What does ISO 27001 really cost?

Total cost of a first-time ISO 27001 certification for a mid-size organisation typically sits between £22,000 and £130,000 over three years. This range covers: external audit fees (£13,000-£35,000 over three years), internal effort for project management, implementation and evidence collection (typically 50-80 person-days), tooling (ISMS software from £450/month up to £4,500/month), optional consultancy (£18,000-£90,000). Internal effort drops 40-70% when modern ISMS software is used.

External audit cost depends on organisation size, number of sites, scope, and certification body. Typical day rates for accredited auditors: £1,300-£2,200. For a mid-size single-site organisation with ~100 staff: Stage 1 audit (1-2 days, £2,600-£4,400), Stage 2 audit (3-5 days, £6,600-£11,000), annual surveillance audits (1-2 days each), recertification after 3 years. Over the 3-year cycle: approximately £13,000-£26,000 in external audit cost alone.

The largest costs often hide in internal effort — and are routinely underestimated. Typical line items: project management (20-40 days at £700/day = £14,000-£28,000), information security specialists for implementation (30-60 days), documentation and policies (15-25 days), staff training (0.5 day × headcount), management reviews (4-8 days of leadership time). For a typical mid-size firm this totals £35,000-£70,000 of internal effort in year one.

ISMS software is the single biggest lever for reducing cost. Without a tool you lose 50-80% more time on evidence collection, policy maintenance and audit preparation. Typical price ranges: standard ISMS tools (verinice, Fuentis, Antares) £450-£1,800/month, enterprise GRC platforms (ServiceNow GRC, RSA Archer) £2,700-£13,500/month, modern multi-framework platforms like Matproof £900-£4,500/month with significantly higher automation. Annual cost: £5,400-£54,000 depending on ambition.

Not strictly — but a consultant typically shortens certification from 12-18 months to 6-9 months. Consultant costs for first-time certification: fixed-scope advisory £18,000-£35,000, 6-month embedded support £45,000-£70,000, full-project implementation £70,000-£130,000. Alternative: modern ISMS software with built-in templates and expert components (e.g. Matproof's partnership model at £1,800-£3,500/month) reduces consultant need by 60-80%.

Five levers: (1) Tight scope — certify only critical areas, not the whole organisation. (2) Modern ISMS software with evidence automation reduces internal effort 50-70%. (3) Combine with other certifications (SOC 2, NIS2, TISAX) for cross-framework reuse. (4) Run internal audits before the external Stage 1 — reduces surprises. (5) Get three quotes from certification bodies — prices vary 30-50%. Matproof customers typically report 30-50% cost reduction versus classic ISO projects.

Recertification (mandatory every three years) is usually 30-50% cheaper than the first certification: external audit cost £7,000-£16,000, internal effort 15-30 person-days (because processes are established), and for Matproof customers often minimal because the system shows current compliance status on demand. Annual surveillance audits (£3,500-£7,000 each) fall between certification cycles — the system must be maintained continuously.

An ISO 27001 accredited certification is one issued by a certification body that is itself accredited by a national accreditation authority (UKAS in the UK, DAkkS in Germany, RvA in the Netherlands). Only accredited certifications are recognised by regulators and enterprise buyers. Non-accredited certificates are typically 40-60% cheaper but carry no regulatory weight. Always check UKAS (or local equivalent) accreditation before paying for an audit.