ISO 27001 Certification Cost UK (2026): What You’ll Actually Pay
For most UK SMEs in 2026, ISO 27001 certification costs between £6,000 and £15,000 in year one, with ongoing surveillance audits of £1,500–£3,000 per year. The exact figure depends on your headcount, whether you go UKAS-accredited or non-accredited, and how much you do yourself versus hiring help. This article breaks down where every pound goes, what’s changed in 2026, and how to keep the total on the lower end without cutting corners.
I work with SMEs across the UK, EU and US to get them certified, usually in 90 days, with two fixed-fee routes – a £3,500 coaching programme and a £7,500 fully-assisted consultancy – sitting at the heart of how I help.
Last Updated: 09/05/2026
Written by Alan Parker – ISO 27001 Consultant
Quick Cost Summary
If you want the headline numbers before getting into the detail, here’s where most organisations land in 2026:
| Cost Component | Small Org (<50 employees) | Mid-Sized (50-250 employees) |
|---|---|---|
| Implementation support (consultancy) | £2,000 – £8,000 | £8,000 – £20,000 |
| Internal audit (if outsourced) | £1,000 – £4,000 | £3,000 – £8,000 |
| Certification audit (non-accredited) | £3,500 – £6,000 | £5,000 – £10,000 |
| Certification audit (UKAS-accredited) | £6,250 – £10,000 | £10,000 – £20,000 |
| Surveillance audit (annual, years 2-3) | £1,500 – £3,000 | £3,000 – £6,000 |
These are real-world figures based on what I see in client engagements and quotes auditors are issuing in 2026. They’re not the whole picture, though, because they don’t capture your internal time, the cost of any new tooling, or the differences in how you choose to implement. The calculator below provides an estimate.
ISO 27001 Cost Calculator
The calculator estimates your UK certification costs and compares routes. It is based on 2026 UK market rates and ISO 27006 audit day guidance; actual certification body quotes vary. The Iseo Blue figures reflect published pricing, and the market ranges reflect typical UK consultancy quotes. For a tailored estimate, book a free discovery call.
The calculator gives you a comparison across three routes – DIY, hybrid, and fully-assisted – alongside typical UK market ranges so you can see what the same outcome would cost from a typical day-rate consultancy. My fixed-fee approach is a deliberate counter to the prevailing model, and the comparison makes that visible.
What’s Changed in 2026 (And What It Means for Your Budget)
The cost of ISO 27001 certification has shifted noticeably in 2026, and not in the customer’s favour. If you’re budgeting from a 2024 or 2025 quote, you’re likely working with numbers that no longer reflect what auditors are charging.
UKAS auditor day rates have risen by around 20%
The benchmark UKAS-accredited auditor day rate in the UK has settled at approximately £1,250 per day for 2026, with some larger certification bodies charging £1,500 or more. That’s roughly a 20% jump on 2025 rates, I’m afraid.
Two things are driving the sharp increase: a genuine shortage of qualified UKAS Lead Auditors and the residual workload from the ISO 27001:2022 transition. I’m certainly seeing an uptick in international clients now valuing 27001 and UK-based auditors.
Non-accredited day rates have moved less sharply, but they’ve moved. Expect £800-£1,000 per day from a reputable non-accredited body, whereas £600-£750 was common just a couple of years ago.
In practice, a small organisation (1-10 employees) needing the minimum five audit days under ISO 27006 (the ISMS auditing standard) now faces a UKAS audit floor of around £6,250.
The 2022 transition is now complete
The transition deadline from 27001:2013 to 27001:2022 (the latest version) was 31 October 2025. After that date, all 2013 certificates were withdrawn. If you’re getting certified now, you’re being audited against the 2022 version, full stop.
What this means in practice for 2026 budgeting: there’s no transition cost to plan for if you’re new to ISO 27001. You’re not paying twice (once for the legacy version, once to upgrade), the way some organisations did during 2024-2025. That’s one cost that’s actually come off the table for new certifications this year.
There is a knock-on effect, though. The auditor capacity tied up handling transition audits during 2024 and 2025 has only partially freed up because demand for new certifications has risen at the same time. That’s part of what’s driving the 20% day-rate increase I mentioned above. So the transition itself is over, but its effect on the auditor market is still being felt.
Procurement pressure has tightened
I’m certainly hearing evidence from clients that NHS, defence and central government procurement now routinely demand UKAS-accredited certification rather than accepting non-accredited certificates (and they should!).
That said, for most B2B SaaS clients I work with, non-accredited remains perfectly adequate. It’s cheaper, faster, and audited against the same standard, just by a less demanding route. It’s worth checking your top three target buyers’ procurement requirements before you commit to a route, though.
What stays the same
The core formula hasn’t changed: audit days are still set by ISO 27006 (the ISMS auditing standard) based on your headcount; the standard itself is still ISO 27001; and a tightly scoped ISMS is still the single biggest lever you have to keep costs down. Minimise data, offices, business functions, etc., and it’ll reduce the overall calculated costs.
The fundamentals are stable. The price tag on each component is what’s moved.
Where the Money Actually Goes
ISO 27001 certification is not one cost. It’s really in six parts. Understanding which line items you can control, which you can’t, and which you can avoid entirely is key to tackling costs and keeping them from spiralling out of control.
1. Gap analysis (optional, £0-£5,000)
A gap analysis compares your current security posture against ISO 27001 requirements and identifies what’s missing. This is useful if you’re a more mature organisation with existing security processes; less useful if you’re starting from scratch and already know you need everything.
If you’re a startup with no existing ISMS, my advice is to just save your money. You know instinctively where you stand (nowhere), so skip the formal gap analysis and put the budget towards implementation.
If, however, you’re a 100-person business with existing policies, a framework, and something like Cyber Essentials already in place, then a proper gap analysis (£3,000-£5,000) will save you double that in misdirected effort.
I cover when you actually need one in my gap analysis article.
2. Implementation (£250-£20,000)
This is the big one, and it varies the most because it depends entirely on how you choose to do it. There are essentially three routes:
Do-It-Yourself: You implement 27001 yourself using a toolkit and an online course. You pay for the materials, and you invest your own time. Total cash cost can be under £400 if you use my toolkit (£85) and online course (£285). The hidden cost is the 100-200 hours of internal effort. This is a great approach for micro-organisations where you are comfortable with rolling up your sleeves, working things out for yourself a bit, making the odd mistake, but ultimately saving on the costs.
Hybrid Approach: Under this scenario, you do most of the implementation, but bring in a consultant (such as me!) for coaching, the tricky bits (how to approach risk assessment, Statement of Applicability), and an internal audit (a requirement of the standard). Mid-range cash cost – typical UK market is £2,000-£5,000, my coaching programme is £3,500 fixed.
Fully-assisted: Under this option, a consultant runs the implementation end-to-end as a hands-on project manager. You provide the inputs, they build the ISMS, run the internal audit, and prepare you for certification. My fully-assisted route is fixed at £7,500 for organisations up to 250 employees. The typical UK market for the equivalent service is £8,000-£25,000 because most consultancies charge by the day and scale with your headcount.
Regarding pricing for the Hybrid and Fully-Assisted options, I offer a 20% discount to micro-organisations with fewer than 3 people.
I’ll dig into the trade-offs between these routes further down.
3. Internal audit (£0-£5,000)
ISO 27001 requires an internal audit before certification, and annually after. If you have a qualified, independent auditor in-house, this costs you nothing but their time. If you don’t (and most SMEs don’t), you can:
- Use external services for the internal audit, typically £1,500-£5,000 per year
- Bring in an independent auditor (cough, like me) for a one-off engagement
Internal audits often surface issues that would otherwise blow up at certification, so this isn’t somewhere I’d cut corners.
My internal audit service (if taken separately from my other options) is £2,500.
4. Certification audit (£3,500-£15,000+)
The fee paid to your certification body (accredited or not) for the Stage 1 + Stage 2 audit. This is the cost you have least control over because it’s set by ISO 27006 audit-day requirements multiplied by the body’s day rate.
Recognised UKAS-accredited certification bodies in the UK include BSI, NQA, Alcumus ISOQAR, URS, and LRQA. Their day rates sit in the £1,250-£1,500 range in 2026.
Non-accredited bodies (often perfectly adequate for B2B SaaS, professional services, and most SME contexts) charge less, typically £800-£1,000 per day, and often have shorter record-keeping requirements. Nine times out of ten, a non-accredited certificate is all anyone actually asks for.
Always get at least two or three quotes. The same audit can vary by 30-40% across certification bodies.
5. Surveillance audits (£1,500-£3,000 per year, years 2 and 3)
After initial certification, you’ll have a yearly surveillance audit for two years. These are shorter than the initial audit (typically 1-2 days on-site for a small org). Budget for these from day one – they’re not optional.
Like any project delivery (and I would always look at 27001 as a project), you should consider and explore the ongoing running costs of anything you are implementing, because it is never ‘one and done’.
6. Recertification (year 3, comparable to year 1)
Every three years, the cycle restarts with a full recertification audit, similar in scope to the original Stage 2. Costs are typically 80-100% of the original audit fee. If you’ve maintained the ISMS properly between cycles, recertification is uneventful. If you haven’t, it’s painful.
What Drives Costs Up or Down
Several factors move the needle, especially if you are going for a UKAS audit. The person pulling the quotation together will likely work through a spreadsheet calculator that asks a set of questions, and the answers determine your final quotation. Those inputs can include:
Headcount. ISO 27006 ties audit days directly to employee count. More people, more days, more cost. There’s no way around this for the audit itself, but you can manage it on the implementation side.
Scope. The single biggest lever. Certifying your whole organisation costs far more than certifying just the product or business unit that handles customer data. A common play for B2B SaaS startups is to scope ISO 27001 for the engineering/dev team and the production environment, not for the marketing team’s laptops or back-office services, where they don’t touch the core services or data.
Number of sites. Multi-site organisations require additional audit days and greater implementation effort. Each additional site typically adds at least one audit day.
Sector and data sensitivity. Handling medical data, payment data, or critical infrastructure systems means auditors will go deeper, which increases audit days regardless of headcount. So, if, for example, you say you are handling health data for children, prepare yourself for a significant cost increase because the risk assessment by the auditor will be that you need some seriously robust controls in place.
Which Route Is Right for You?
Most people instinctively know which approach is right for them. Do it yourself, or do it with increasing levels of support. The answer depends on three things: your budget, your time, and how much information security expertise sits inside your organisation today.
DIY (Toolkit + Course)
Total cash cost: £370 + audit fees
Total time investment: 80 hours of internal effort (estimate)
Best for: Organisations with someone internal who has time, basic information security knowledge, and the discipline to follow through.
You buy my Information Security Toolkit (£85, includes every mandatory document template) and online course (£285). You implement it yourself, run your own internal audit, and book your certification directly with your certification body. I’d estimate that around 1 in 4 organisations have the right internal person to make this work. The other three try and either give up or burn far more time than the consultancy fee would have cost them.
Hybrid (Coaching)
Total cash cost: £3,500 + audit fees
Total time investment: 60-80 hours of internal effort for a small company
Best for: Organisations with a capable internal lead who needs expert input on the technical bits and a sanity check before audit.
You do the documentation work, and I review it. I run risk assessment workshops, help you nail the Statement of Applicability, and conduct a mock audit before the real one. This is the lowest-risk way to get certified without paying for full consultancy.
Fully-Assisted Consultancy (Fixed Fee)
Total cash cost: £7,500 (up to 250 employees) + audit fees
Total time investment: 20-40 hours of internal effort
Best for: Organisations where leadership wants certification done quickly, with minimal internal disruption, and a known cost.
I run the implementation end-to-end. You give me inputs (asset list, current practices, who does what), I build the ISMS, draft the documentation, run your internal audit, and prepare you for certification. Fixed fee of £7,500, regardless of whether you have 10 or 250 employees. Micro businesses (1-2 people) get a 20% discount.
The fixed fee is the differentiator. Most UK consultancies charge by the day, so a 100-person organisation pays significantly more for the same outcome. My approach is structured so I know what good looks like, and the fee reflects that, not your headcount.
Book a discovery call if you want to talk it through.
Should You Use a Compliance Automation Tool?
A lot of people ask me about compliance tooling, such as Vanta. Or Drata. Or Sprinto. Or Secureframe. The pitch is seductive: connect your tools, automate evidence collection, and sail through your audit. The reality is more nuanced; I’m not saying they are good or bad, but they can be a high cost for a small business.
Here’s a clear-eyed take on when these platforms genuinely earn their keep, and when they’re a sledgehammer cracking a walnut.
What they actually cost in 2026
Pricing on these platforms is rarely on their websites and almost always quoted in USD, but here’s where the market sits based on my research (but please do not take these as official pricing quotations):
- Sprinto: from around $4,000/year (~£3,200) for a small organisation
- Vanta: from around $10,000/year (~£8,000) for the entry tier, scaling to $80,000+ for larger orgs
- Drata: from around $15,000/year (~£12,000), scaling to $100,000+ for enterprise
- Secureframe: broadly similar to Vanta
Three things to know before you sign anything:
The platform is on top of audit fees, not instead of them. So, you still pay £6,000-£10,000+ to a certification body. The platform is an additional cost.
Year 2 pricing is rarely the same as year 1. Multiple buyers have reported staggering 15-20% renewal increases as standard, with some seeing year-2 fees double. If you are in a position to, always negotiate either a price cap (a 5% maximum uplift is reasonable) or a fixed price for 3 years before you sign.
Add-on frameworks cost extra. If you’re sold on a SOC 2 base plan and later want to add ISO 27001, the cost typically jumps by 30-45% if added mid-contract rather than bundled at signing. Bundle upfront if you’ll need multiple standards.
For an SME spending on consultancy and the audit, adding £8,000-£15,000/year for a platform on top is a substantial uplift. It needs to earn its keep.
When a platform genuinely helps
There are real scenarios where the maths works:
- You’re chasing multiple frameworks at once. ISO 27001 plus SOC 2 plus HIPAA plus GDPR? A platform that maps controls across all of them and collects evidence once will save real time. The unit economics start to make sense at three or four frameworks, less so at one. Certainly, if I were doing that, I’d look at a tool rather than trying to manage multiple controls across different standards in spreadsheets, etc.
- You have a tech-forward, cloud-native infrastructure. Vanta and Drata excel when your stack includes AWS, GitHub, Okta, and a handful of SaaS tools that integrate cleanly with those platforms. Continuous monitoring of cloud configuration is genuinely useful, but probably more than most smaller businesses need.
- You have continuous compliance demands. If you’re frequently reissuing trust reports to enterprise customers, a platform’s “trust centre” feature (where prospects can self-serve your compliance evidence) reduces sales-cycle friction.
- You have a security team but no compliance specialist. Engineers can interpret a Vanta dashboard, and they like data and actions. In my experience they can’t always interpret the ISO 27001 standard as easily, as they often don’t like reading things (no joke). The platform translates between the two.
When it’s a sledgehammer for a walnut
For most of the SMEs I work with, a platform is overkill in year one. Specifically, if you are just looking to get 27001 with no fuss and no frills, a compliance tool could be overkill. If your tech stack isn’t built on the SaaS tools these platforms integrate with, the integrations might not work as well, and if you are a small team with simple needs, a spreadsheet will probably be enough.
The big myth: “The platform will do it for you”
This is where I push back hardest: people simply assume the tool will walk them through the standard like a ‘to-do list’. These platforms are excellent at automating evidence collection for technical controls. They are not excellent at:
- Defining your scope properly (still a human judgement call)
- Running your risk assessment (the platform helps, but you still need to understand your business)
- Writing your Statement of Applicability (the platform suggests, you decide)
- Conducting a real internal audit (the platform’s “audit readiness” check is not the same as an ISO 27001 internal audit)
- Embedding security culture in your organisation (no software fixes this)
- Sitting in front of an auditor and explaining how your ISMS actually works (you do this)
The platform is a tool. It is not a substitute for thinking, deciding, and owning your security posture. 27001 is a lot about human practices, not automated measurements and controls.
How to Keep ISO 27001 Costs Down (Without Cutting Corners)
Here’s some basic advice when it comes to controlling costs:
- Be realistic about whether you need UKAS accreditation. If your customers don’t insist on it (and most B2B customers don’t), a reputable non-accredited certifier will save you £5,000-£10,000 and several months. You can always upgrade later if a major contract requires it. It’s the same standard, just audited to a lighter level. This is the biggest area of quick cost savings, and a reasonably easy decision for most.
- Scope tightly. Certify the part of your organisation that customers actually care about. A startup doesn’t need to certify the marketing team to win an InfoSec questionnaire from an enterprise prospect.
- Use templates instead of writing from scratch. Free or low-cost toolkits cover every mandatory document. Customise them to match your reality (auditors can spot generic templates that aren’t followed in practice). My toolkit covers everything mandatory.
- Get three audit quotes. Auditor pricing varies more than people expect. Same audit, different certification body, 30%+ price difference is common.
- Negotiate fixed-fee consultancy. Day-rate consultancy is open-ended by design. Fixed fees give you certainty and align the consultant’s incentives with finishing the job rather than extending it.
- Run a thorough internal audit before certification. Failed audits can lead to re-audits (check with your provider about their approach), which may incur another fee. Spending a few hundred pounds on a robust internal audit is far cheaper than a re-audit charge.
- Don’t over-engineer. ISO 27001 asks for “appropriate” controls, not maximum security. A spreadsheet-based asset register meets the standard if you actually maintain it. You don’t need a £15,000 GRC platform in year one. I talk a lot about my approach to Minimal Viable Compliance when coaching people, with a focus on keeping it simple from day one.
Frequently Asked Questions
What’s the cheapest way to get ISO 27001 certified without cutting corners?
The DIY route, using my £85 toolkit and £285 online course, is the lowest-cost path if you have an internal person who can run with it. You’ll still pay £3,500-£6,000 for the audit, so the total year-one cost is around £4,000-£7,000. The trade-off is your time. Some small organisations make this work brilliantly; others find they should have hired help from the start.
Do I really need UKAS-accredited certification?
Probably not. UKAS accreditation is required for NHS, defence and central government contracts, and some large-enterprise procurement frameworks. For most B2B SaaS, professional services, and SME contexts, a non-accredited certificate from a reputable body is accepted. It saves time, money, and lets you certify with a shorter records history. You can upgrade to UKAS later if a specific contract demands it.
Can I just buy templates and pass the audit?
Templates accelerate the work, but they don’t substitute for it. You still need to customise them to match your actual practices, run a real risk assessment, and embed the ISMS in how the team operates. Auditors are good at spotting templates that aren’t lived. If you’ve got someone internal who can take ownership and adapt the documents, templates are a smart cost-saver.
What are the hidden or unexpected costs people forget about?
The most-missed costs are: internal staff time (especially for DIY), training for ISMS owners, re-audit fees if you fail the first time, and ongoing surveillance audits in years 2 and 3. Add a 10-15% contingency to your initial budget.
How can I reduce ISO 27001 certification costs without compromising quality?
Five things, in order of impact: tighten scope, choose non-accredited unless you genuinely need UKAS, use templates rather than writing from scratch, get multiple audit quotes, and use a fixed-fee consultant rather than a day-rate engagement.
How long does ISO 27001 take?
For an SME starting fresh, six to nine months from kick-off to a UKAS certificate is realistic. With my fixed-fee consultancy and non-accredited certification, I aim for 90 days, but that depends on your team’s availability and how quickly you can produce the inputs I need. Faster than that is possible but unusual.
Final Thoughts
ISO 27001 in 2026 is more expensive than it was two years ago. Day rates are up, the auditor market is tight, and procurement pressure is pushing more organisations into the UKAS-accredited route whether they need it or not.
What hasn’t changed: the fundamental cost levers are scope, route, and the amount of help you bring in. A focused scope and a fixed-fee consultant can get a small business certified for under £10,000 all-in. A sprawling scope, a day-rate consultancy and a UKAS audit can easily push you past £25,000 for the same outcome.
If you want to talk through where you’d land, book a discovery call or grab the free toolkit and start having a look. No pressure either way.
Additional Perspectives From Other Sources
To get a fully rounded view of ISO 27001 certification costs, here are some curated articles that may help you:
- IT Governance – Typical ISO 27001 Certification Costs: Offers a comprehensive cost table based on organisation size, with estimates ranging from £6,250 to £33,750 for initial certification. It also explains audit durations and the factors that influence pricing.
- YourISO – UK Business Guide to ISO 27001 Costs: Breaks down costs into certification body fees, consultancy, internal resources, and recertification. Includes a case study and comparison between UKAS and non-UKAS certification bodies.
- Cyber Sierra – Complete Cost Breakdown: Provides real-world insights from CISOs, covering hidden costs, employee time, and consulting fees. Estimates total costs from $6,000 to $75,000+, depending on company size and approach.
- OneTrust – ISO 27001 Certification Cost Breakdown: Compares three approaches: DIY, consultant-led, and platform-based, with cost ranges for each. Includes audit costs and long-term maintenance, plus tips for minimising expenses.
Author Background
This article was written by Alan Parker, an ISO 27001 consultant and founder of Iseo Blue Limited. He helps UK SMEs achieve certification in 90 days or less, often without a dedicated security team or a large budget.
With over 30 years in IT governance and information security, Alan works with software companies, IT service providers, managed service providers, and professional services firms across the UK, Europe, and internationally.
Qualifications: B.Sc (Hons) Information Systems, CISMP certified, ITIL v3 Expert, ITIL v4 Bridge, PRINCE2 Practitioner. Named IT Project Expert of the Year (2024, UK). Alan writes in plain English for busy teams who need to get things done.
Connect on LinkedIn or Bluesky, or explore his free ISO 27001 tools and templates at iseoblue.com.