Transparent pricing
What ISO 27001 actually costs in the UK (2026)
Three separate costs make up ISO 27001: getting ready, the certification body's audit, and keeping the certificate alive. Most of this market hides at least one of them. All three are on this page, with our own fees published in full.
Cost one: readiness
Our readiness fees, fixed by headcount
One fixed fee covering the gap analysis, the ISMS build, documentation, risk assessment, the clause 9.2 internal audit and support through both certification audit stages. No day rates and no scope creep: if it takes longer, that is our problem.
Up to 25 staff
REPLACE_WITH_PRICE_BAND_1
A focused ISMS, a small document set and the shortest route to Stage 1.
Start here76 to 200 staff
REPLACE_WITH_PRICE_BAND_3
Multiple departments in scope; more evidence, more interviews.
Start here200+ staff
REPLACE_WITH_PRICE_BAND_4
Scoped on the call; multi-site and group structures welcome.
Start hereFor context, published UK market analyses put consultancy-led readiness for organisations under 50 staff at roughly £8,000 to £15,000, rising with headcount. Prices exclude VAT.
Cost two: the audit itself
The certification body's fee, itemised
The audit is paid to your UKAS-accredited certification body, never to us, and it is priced in auditor days. Two independent UK market analyses put the 2026 UKAS rate at around £1,250 per day, and ISO 27006 sets minimum day counts by organisation size, which is why a genuine UKAS audit for even the smallest company starts around £6,250.
Beware quotes dramatically below that floor: they usually mean a non-accredited certificate, which your enterprise customers' due diligence teams will spot. Our guide to choosing a certification body covers how to compare quotes properly.
| Employees | Initial audit | Indicative fee |
|---|---|---|
| 1 to 10 | 5 audit days | around £6,250 |
| 11 to 25 | 7 audit days | around £8,750 |
| 26 to 45 | 8.5 audit days | around £10,625 |
| 46 to 100 | 11+ audit days | around £13,750+ |
Indicative figures from published 2026 UK market analyses at ~£1,250/day against ISO 27006 minimum day counts. Your chosen certification body quotes its own fee. Surveillance audits (annual) are smaller, typically £1,500 to £3,000.
Cost three: year two onwards
Certificates run on a three year cycle: annual surveillance audits in years two and three, then full recertification. Budget the surveillance fee plus the internal effort of keeping the ISMS true to how you actually operate, or a maintenance retainer if you would rather we carried it. The expensive version of ISO 27001 is the one rebuilt from scratch every third year because nobody owned it in between.
Sense-check us
The three routes, costed side by side
Year-one totals from published UK market analysis. We sell one of these routes; the full comparison is straight about when the other two are the better call.
DIY with a toolkit
Roughly £8,000 in year one
A few hundred pounds of templates, your own time in quantity, and the full UKAS audit fee. Cheapest on paper; the real cost is the months of internal effort and the risk of documents that do not match reality.
Compliance platform
Roughly £17,000 to £21,000 in year one
A software subscription that structures the work and collects evidence. Good tooling, but the subscription recurs every year, and the thinking is still yours to do.
Consultancy-led
Typically £21,000+ in year one all-in
Practitioners build the ISMS with you and carry you through the audit. The route we sell, and the right one when you need certification done properly, first time, without consuming your team.
Client results
What our clients say
Get your number
Get a fixed fee for your certification
A free 45 minute scoping call confirms your band, your certification body options and one firm figure for the whole journey.