ISO 27001 cost calculator, what to budget for your ISO 27001 project and practical strategies to reduce your ISO 27001 costs.
Table of contents
- How much does ISO 27001 Certification Cost?
- ISO 27001 Certification Cost Calculator
- Preparation Costs
- Implementation Costs
- Certification Audit costs
- On Going Costs
- Mistakes People Make
- The 2025 Changes to ISO 27001 Costs
- Factors that affect ISO 27001 Certification Costs
- ISO 27001 Cost Video
- ISO 27001 Certification Cost FAQ
How much does ISO 27001 Certification Cost?
Audit preparation costs
Audit preparation costs | £300 – £10,000 |
---|---|
ISO 27001 + ISO 27002 Standard Documents | £300 |
Gap Analysis [optional] | £3,500 – £10,000 |
Implementation costs
Implementation costs | £500 – £40,000 |
---|---|
ISO 27001 toolkit [optional] | £500 |
ISO 27001 consultant [optional] | £40,000 |
ISO 27001 platform [optional] | £40,000 |
ISO 27001 Training cost [optional] | £2,500 |
Staff Training Cost | £50 per employee |
Internal Resource cost | varies |
Certification Audit costs
Certification Audit Cost | £3,500 – £50,000 |
---|---|
Internal Audit | £3,500 – £10,000 |
ISO 27001 Stage 1 + 2 certification audit | £8,000 – £40,000 |
ISO 27001 Surveillance audit | £3,000 – £10,000 annually |
Total cost of ISO 27001 Certification: £5,000 – £90,000
ISO 27001 Certification Cost Calculator
ISO/IEC 27006-1:2024 Information security, cybersecurity and privacy protection — Requirements for bodies providing audit and certification of information security management systems – sets out the audit approach and suggested audit days based on number of employees.
The number of audit days is usually based on the number of employees. Certification bodies are provided a guide for the number of audit days. This number will be consistent irrespective of which certification body you choose.
The table below outlines the recommended ISMS audit durations based on organisation size and an average day rate of £1,250 for simplicity and has been updated to reflect the 2025 costs.
Number of employees | Number of Audit Days | Estimated ISO 27001 Cost |
---|---|---|
1 – 10 | 5 | £6250 |
11 – 15 | 6 | £7500 |
16 – 25 | 7 | £8750 |
26 – 45 | 8.5 | £11250 |
46 – 65 | 10 | £12500 |
66 – 85 | 11 | £13750 |
86 – 125 | 12 | £15000 |
126 – 175 | 13 | £16250 |
176 – 275 | 14 | £20625 |
276 – 425 | 15 | £21875 |
426 – 625 | 16.5 | £23125 |
626 – 875 | 17.5 | £24375 |
876 – 1175 | 18.5 | £25625 |
1176 – 1550 | 19.5 | £26875 |
1551 – 2025 | 21 | £28125 |
2026 – 2675 | 22 | £29375 |
2676 – 3450 | 23 | £30625 |
3451 – 4350 | 24 | £31875 |
4351 – 5450 | 25 | £33125 |
5451 – 6800 | 26 | £34375 |
6801 – 8500 | 27 | £35625 |
8501 – 10700 | 28 | £36875 |
The list of the best ISO 27001 certification companies.
Preparation Costs
In the preparation phase you are getting a copy of the ISO 27001 standard so you know what must be done and you are doing an assessment of where you are in relation to the standard.
ISO 27001 and ISO 27002 Standard Documents: £350
ISO 27001 is the information security management system and ISO 27002 is the information security controls with implementation guidance. You will require a copy of both documents.
You can download ISO 27001 and download ISO 27002 from the ISO Standards website.
Gap Analysis (optional): free to £5,000
Once you have the standard you will then assess how close you are to meeting it, the gaps you have and the work required to close the gaps.
You have the option to engage an ISO 27001 professional or to conduct the gap analysis yourself.
Implementation Costs
Putting in place the documents, templates, policies and processes of the management system and the associated controls will take a combination of time and money.
Either you are going to pay in your time to do it yourself or in money for someone to do it for you.
ISO 27001 toolkit cost (optional): £500
Building an ISMS can be both costly and challenging. You can do it yourself and save considerable cost, time and effort by using a proven ISO 27001 Toolkit.
ISO 27001 consultant cost (optional): £5,000 to £40,000
Using an ISO 27001 consultant is a well-proven strategy for achieving ISO 27001 certification. Consultants come with experience as well as the tools to do the job. They are best positioned to advise on the implementation of information security controls that are tailored to your organisation, your risks, your budget and your needs. An ISO 27001 consultant can do as little or as much as you need, including sitting in on the ISO 27001 certification audit with you.
The typical ISO 27001 consultant cost is £20,000 or between £1,250 and £1,500 per day.
ISO 27001 platform cost (optional): £5,000 to £100,000
ISO 27001 platforms vary in capability but are usually targeted at larger organisations with their primary focus being on document storage and automation.
ISO 27001 Training cost (optional): £2,500
When you implement ISO 27001 you need to have someone who is trained and/or experienced in ISO 27001. If you are not using a consultant then official ISO 27001 training should be considered. You can choose between ISO 27001 Lead Implementer and ISO 27001 Lead Auditor.
Staff Training cost: ~£50 per employee
ISO 27001 has an information security training requirement and it is good practice when building your management system and implementing a culture of information security. There are many platforms providing comprehensive information security training packages.
Internal Resource cost: varies
It is difficult to estimate the internal resource costs but productivity costs are the highest ISO 27001 costs you will have. The impact of ISO 27001 is across the organisation and will require changes to operational processes that will inevitably mean people are not focused on core role activities. This is a culture change and an operational change to the entire organisation.
A Comparison of ISO 27001 Implementation Options and Costs
Considering the approaches of doing it yourself, engaging a consultant, employing someone or getting a contractor, let us compare typical expected costs side by side.
Do It Yourself | Consultant | Employee | Contractor |
---|---|---|---|
circa £500 | £5k to £40k | £40k+ per year | £40k to £160k |
30 to 90 days duration | 6 to 12 months duration | 6 to 12 months duration | 6 to 12 months duration |
Comes with all templates, policies, guides | Comes with all templates, policies, guides | Needs to write all policies | Will write all policies |
Track record of delivery and certification | Track record of delivery and certification | | |
Certification Audit costs
Internal Audit: ~£3,500 to £10,000
Internal audits are a requirement of the ISO 27001 standard and you must conduct at least one full internal audit before going for the certification audit. You can do this yourself with certain caveats but most people choose to get external help.
ISO 27001 Stage 1 + 2 certification audit: £8,000 – £40,000
The ISO 27001 certification audit is broken down in 2 audits. The cost calculator was provided above and is based on the number of employees that you have.
The stage 1 audit will review your information security management system and documentation.
The stage 2 audit is a show-and-tell where you will walk the auditor through your security controls with examples.
The certificate will be valid for 3 years and requires annual surveillance audits. These represent a recurring cost.
ISO 27001 Surveillance Audit Cost: £3,500 – £10,000 annually
ISO 27001 Surveillance Audits are the annual audits that are performed to maintain your ISO 27001 certification. Every year up to your recertification audit the certification body will come back and perform a mini audit to ensure that the management system is still working.
The cost of the ISO 27001 Surveillance Audit is roughly 1/3 the cost of your certification audit.
ISO 27001 Re-Certification Cost: £8,000 – £40,000
You will do a full re-certification audit every 3 years. This is exactly the same as the ISO 27001 certification audit. The cost of the ISO 27001 re-certification audit is exactly the same as the ISO 27001 certification audit. You can expect to pay more due to the effects of inflation, but the cost and process are otherwise exactly the same.
- Year 1 cost of £6,000 to £12,000
- Year 2 and year 3 cost of £2,000 to £5,000
- You then start the process over again and go back to Year 1.
On Going Costs
You would be forgiven for thinking that the costs for ISO 27001 end at certification. Sadly this is not the case. ISO 27001 is a management system that is based on continual operation and continual improvement. As a result of this there are several ongoing costs that you should consider. They include:
Resource cost: £12,000 – £60,000
There are many factors to consider but in brief, if you employ someone full time expect to pay £40,000 to £60,000 per year. If you outsource it expect to pay £12,000 to £36,000 per year. If you get an existing staff member to do it expect to pay training fees for them of around £2,000 to £5,000 per year.
Annual recertification audit cost: £3,500 – £10,000
To maintain the certification the certification body is going to audit you every year. It is actually a cycle of audits over 3 years but be prepared for audit costs for the next 2 years of around 33% of your year one cost. Then on the 3rd year you do the whole thing again from scratch with a full audit and at the full audit cost.
Annual operational cost: varies
The ISMS and associated controls have to be operated. This will come at a cost. The cost will either be in hiring new resources or in people’s time who will be diverted from their day job to complete the mandatory tasks required.
The biggest operational cost from the perspective of the standard will be the internal audit costs. I raise this here for special consideration as this is the one area that you are likely to require specialist resource that is independent of the areas being audited. Not only does the certification body audit you but you are expected to audit yourself on an ongoing basis. You can learn more about ISO 27001 Clause 9.2 Internal Audit to understand more on the requirement and read our guide on How to Conduct an Internal Audit to see what is involved and how you can do it yourself.
Mistakes People Make
Not knowing what you need
The number 1 mistake most people make is not knowing what they need and what their options are. They get sucked in by fancy marketing. They believe the hype that it is hard, when in fact it is not. They accept the high prices that are bandied around without question.
Not Shopping Around
The number 2 mistake most people make is not shopping around. An accredited certification is an accredited certification. Whilst you might believe the hype that they are not in it for profit, they are. The reality is that costs vary wildly. Do your research. Get at least 3 quotes. Choose the ISO 27001 Certification Body that meets your finance requirements, your values and your needs.
The 2025 Changes to ISO 27001 Costs
The 2025 update to ISO 27001 costs is based on average day rates; the typical industry day rate in 2025 is £1,250 per day. This is an increase of 20% in costs over the 2024 rates.
Factors that affect ISO 27001 Certification Costs
ISO 27001 certification costs can vary based on a number of factors. The consequences of getting these wrong means that costs can go up quickly and steeply.
There are several factors that affect the ISO 27001 certification cost. Here are the most common:
- The size of your organisation: The bigger you are, the more the certification body will charge you. It is as simple as that. This one is outside your control or influence, but be prepared for it.
- The scope of your ISO 27001 certification: You should spend time on defining your scope for certification including what is in scope and what is out of scope. The more that is in scope the more work you have to do and the more you need to be audited.
- The number of locations that are in scope: Once you have defined your scope work out how many locations are included. If they are your physical locations then an auditor will need to visit them. This will incur costs. More sites, more visits, more costs.
- The certification body you choose: Not all certification bodies are equal in what they charge. As a rule, the larger the certification body, the more they will charge. See more in the list of the best ISO 27001 certification companies.
ISO 27001 Cost Video
In this ISO 27001 costs overview you will learn the costs that you can expect and discover how much you can expect to pay.
ISO 27001 Certification Cost FAQ
ISO 27001 certification is the process of getting independent verification that you are meeting the requirements of the standard. The result of the ISO 27001 certification process is an ISO 27001 certificate that you can share with prospects, customers and clients.
When you have implemented the standard, have evidence that you are operating it and have completed an internal audit, you will apply for ISO 27001 Certification. The process of ISO 27001 certification is a 2 stage process.
Stage 1 will primarily look at your documentation and management system. The output of stage one is a recommendation to proceed to stage 2.
Stage 2 will look at evidence of the operation of controls. The auditor will review your documents and observe your processes in action.
Yes. They will tell you that they do not work on a day rate, but they do. As a result, the number of audit days will be fairly consistent between the certification bodies, but the rate they charge will differ. The product at the end, the ISO 27001 certification, is exactly the same. In fact they often outsource the certification audit itself to a small pool of independent contractor auditors. This means that irrespective of who you pay you can end up with the same auditor and will get the same product and the same outcomes. Get at least 3 quotes and shop around. Whilst the standard is the standard, the amount that you are quoted or charged will be different depending on the ISO 27001 certification body that you choose.
Different ISO 27001 certification bodies charge different amounts as they have different costs to account for. The amount that they pay their staff or consultants, the amount they charge for their processes, additional services that they provide, spend on marketing all contribute to the certification bodies charging different amounts.
Yes, sometimes. The industry relies on a pool of freelance consultants to perform the ISO 27001 audits, working for multiple ISO 27001 certification bodies at the same time. Sometimes a certification body will have full time, permanent staff, usually in an attempt to reduce costs. You should ask, when you engage with the ISO 27001 certification body, what staffing model they adopt.
On average the cost of an online ISO 27001 ISMS is between £10,000 and £100,000 per year. Expect to pay a set up fee and an ongoing maintenance fee. They are expensive and have many hidden fees.
An ISO 27001 consultant day rate will range between £400 and £1,500 per day depending on experience.
An ISO 27001 consultant will charge between £12,000 and £60,000 per year depending on what they do for you.
An ISO 27001 consultant's hourly rate will range from £50 per hour to £250 per hour depending on experience.
The actual ISO 27001 standard costs around £150. Shop around. It is also only 14 pages long.
No.
No.
There are no free ISO 27001 templates that are any good. Google is your friend but ‘buyer’ beware.
Partly because the ISO 27001 standard has been built in such a way that it excludes small business on cost. The ‘official’ framework of certification bodies is bureaucratic and doesn’t take into account the size of your organisation. They work on audit days not company size. It is not designed to be in your favour but, as they say, it is what it is.
It sounds simple but work out what you actually need.
Fundamentally it will come down to your costs versus your time.
Yes, you can get ISO 27001 certified without a consultant. HighTable provide an ISO 27001 Toolkit that allows you to do it yourself. It provides all the templates you need and an easy to follow step-by-step implementation guide.
No. There are many costs involved in ISO 27001 including annual audit costs and recertification costs.
It varies based on how you go about it but it typically takes 3-12 months.
The list of the best ISO 27001 certification companies.
The more that you can do yourself, the less it will cost you.
ISO 27001 is a management system that you will continue to operate, and each year it will be audited to ensure that you are still following it.
No. ISO 27001 certification must be carried out by an independent third party.
Yes, you can fail the ISO 27001 certification audit if you do not follow the ISO 27001 standard and meet its requirements.