ISO 27001 Cost UK - Certification Pricing in GBP
UK-specific pricing for ISO 27001 certification: UKAS-accredited certification bodies, consultant day rates in GBP, Cyber Essentials alignment, and government procurement requirements.
Updated April 2026
UK Certification Cost by Company Size
| Size | Total (GBP) | Audit (GBP) | Consultant (GBP) | Approx USD |
|---|---|---|---|---|
| Micro (1-10) | GBP 8,000-20,000 | GBP 3,500-6,000 | GBP 3,000-10,000 | $10K-$25K |
| Small (11-50) | GBP 12,000-40,000 | GBP 4,000-8,000 | GBP 5,000-20,000 | $15K-$50K |
| Medium (51-250) | GBP 40,000-120,000 | GBP 7,000-20,000 | GBP 15,000-50,000 | $50K-$150K |
| Large (251-1K) | GBP 100,000-280,000 | GBP 15,000-40,000 | GBP 35,000-100,000 | $125K-$350K |
| Enterprise (1K+) | GBP 200,000-400,000+ | GBP 25,000-60,000 | GBP 50,000-150,000+ | $250K-$500K+ |
UK Certification Bodies (UKAS-Accredited)
| Certification Body | Day Rate (GBP) | UKAS | Best For |
|---|---|---|---|
| BSI | GBP 1,200-1,800 | Yes | Enterprise, government, defence |
| LRQA | GBP 1,100-1,500 | Yes | Technology, maritime, energy |
| Bureau Veritas | GBP 1,100-1,600 | Yes | Multi-national, manufacturing |
| NQA | GBP 800-1,200 | Yes | SMEs, cost-conscious organisations |
| Alcumus (ISOQAR) | GBP 800-1,100 | Yes | UK SMEs, construction, property |
| Assured Certification | GBP 750-1,000 | Yes | Micro and small organisations |
| QMS International | GBP 800-1,100 | Yes | SMEs in Midlands and North |
All listed certification bodies (CBs) are UKAS-accredited for ISO/IEC 27001:2022. Rates are indicative for 2026. London-based auditors may charge 10-20% more than regional CBs.
UK Consultant Day Rates
- Independent Consultant: GBP 800-1,200 per day
- Boutique Firm: GBP 1,000-1,500 per day
- Big Four-Adjacent: GBP 1,500-2,200 per day
Cyber Essentials as a Stepping Stone
Cyber Essentials (CE) and Cyber Essentials Plus (CE+) cover basic technical controls that map to several ISO 27001 Annex A controls. Getting CE/CE+ first is a smart strategy:
| Certification | Cost | Duration | ISO 27001 Overlap |
|---|---|---|---|
| Cyber Essentials | GBP 300-600 | 1-2 weeks | Covers 5 technical control areas |
| Cyber Essentials Plus | GBP 1,500-3,000 | 2-4 weeks | Verified testing of CE controls |
| ISO 27001 | GBP 12,000+ | 6-18 months | Full ISMS + 93 Annex A controls |
Achieving CE/CE+ before starting ISO 27001 demonstrates baseline security maturity, satisfies basic government requirements immediately, and reduces ISO 27001 gap analysis scope.
UK Government and G-Cloud Requirements
- G-Cloud (Digital Marketplace): ISO 27001 certification is strongly encouraged for G-Cloud suppliers. While not strictly mandatory, many buyers filter by ISO 27001 status. Having certification significantly increases your chances of winning G-Cloud contracts.
- Defence supply chain: ISO 27001 is typically required for MoD contracts involving sensitive data. Defence suppliers may also need additional clearances (SC, DV) and compliance with Defence Standard 05-138.
- NHS supply chain: The NHS Data Security and Protection Toolkit (DSPT) aligns with ISO 27001. Having ISO 27001 simplifies DSPT compliance and is increasingly expected by NHS trusts and ICSs.
- Procurement Policy Notes: PPN 09/14 requires suppliers to meet minimum cyber security standards. ISO 27001 or Cyber Essentials are the accepted evidence.