The route decision

Three routes to ISO 27001, costed

Every ISO 27001 journey takes one of three routes: do it yourself with a toolkit, run it on a compliance platform, or have a consultancy carry it. We sell the third, which is exactly why this page owes you a straight account of the first two.

Factor DIY toolkit Compliance platform Consultancy-led
Year-one cost (published UK analysis) Roughly £8,000 all-in, most of it the UKAS audit Roughly £17,000 to £21,000 including subscription Typically £21,000+ all-in
Recurring cost Audit and surveillance fees only Subscription every year, plus audit fees Audit fees; maintenance support optional
Your team's time Months of it: the toolkit gives structure, you do everything Substantial: the platform organises the work, you still do it Hours in workshops and decisions; the drafting is done for you
Quality risk Template documents that describe a business that is not yours Checklist-driven ISMS shaped by the tool's model, not your risks Depends entirely on the consultancy; ask who does the work
Best when You have in-house security expertise with genuine spare capacity You want continuous compliance tooling and expect SOC 2 too You need it done properly, first time, without consuming the team

Year-one figures from published UK market analyses (2026); every route also pays the certification body's audit fee, itemised on the cost page.

The failure mode of each route

How each route goes wrong

Toolkits fail as shelfware: documents describing a fictional company, exposed the first time an auditor interviews a real employee. Platforms fail as dashboards nobody owns: green ticks accumulating over an ISMS no one is actually managing. And consultancies fail as dependencies: an ISMS the client cannot operate the day the consultant leaves.

We engineer against the third one deliberately: your team makes every decision that matters, the documents describe your real operation, and handover is a milestone in the plan, not an afterthought.

A fair self-test

Choose the toolkit if someone senior owns security full-time and has months of capacity. Choose a platform if continuous compliance tooling and SOC 2 are both on your roadmap. Choose consultancy when the certificate is deadline-driven, the team is at capacity, or the ISMS needs to be right first time. If you are unsure which describes you, that is what the gap analysis is for.

Quick answers

Route questions, answered

Which route is cheapest overall?

The toolkit route, if your team's time is free, which it is not. Published UK analysis puts toolkit year-one totals around £8,000 against £17,000 to £21,000 for platforms and £21,000+ for consultancy, but the toolkit number excludes months of internal effort. Price your own hours before calling it the cheap option.

Do compliance platforms replace a consultant?

They replace the filing cabinet, not the thinking. Platforms are genuinely good at evidence collection and continuous monitoring, and if SOC 2 is also on your roadmap they earn their subscription. The risk assessment, scoping decisions and audit judgement still have to come from somewhere.

Can we mix the routes?

Yes, and the mixes are often the sweet spot: a consultant-led build that hands over to a platform for maintenance, or a toolkit start with a practitioner reviewing the output and running the internal audit. We will recommend a mix when it serves you better than our full engagement; the comparison only stays credible if we mean it.

Why should we trust a consultancy's comparison of consultancies?

A fair challenge. The figures here are from published third-party UK analyses rather than our marketing, we name the situations where the other two routes win, and we sell no toolkit and no platform, so nothing on this page earns us a commission either way.

3D rocket illustration for booking a free ISO 27001 scoping call

Route undecided?

Get a recommendation with no commission behind it

A free 45 minute scoping call weighs your team, deadline and budget against all three routes, including the two we do not sell.