It's gunna cost ya

How much does ISO 27001 cost

We look at what is the cost of ISO 27001 certification.

How much does ISO 27001 cost

Ever notice how companies duck the actual question when it comes to answering how much does ISO 27001 cost. Well here they are. Buckle up because it is not cheap. Is it worth it? Most certainly. But it isn’t cheap.

You have 2 lots of cost. You have ISO 27001 implementation cost and you have ISO 27001 certification cost.


Expect to pay £8,000 to £15,000

This is what you would expect to pay with me. Your implementation costs using our recommended approach of using an experienced consultant with documents, process, intellectual property and experience of getting companies certified.


Expect to pay £6,000 to £8,000

Your certification costs for Year 1 for someone to tell you you are doing the right thing and issue that all important certificate are going to be between £6,000 and £8,000 depending on the certification body you chose. We can’t control these costs but we can help you find the right certification body.

ISO 27001 Implementation

Our costs for an ISO 27001 implementation.

Good Value


The fully documented Information Security Management System required for ISO 27001 including Risk Management, Context of Organisation, Audit Management, Business Continuity, Supplier Management, Communication Plans, Training Plans, How to Guides customised, tailored, implemented and trained on.

from £3,000

Prices are ex VAT


Policy Set

Proven policies honed over decades of continual improvement and external ISO 27001 audit.

The required ISO 27001 policies being 23 policies that you need for the information security management system customised, tailored, implemented and trained on.


FROM £3,000

Prices are ex VAT

Good Value


There are 114 business controls that you need to have, implement and evidence. Don’t get me wrong you have work to do. Some business processes you may have, some you may not have, some may need improving. We know what’s needed and will help you but be prepared, you have work to do on your business processes.

optional – Est: £6,000

Prices are ex VAT

Good Value


Audits are daunting, right? When you are ready we will take the ISO 27001 audit for you. We don’t certify you but relax, we take the test for you.

optional – Est: £6,000

Prices are ex VAT


You have options on how you do it. The most popular ways and costs are below.

Do it yourself 

‘Free’ – expect it to cost a lot of time

The main cost of doing it yourself is going to be time. Depending on your experience and ability there is an ISMS to build, 114 controls to implement and a lot, and we mean, a lot of documentation to write. You have the option to purchase templates from the internet which can range range from tens of pounds to hundreds of pounds but be warned these are generic templates that require some work and usually come with no guarantees. Your cost here is employee wage costs and opportunity costs.

Use a Consultant

expect to pay £8,000 up to £15,000

A consultant will usually specialise and come with all of the intellectual property and documents needed as well as the implementation experience. They are going to build and deliver your information security management system. Optionally they may take the certification for you as well. What they won’t do is implement the 114 required controls but they can advise on the best way to do it.

Employ a Contractor

expect to pay £30,000 up to £120,000

Contractor costs are on a day rate so this cost can soon add up. Like a consultant the end result is the same but the relationship is one of a contractor who will be on the project full time from anywhere from 3 months if they are good, to 6 months typical up to 12 months if they see it as a good revenue stream for them. So expect to pay at the low end £30,000 up to £120,000.

Employ someone full time

expect to pay £40,000 up to £120,000

Full time employee costs are similar to the contractor costs with overhead of finding, training and keeping a full time employee. Resources with relevant experience are scarce but this is a good option for a larger or more mature business. Keeping them is another matter.


The break down

We don’t certify you so these are not our costs. These are the expected costs of the certification only. This is just to take the test and hopefully be issued the certificate. Before you consider any cost of implementation. ISO 27001 certification costs are high and can be a barrier for smaller business. An accredited certification from an accredited certification body is required to have any value.

Total Certification Cost for 1 Cycle

Expect to pay £9,000 to £14,000

Your certification costs alone over 4 years for someone to tell you you are doing the right thing and issue that all important certificate are going to be between £9,000 and £14,000, roughly for 1 cycle.

The Breakdown

Year 1

expect to pay £6000 to £8000

For you to take the test and get the ISO 27001 certificate you are in the region of £6000 to £8000 year 1 cost.

Years 2 / 3

expect to pay  £1,500 to £3,000

Oh, they didn’t tell you they come back every year to make sure you are doing what you said you were? They do and it will cost you anywhere between £1500 to £3000 for the pleasure.

Year 4

expect to pay £6,000 to £8,000

What is year 4 you ask? Well every 3 to 4 years typically you have to fully re-certify which means doing the whole of year 1 over again. Fun isn’t it. So be sure to budget for it.

High Table ISO 27001

20+ years in companies like yours across hundreds of ISO 27001 implementations and audits meeting FCA regulations. We have your back. Proven ISO 27001 policies, ISO 27001 documents and processes honed over decades of continual improvement and external ISO 27001 audit.

Author Stuart Barker - The Data Security Guy

More posts by Stuart Barker - The Data Security Guy

Join the discussion One Comment