ISO 27001 Certification Cost UK: What Small Businesses Actually Pay
Published 22 March 2026 · Last reviewed 23 February 2026
How much does ISO 27001 certification cost in the UK? For most small businesses with 5–100 employees, the honest answer is £8,000–£25,000 in year one. The majority land somewhere between £12,000 and £18,000. That is more than ISO 9001 certification, and there are good reasons why. ISO 27001 certification cost in the UK is higher because the standard demands more audit days, a formal risk assessment methodology, a Statement of Applicability covering 93 Annex A controls, and — in most cases — penetration testing before you go anywhere near an auditor.
This is the full 2026 breakdown, covering every cost category a UK SMB will face on the road to ISO 27001 certification.
Why ISO 27001 Costs More Than ISO 9001
Before the numbers, it helps to understand why the price tag is higher. ISO 9001 is a process-focused standard. ISO 27001 is a controls-focused standard. That distinction drives cost at every stage:
- More audit days. An ISO 27001 certification audit typically requires 1–2 more auditor days than an equivalent ISO 9001 audit, because the auditor must assess your Statement of Applicability, test control implementation, and review your risk treatment plan.
- 93 Annex A controls. Each control must be assessed, implemented or justified as not applicable, and documented in the Statement of Applicability. That is a significant documentation effort before the auditor arrives.
- Mandatory risk assessment. ISO 27001 requires a formal information security risk assessment methodology — not a generic risk register, but a structured approach to identifying, analysing, and treating information security risks.
- Penetration testing. While ISO 27001 does not explicitly require pen testing, most certification bodies expect to see recent test results as evidence that technical controls are working. Skipping it is a risk most businesses cannot afford.
- Specialist knowledge. Information security consultancy commands higher day rates than quality management consultancy, because the skill set is more specialised.
If you have already been through ISO 9001 certification, you will recognise the structure. The management system clauses (4–10) overlap significantly. But the Annex A controls, risk assessment, and technical evidence requirements add layers that ISO 9001 simply does not have.
The Six ISO 27001 Certification Cost Categories
1. Certification Body Fees
This is the fee you pay to a UKAS-accredited certification body (CB) to conduct your Stage 1 and Stage 2 audits. UKAS — the United Kingdom Accreditation Service (ukas.com) — accredits certification bodies operating in the UK. Using a UKAS-accredited CB matters: many procurement frameworks, government contracts, and client due diligence processes specifically require UKAS accreditation.
ISO 27001 certification body fees are higher than ISO 9001 because the audit scope is broader. The Stage 1 audit (documentation review) focuses on your ISMS scope, risk assessment methodology, Statement of Applicability, and risk treatment plan. The Stage 2 audit (on-site or remote assessment) tests control implementation across every applicable Annex A control.
Typical UKAS-accredited certification body fees for UK SMBs:
| Company Size (Employees) | Stage 1 + Stage 2 (Year 1) | Typical Audit Days |
|---|---|---|
| 1–10 | £3,500–£5,000 | 3–4 days |
| 11–25 | £4,500–£6,500 | 4–6 days |
| 26–50 | £5,500–£7,000 | 5–7 days |
| 51–100 | £6,500–£8,000 | 6–8 days |
These figures are based on published rates and quotations from multiple UKAS-accredited CBs as of early 2026. Your actual quote depends on scope complexity, number of sites, and the maturity of your ISMS. Companies with complex IT environments or multiple locations will sit at the higher end.
Get at least three CB quotes. Prices for the same scope vary by 30–40% between accredited bodies. The UKAS directory lists all accredited certification bodies for ISO 27001.
2. Consultancy Costs
Information security consultancy is the biggest variable in ISO 27001 certification cost. You can do everything yourself, hire a consultant for the full implementation, or pick specific areas where you need help.
Typical UK consultancy costs for ISO 27001:
| Service | Typical Cost |
|---|---|
| Full ISMS implementation support (15–25 days over 3–9 months) | £6,000–£12,000 |
| Gap analysis only (1–2 days) | £1,000–£2,500 |
| Risk assessment and Statement of Applicability (3–5 days) | £2,000–£4,000 |
| Policy and procedure pack creation (5–8 days) | £3,000–£6,000 |
| Internal audit (1–2 days) | £800–£1,500 |
ISO 27001 consultant day rates in the UK typically run £600–£1,400, higher than ISO 9001 rates because the work requires information security expertise rather than general quality management knowledge. London rates sit at the upper end.
You can reduce consultancy costs by doing preparation work yourself. Start with a gap analysis against all 93 Annex A controls and the management system clauses. If your team has someone with information security experience, they can handle much of the risk assessment and policy drafting. A consultant who arrives to a well-prepared organisation might need 8–12 days rather than 20+.
For organisations also pursuing ISO 9001, there is significant overlap in the management system clauses. If you have an existing QMS, your consultant can build on that foundation rather than starting from scratch. Our ISO 9001 cost estimator can help you model the quality management side if you are running both standards.
3. Internal Staff Time
This is the cost most businesses undercount. Someone — usually a combination of IT and management — needs to:
- Conduct the information security risk assessment
- Write or update information security policies (typically 15–25 policies)
- Create the Statement of Applicability, documenting decisions on all 93 Annex A controls
- Implement technical and organisational controls
- Set up evidence collection and record-keeping processes
- Conduct a management review
- Run an internal audit
- Train staff on information security awareness
- Manage corrective actions from internal audits
For a typical 20–30 person UK SMB, expect the person leading implementation to spend 3–5 days per week on it for 3–6 months. That is 150–300 hours of internal effort.
If that person earns £40,000–£55,000 per year, the internal cost of their time is roughly £3,000–£5,000. For smaller businesses where the founder or a senior manager handles it alongside their normal role, the cash cost may be lower but the opportunity cost is real. Those are hours not spent on revenue-generating work.
The documentation workload is heavier than ISO 9001. Where an ISO 9001 quality manual might be a single document with supporting procedures, ISO 27001 requires a risk assessment report, risk treatment plan, Statement of Applicability, and individual policies for areas like access control, cryptography, supplier relationships, and incident management.
4. Penetration Testing
Penetration testing sits in its own category because it is a significant cost that ISO 9001 does not require. While ISO 27001 does not contain the words "penetration test," Annex A control A.8.8 (Technical vulnerability management) requires organisations to identify and address technical vulnerabilities. In practice, most UKAS-accredited auditors expect to see a recent penetration test report as evidence.
Typical penetration testing costs for UK SMBs:
| Scope | Typical Cost |
|---|---|
| External infrastructure (web applications, public-facing services) | £2,000–£3,500 |
| Internal and external infrastructure | £3,000–£5,000 |
| Web application testing (per application) | £1,500–£3,000 |
Most small businesses need at minimum an external infrastructure test and a web application test if they run customer-facing software. Budget £2,000–£5,000 for initial testing, depending on your footprint.
Penetration testing is also an ongoing cost. Annual retesting is standard practice, and your surveillance auditor will want to see current results. Some businesses reduce the scope in subsequent years if the environment has not changed significantly.
5. Tools, Training, and Miscellaneous
These individual items are modest but add up:
- Copy of the standard: ISO/IEC 27001:2022 costs £138 from BSI. You need at least one copy. If you are also working with ISO 9001, that is another £138 for ISO 9001:2015 (or the 2026 edition when it publishes — see our ISO 9001:2026 revision guide).
- Information security awareness training: ISO 27001 requires all staff to receive awareness training. Budget £500–£1,500 for initial training across a 20–30 person company, depending on whether you use an online platform or in-person sessions.
- Security tooling: You may need to invest in or formalise tools for vulnerability scanning, endpoint protection, SIEM, or backup monitoring. Many SMBs already have these in place but need to document and evidence them. Budget £0–£2,000 depending on gaps.
- Document management: Some businesses invest in an ISMS platform for policy management, risk registers, and audit tracking. Costs range from free (spreadsheets and shared drives) to £100–£400/month for dedicated platforms.
- Internal auditor training: ISO 27001 internal auditor courses typically run £400–£800 per person for a two-day course.
6. Surveillance Audits and Ongoing Annual Costs
Certification is a three-year cycle, not a one-off:
- Year 1: Initial certification (Stage 1 + Stage 2)
- Year 2: Surveillance audit 1 (typically 2–3 days)
- Year 3: Surveillance audit 2 (typically 2–3 days)
- Year 4: Recertification audit (similar to initial, 4–6 days)
Surveillance audit fees for a 10–50 employee company typically run £2,000–£3,500 per year. That is higher than ISO 9001 surveillance costs because the auditor needs time to sample Annex A controls and review your risk treatment plan updates.
Annual ongoing costs beyond CB fees:
| Ongoing Cost | Annual Estimate |
|---|---|
| Surveillance audit (CB fees) | £2,000–£3,500 |
| Annual penetration testing | £2,000–£4,000 |
| Security tooling and licences | £500–£2,000 |
| Staff awareness training (refresher) | £300–£800 |
| Internal audit (staff time or external) | £500–£1,500 |
| Total annual ongoing | £5,300–£11,800 |
Budget £5,000–£12,000 per year to maintain ISO 27001 certification. This catches businesses out — they plan for year one but not years two and three.
Total First-Year ISO 27001 Certification Cost UK: Summary
| Cost Category | Low Estimate | High Estimate |
|---|---|---|
| Certification body (Stage 1 + 2) | £3,500 | £8,000 |
| Consultancy | £3,000 | £12,000 |
| Internal staff time | £2,000 | £5,000 |
| Penetration testing | £2,000 | £5,000 |
| Standard, training, tools, misc. | £500 | £3,000 |
| Total Year 1 | £11,000 | £33,000 |
Most UK SMBs with 10–50 employees, using some consultancy support, land between £12,000 and £18,000 in year one.
Cost estimates last verified February 2026 against published rates from UKAS-accredited certification bodies, UK-based information security consultancies, and CREST-accredited penetration testing firms. Actual costs vary by scope, complexity, and provider. Get quotes for your specific situation.
For comparison, ISO 9001 certification typically costs £5,000–£15,000 for the same size of business. The difference is driven by the additional audit days, penetration testing, and the specialist consultancy that ISO 27001 demands.
How to Reduce ISO 27001 Certification Cost
Get multiple CB quotes. This is the single easiest saving. Three quotes from UKAS-accredited bodies will show you the range. Do not assume the most expensive CB is the most thorough — accreditation ensures a baseline standard.
Do your gap analysis first. Before engaging a consultant, work through the 93 Annex A controls and the management system clauses yourself. Identify what you already have in place. A consultant who receives a completed gap analysis needs fewer days than one starting with a blank sheet.
Build on existing management systems. If you already hold ISO 9001, your management system clauses (context of the organisation, leadership, planning, support, operation, performance evaluation, improvement) are largely done. The integration saves both consultancy and audit time. Our ISO 9001 gap analysis checklist covers the management system foundation that both standards share.
Start with your biggest risks. Not all 93 controls require the same level of effort. Focus implementation time on controls that address your most significant risks. The Statement of Applicability lets you justify proportionate implementation — a 15-person consultancy does not need the same access control infrastructure as a bank.
Use the right level of documentation. ISO 27001 requires documented information for specific items (risk assessment, Statement of Applicability, policies, procedures for key controls). It does not require a 200-page manual. Write what is necessary, not what looks impressive. If you have been through the DIY ISO 9001 route, you already know the principle: document what you do, do what you document.
Bundle penetration testing with ongoing contracts. Many penetration testing firms offer discounted rates for annual retesting agreements. Negotiate the year-one and year-two tests together.
Use tools to reduce manual effort. For the ISO 9001 side of an integrated system, the readiness quiz gives you a baseline assessment in under five minutes.
ISO 27001 vs ISO 9001 Certification Cost: Quick Comparison
| | ISO 9001 | ISO 27001 |
|---|---|---|
| Typical Year 1 total (10–50 employees) | £7,000–£15,000 | £12,000–£18,000 |
| CB fees (Stage 1 + 2) | £2,000–£7,000 | £3,500–£8,000 |
| Typical audit days (Stage 1 + 2) | 3–5 days | 4–8 days |
| Consultancy day rate | £500–£1,200 | £600–£1,400 |
| Penetration testing | Not required | £2,000–£5,000 |
| Annual surveillance | £1,200–£2,500 | £2,000–£3,500 |
| Annual ongoing total | £2,000–£5,000 | £5,000–£12,000 |
If you are considering both standards, an integrated audit typically saves 20–30% on CB fees compared with two separate audits.
Practical Checklist: Before You Spend Money
Use this checklist to avoid overspending on ISO 27001 certification:
- Define your scope. A narrower scope means fewer audit days and fewer controls to implement. Certify the part of your business that handles sensitive information, not necessarily the entire company.
- Get three CB quotes. Compare UKAS-accredited bodies. Ask for a breakdown of audit days, not just a total price.
- Run a gap analysis. Work through the 93 Annex A controls and Clauses 4–10 before engaging a consultant. Know what you already have.
- Assess your risk. Conduct a basic risk assessment before consulting. Even a rough version clarifies where your biggest gaps are.
- Budget for penetration testing. Get quotes early. If you have never had a pen test, expect findings that need remediation before your Stage 2 audit.
- Plan for ongoing costs. Year one is the biggest outlay, but budget £5,000–£12,000 per year for surveillance audits, pen testing, and tooling.
- Check for management system overlap. If you already hold ISO 9001, quantify what carries across. The management system clauses are nearly identical.
- Model your costs. Use the ISO 9001 cost estimator for the quality management side if you are running an integrated system.
Key Takeaways
- Total first-year ISO 27001 certification cost for a UK SMB typically ranges from £8,000 (small scope, experienced team) to £25,000 (larger scope, full consultancy support). Most land £12,000–£18,000.
- Certification body fees run £3,500–£8,000 for initial certification, depending on company size and scope complexity.
- Consultancy is the biggest variable: £3,000–£12,000 depending on how much preparation you do yourself.
- Penetration testing adds £2,000–£5,000 that ISO 9001 does not require.
- Ongoing annual costs of £5,000–£12,000 catch businesses out. Budget for surveillance audits, annual pen testing, and security tooling from day one.
- If you also hold or plan to pursue ISO 9001, an integrated approach saves 20–30% on audit fees. See our ISO 9001 cost breakdown for the full comparison.
This article is for general informational purposes only and does not constitute legal, regulatory, or professional compliance advice. ISO certification requirements vary by scope, sector, and certification body. Always verify requirements with your UKAS-accredited certification body or a qualified consultant before making compliance decisions.