ISO 22301 certification costs in the UK are influenced by organisation size, operational complexity, number of sites, and the criticality of services that must be protected. Because the standard focuses on business continuity planning, impact analysis, and resilience testing, organisations with complex operations or strict customer requirements usually face higher costs.
For most UK SMEs, external certification body fees typically fall between £4,000 and £16,000 over a three-year certification cycle, while total all-in costs (including internal time, training, exercises, and optional consultancy)often sit in the £7,000 to £40,000+ range.
Below is a detailed breakdown to help you budget accurately.
How ISO 22301 certification costs are structured
ISO 22301 certification follows a three-year cycle, made up of:
- Stage 1 audit – scope, documentation, and readiness review
- Stage 2 audit – full certification audit
- Surveillance audits – typically in years 1 and 2
- Recertification audit – year 3
You are charged mainly for auditor time and complexity, not for the certificate itself.
1. Certification body audit fees (UK market ranges)
Audit pricing is driven by:
- number of employees
- number of locations
- number of critical activities and dependencies
- IT, supplier, and recovery complexity
Typical UK ISO 22301 audit fees (ex VAT, single site)
| Organisation size | Stage 1 audit | Stage 2 audit | Annual surveillance |
|---|---|---|---|
| 1–10 employees | £900–£1,300 | £1,300–£1,900 | £900–£1,300 |
| 11–25 employees | £1,200–£1,700 | £1,900–£2,800 | £1,200–£1,700 |
| 26–50 employees | £1,700–£2,500 | £2,800–£4,200 | £1,700–£2,500 |
| 51–100 employees | £2,500–£3,800 | £4,200–£6,500 | £2,500–£3,800 |
Typical admin / certificate issue fees:
- £150–£400 ex VAT (usually one-off)
External audit costs over a full 3-year cycle (examples)
Small service business (1–10 staff)
- Stage 1 + Stage 2 + admin: £2,350–£3,600
- Surveillance audits (years 1 & 2): £1,800–£2,600
- Recertification (year 3): £1,300–£2,000
3-year external audit total:
£5,450–£8,200 ex VAT
25-person business with defined recovery requirements
- Initial certification: £3,500–£5,200
- Surveillance audits: £2,400–£3,400
- Recertification: £1,900–£3,200
3-year external audit total:
£7,800–£11,800 ex VAT
60-person organisation with critical services
- Initial certification: £6,700–£10,700
- Surveillance audits: £5,000–£7,600
- Recertification: £3,000–£5,500
3-year external audit total:
£14,700–£23,800 ex VAT
VAT note: if VAT cannot be reclaimed, add 20% to most certification body fees.
2. Buying the ISO 22301 standard
Most organisations purchase the official standard for reference.
Indicative UK pricing:
- BS EN ISO 22301:2019 (digital, single user): £120–£170
- Printed or multi-user licences cost more
This is a minor but common upfront cost.
3. ISO 22301 implementation consultancy (optional)
ISO 22301 requires business impact analysis (BIA), risk assessment, continuity strategies, plans, and exercises. Many UK organisations use consultants to accelerate this work and reduce audit risk.
Typical UK ISO 22301 consultancy costs
- Day rates: £650–£1,400 per day
- Consultants with crisis management or regulated-sector experience often sit at the top of this range
Typical consultancy spend ranges
| Organisation profile | Consultant days | Typical cost |
|---|---|---|
| Small service business | 4–7 days | £2,600–£9,800 |
| SME with multiple teams | 7–15 days | £4,600–£21,000 |
| Complex / regulated organisation | 15–30 days | £9,800–£42,000 |
Fixed-price UK ISO 22301 packages are commonly advertised at:
- £3,000–£6,000 (small, low-complexity firms)
- £6,000–£12,000 (typical SMEs)
- £15,000+ (complex or multi-site organisations)
4. ISO 22301 training costs
Training is not mandatory, but it significantly improves audit outcomes and plan effectiveness.
Typical UK training prices
| Training type | Typical cost (per delegate) |
|---|---|
| ISO 22301 awareness | £300–£500 + VAT |
| ISO 22301 internal auditor | £800–£1,200 + VAT |
| ISO 22301 lead implementer | £1,200–£1,900 + VAT |
Example training budgets
- 1 internal auditor trained: £800–£1,200 + VAT
- 2 staff trained: £1,600–£2,400 + VAT
5. Internal time, testing and continuity controls
Internal staff time
ISO 22301 is participation-heavy and typically requires:
- business impact analysis workshops
- dependency and supplier mapping
- plan development and review
- internal audits, exercises, and management review
A conservative internal time estimate:
| Role | Hours | Cost per hour | Cost |
|---|---|---|---|
| BCMS lead | 70 | £40 | £2,800 |
| Departmental input | 60 | £35 | £2,100 |
| Senior management | 20 | £65 | £1,300 |
Internal time subtotal: £6,200
Testing, exercises and resilience measures
ISO 22301 requires evidence of testing and exercising plans.
| Activity | Typical annual cost |
|---|---|
| Table-top exercises | £500–£2,000 |
| Continuity or crisis simulations | £1,000–£5,000 |
| Supplier resilience reviews | £300–£1,500 |
| Plan maintenance tools | £200–£1,000 |
Typical annual resilience spend:
£1,000–£7,000+
What increases ISO 22301 certification costs?
Costs rise when organisations:
- deliver time-critical or customer-critical services
- rely heavily on IT systems, cloud platforms, or key suppliers
- operate multiple sites or regions
- have regulatory or contractual continuity requirements
- lack existing continuity plans or testing evidence
Small, office-based service firms usually sit at the lower end of the ranges; complex or regulated organisations sit at the upper end.
Realistic ISO 22301 certification budgets (UK examples)
Example A: small professional services firm (10 staff)
- External audit (3 years): £5,450–£8,200
- Consultancy: £3,000–£6,000
- Training + standard: £1,000–£1,400
- Internal time + exercises: £4,000–£6,000
Estimated total:
£13,450–£21,600
Example B: 25-person organisation with defined recovery objectives
- External audit (3 years): £7,800–£11,800
- Consultancy: £5,000–£10,000
- Training (2 people): £1,600–£2,400
- Internal time + exercises: £5,000–£8,000
Estimated total:
£19,400–£32,200
Example C: 60-person organisation with critical operations
- External audit (3 years): £14,700–£23,800
- Consultancy: £10,000–£25,000
- Training: £2,000–£3,500
- Internal time + testing: £8,000–£15,000
Estimated total:
£34,700–£67,300
Simple ISO 22301 cost calculator
External certification (3 years, ex VAT)
Stage 1 £____
Stage 2 £____
Admin £____
Surveillance Y1 £____
Surveillance Y2 £____
Recertification Y3 £____
Implementation and operation
Consultant days ____ × £____ = £____
Training ____ × £____ = £____
Internal hours ____ × £____ = £____
Testing / exercises (annual) £____
Add VAT (+20%) if not reclaimable
FAQ for ISO 22301 certification cost
For most UK SMEs, external certification body fees typically fall between £4,000 and £16,000 over a three-year certification cycle, while total all-in costs (including internal time, training, exercises, and optional consultancy)often sit in the £7,000 to £40,000+ range.
No. ISO 22301 is voluntary, but it is commonly required by clients, regulators, and supply chains where service continuity is critical.
Yes. Surveillance audits typically cost 40–60% of the Stage 2 audit, but they recur annually.
Yes, particularly for smaller service businesses. However, weak BIAs, unrealistic recovery objectives, and lack of exercise evidence are common audit nonconformities.
Every three years, with annual surveillance audits required to maintain certification.