementation guidance for the Annex A controls (priced separately)
This is a minor cost, but usually unavoidable.
3. ISO 27001 implementation consultancy (optional, but common)
ISO 27001 is significantly more complex than ISO 9001. Many UK SMEs use consultants to:
- define scope and Statement of Applicability (SoA)
- perform risk assessments
- design policies and controls
- prepare for certification audits
Typical UK ISO 27001 consultant costs
- Day rates: £700–£1,500 per day
- Security specialists with regulatory experience often sit at the upper end
Common consultancy spend scenarios
| Business profile | Consultant days | Typical cost |
|---|---|---|
| Micro business, limited IT | 4–8 days | £2,800–£12,000 |
| Small business, cloud + SaaS | 8–15 days | £5,600–£22,500 |
| Medium business, mixed IT | 15–30 days | £10,500–£45,000 |
Many UK providers also sell fixed-price ISO 27001 packages:
- £3,000–£6,000 (very small firms)
- £6,000–£12,000 (typical SME)
- £15,000+ (complex or regulated environments)
4. ISO 27001 training costs
Formal training courses are not mandated by the standard, but clause 7.2 requires you to demonstrate that the people running the ISMS are competent, so training is strongly recommended, particularly for internal auditors and ISMS owners.
Typical UK training prices
| Course type | Typical cost (per delegate) |
|---|---|
| ISO 27001 awareness | £300–£500 + VAT |
| ISO 27001 internal auditor | £800–£1,200 + VAT |
| ISO 27001 lead implementer | £1,200–£1,800 + VAT |
Example training budgets
- 1 internal auditor trained: £800–£1,200 + VAT
- 2 staff trained: £1,600–£2,400 + VAT
5. Internal time and security tooling (often the biggest cost)
Internal staff time
ISO 27001 requires ongoing effort, including:
- asset inventories
- risk assessments
- incident management
- supplier security reviews
- management review and internal audit
A deliberately low-end internal time model for year one (most organisations spend more, especially where processes are still undocumented):
| Role | Hours | Cost per hour | Cost |
|---|---|---|---|
| ISMS lead | 80 | £40 | £3,200 |
| IT/security staff | 60 | £45 | £2,700 |
| Management input | 20 | £60 | £1,200 |
Internal time subtotal: £7,100
Security tools and controls (often overlooked)
ISO 27001 does not mandate specific tools, but every Annex A control you declare applicable in the SoA must be shown to operate, and many organisations find a tool in each area is the cheapest way to produce that evidence:
| Control area | Typical annual cost |
|---|---|
| Password manager | £50–£150 per user |
| Endpoint security | £30–£80 per device |
| Backup solutions | £300–£1,500 |
| Security awareness training | £20–£50 per user |
| Vulnerability scanning | £500–£3,000 |
Typical annual tooling spend (small business):
£1,000–£5,000+
What drives ISO 27001 costs up?
ISO 27001 costs increase sharply when:
- you handle personal data, financial data, or health data
- you have multiple cloud platforms or hybrid IT
- you operate multiple sites or remote workforces
- you lack documented security processes
- customers require tight scoping and supplier controls
Regulated or high-assurance sectors (finance, healthcare, defence supply chains), and B2B SaaS vendors whose customers run detailed security reviews, almost always sit at the top end of cost ranges.
Realistic all-in ISO 27001 budgets (UK examples)
Example A: micro SaaS business (8 staff, cloud-only)
- External audit (3 years): £5,500–£7,500
- Consultant support: £3,000–£6,000
- Training + standard: £1,000–£1,400
- Internal time + tooling (year 1): £4,000–£7,000
Estimated total:
£13,500–£21,900
Example B: 25-person professional services firm
- External audit (3 years): £7,400–£10,400
- Consultancy: £6,000–£12,000
- Training (2 people): £1,600–£2,400
- Internal time + tooling: £6,000–£10,000
Estimated total:
£21,000–£34,800
Example C: 60-person business with mixed IT
- External audit (3 years): £13,000–£19,500 (51–100 band above: Stage 1 + Stage 2 + admin £5,700–£8,400, two surveillance years £4,000–£6,000, plus recertification priced in line with Stage 2)
- Consultancy: £12,000–£25,000
- Training: £2,000–£3,500
- Internal time + tooling: £10,000–£20,000
Estimated total:
£37,000–£68,000
Simple ISO 27001 cost calculator
External certification (3 years, ex VAT)
Stage 1 £____
Stage 2 £____
Admin £____
Surveillance Y1 £____
Surveillance Y2 £____
Recertification Y3 £____
Implementation and operation
Consultant days ____ × £____ = £____
Training ____ × £____ = £____
Internal hours ____ × £____ = £____
Security tools (annual) £____
Add VAT if not reclaimable (+20%)
Estimated total £____
FAQ for ISO 27001 certification cost
How much does ISO 27001 certification cost in the UK?
A realistic all-in ISO 27001 budget for a small UK business is often £6,000–£20,000+, and materially more for larger or regulated organisations.
Is ISO 27001 more expensive than ISO 9001?
Yes. ISO 27001 audits take longer, require deeper technical evidence, and often involve higher consultancy and tooling costs. UK businesses typically spend 30–100% more overall compared with ISO 9001.
Can you get certified without a consultant?
Yes, but most UK SMEs still use at least light-touch consultancy. Poor scoping, weak risk assessments, or an incomplete Statement of Applicability are common causes of failed first audits.
Are there ongoing costs after certification?
Yes. In the fee table above, annual surveillance audits run at roughly 55–75% of the Stage 2 fee; they recur every year between certifications and must be budgeted for.
How often do you need to recertify?
Every three years, with a full recertification audit required to maintain certification.