How we source ISO 27001 cost figures
Cost ranges on this site are based on public reference material across the relevant landscape. The publishers below are representative of the kind of source that informs our positioning, not an exhaustive extraction map per figure. A specific figure on a specific page is not necessarily anchored to a single named publisher.
Primary sources
The cost bands on this site triangulate three independent input streams: (a) standard-setting and accreditation bodies for the calculation framework, (b) certification-body and consultancy public materials for the price spread, and (c) practitioner survey data for the reality check.
- UKAS register of accredited certification bodies. The UK government-appointed accreditation body for ISO 27001 certification scopes. Source for which UK certification bodies actually hold ISO 27001:2022 accreditation: ukas.com/find-an-organisation.
- ISO/IEC 17021-1. Conformity assessment requirements for bodies providing audit and certification of management systems. Source for the audit-day calculation framework that drives certification-body fees: iso.org/standard/61651.html.
- IAF MD 5. International Accreditation Forum Mandatory Document 5: determination of audit time of quality, environmental, and occupational health and safety management systems. The effective-headcount to audit-days table that every certification body uses: iaf.nu/iaf-documents.
- ISO/IEC 27001:2022. The standard itself. Source for scope, the four-theme Annex A taxonomy, and the 93 controls: iso.org/standard/27001.
- UKAS-accredited certification body public materials. BSI, LRQA, NQA, Bureau Veritas, SGS, Alcumus ISOQAR, British Assessment Bureau, Citation ISO Certification, Tempo Audits, Assured Certification, QMS International. Public scope statements, indicative-fee material, and quote-page disclosures.
- GRC vendor public pricing. Publicly published pricing pages and public G2 / TrustRadius contract-value reports for Vanta, Drata, Sprinto, Scytale, Secureframe, Comp AI.
- UK consultant public day-rate guidance. Publicly published day-rate ranges from UK ISO 27001 specialist firms (Evalian, YourISO, Iseoblue, Kafico) and IT Jobs Watch UK ISO 27001 contractor day-rate panels.
- Cyber Essentials scheme published rates. NCSC-published scheme rates for Cyber Essentials and Cyber Essentials Plus, treated on this site as a precursor cost band for alignment-prep work where UK government procurement gates are discussed.
- Published practitioner survey data. UK ISO 27001 implementation survey data and write-ups published by ISMS.online, Hightable, and the wider ISO 27001 practitioner community.
Calculation method: audit days
Certification body fees are not arbitrary. Bodies calculate audit days from effective headcount using the IAF MD 5 framework, applied via ISO/IEC 17021-1. The shape of the headcount-to-audit-days curve is sublinear: an organisation with 50 effective FTE in scope is not five times the audit time of one with 10 FTE.
- Effective headcount is full-time equivalent staff inside the certified ISMS scope, with weighting for part-time and shift workers.
- Initial certification audit time at 10 FTE is roughly 4 days; at 50 FTE roughly 8 days; at 250 FTE roughly 14 days; at 1,000 FTE roughly 19 days. These are the IAF MD 5 Table 1 bands.
- Stage 1 (documentation review) is 20 to 25 percent of total audit days. Stage 2 (full implementation audit) is the remaining 75 to 80 percent.
- Multi-site sampling, sector complexity factors, integrated management systems with ISO 9001 or ISO 14001 already certified, and remote-audit allowances all adjust the total. Most adjustments compress the day count by 10 to 30 percent.
- Surveillance audits in years 2 and 3 of the certificate run roughly one third of the initial audit days each. Recertification at year 4 returns to initial-audit duration.
The day-count framework is identical across UKAS-accredited bodies. The price spread between bodies is mostly the auditor day-rate plus brand premium, not the day count.
Calculation method: certification body day rates
UKAS-accredited certification body auditor day rates in 2026 cluster in the GBP 750 to GBP 1,800 range in the UK, $1,400 to $2,500 in the US, and $1,000 to $1,800 in Asia-Pacific. Within the UK band, the spread tracks brand premium and sector specialisation.
- Premium brands (BSI, Bureau Veritas) tend to occupy the GBP 1,200 to GBP 1,800 range, commanding 30 to 40 percent above SME-focused bodies. Procurement-sensitive customers (UK government, defence, large enterprise) sometimes require these specifically.
- SME-focused UKAS-accredited bodies (NQA, Alcumus ISOQAR, British Assessment Bureau, QMS International, Assured Certification) tend to occupy the GBP 750 to GBP 1,200 range. The accreditation is identical; the audit is identical in structure.
- Travel time, language requirements, multi-site arrangements, and complex sector witness-audit requirements all push rate cards up.
- UKAS accreditation is what makes a certificate internationally recognised via the IAF Multilateral Agreement. Non-UKAS certificates exist; they cost less, and they are routinely rejected by UK government procurement.
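The two calculation sections above (audit days from effective headcount, then fee from auditor day rate) combine into a simple estimator. The block below is an added illustration written for this page, not a tool published by the site or by any certification body. It takes the four headcount-to-audit-days anchor points, the 20 percent Stage 1 share, the one-third surveillance ratio and the UK day-rate bands exactly as stated above; everything else is an assumption and is labelled as such in the comments: log-linear interpolation between the anchor points (the page only says the curve is sublinear), clamping outside the 10 to 1,000 FTE range, and a 0.5 weight for part-time staff when deriving effective headcount.

```python
"""Illustrative ISO 27001 certification-fee estimator built from the bands
quoted on this page. Added example, not the site's own calculator.
"""
import math

# Anchor points quoted on the page: effective FTE -> initial audit days.
AUDIT_DAY_ANCHORS = [(10, 4.0), (50, 8.0), (250, 14.0), (1000, 19.0)]

# UK auditor day-rate bands quoted on the page, GBP per day (low, high).
UK_DAY_RATE_BANDS = {
    "sme_focused": (750, 1200),
    "premium": (1200, 1800),
}

STAGE1_SHARE = 0.20        # page: Stage 1 is 20 to 25 percent; lower bound used
SURVEILLANCE_RATIO = 1 / 3  # page: surveillance is roughly one third of initial days


def effective_headcount(full_time, part_time=0, part_time_weight=0.5):
    """Effective FTE inside scope. The page says part-time and shift workers
    are weighted; the 0.5 weight here is an assumption, not a page value."""
    return full_time + part_time * part_time_weight


def initial_audit_days(effective_fte):
    """Initial (Stage 1 + Stage 2) audit days for a given effective headcount.

    Assumption: log-linear interpolation between the page's anchor points,
    which gives the sublinear shape the page describes. Outside the 10 to
    1,000 FTE range the nearest anchor value is used, since the page quotes
    no bands there.
    """
    if effective_fte <= AUDIT_DAY_ANCHORS[0][0]:
        return AUDIT_DAY_ANCHORS[0][1]
    if effective_fte >= AUDIT_DAY_ANCHORS[-1][0]:
        return AUDIT_DAY_ANCHORS[-1][1]
    pairs = zip(AUDIT_DAY_ANCHORS, AUDIT_DAY_ANCHORS[1:])
    for (lo_fte, lo_days), (hi_fte, hi_days) in pairs:
        if lo_fte <= effective_fte <= hi_fte:
            frac = (math.log(effective_fte) - math.log(lo_fte)) / (
                math.log(hi_fte) - math.log(lo_fte)
            )
            return lo_days + frac * (hi_days - lo_days)
    raise ValueError("headcount outside anchor table")  # unreachable


def cycle_audit_days(effective_fte, compression=0.0):
    """Audit days across the 3-year certificate cycle, split by stage.

    compression: fractional reduction from multi-site sampling, integrated
    systems or remote-audit allowances (page: typically 0.10 to 0.30).
    """
    if not 0.0 <= compression < 1.0:
        raise ValueError("compression must be a fraction in [0, 1)")
    total = initial_audit_days(effective_fte) * (1.0 - compression)
    stage1 = total * STAGE1_SHARE
    surveillance = total * SURVEILLANCE_RATIO
    return {
        "stage1": stage1,
        "stage2": total - stage1,
        "surveillance_y2": surveillance,
        "surveillance_y3": surveillance,
        "cycle_total": total + 2 * surveillance,
    }


def cycle_fee_band(effective_fte, body_tier="sme_focused", compression=0.0):
    """(low, high) GBP certification-body fee for the 3-year cycle, i.e.
    cycle audit days multiplied by the tier's day-rate band. Excludes
    consultant, platform and internal-staff costs."""
    days = cycle_audit_days(effective_fte, compression)["cycle_total"]
    low_rate, high_rate = UK_DAY_RATE_BANDS[body_tier]
    return (round(days * low_rate), round(days * high_rate))


if __name__ == "__main__":
    fte = effective_headcount(full_time=40, part_time=20)  # constructed sample
    print(f"effective FTE: {fte}")
    print(f"initial audit days: {initial_audit_days(fte):.1f}")
    print(cycle_audit_days(fte))
    for tier in UK_DAY_RATE_BANDS:
        print(tier, cycle_fee_band(fte, tier))
```

Reading the output for the constructed 50-FTE case: 8 initial days split 1.6 / 6.4 between Stage 1 and Stage 2, about 2.7 surveillance days in each of years 2 and 3, and a three-year certification-body fee of roughly GBP 10,000 to 16,000 at SME-focused bodies versus GBP 16,000 to 24,000 at premium brands. The day count is the same in both rows; only the rate differs, which is the point the audit-days section makes.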
Calculation method: consultant day rates
UK ISO 27001 consultant day rates in 2026 cluster in the GBP 600 to GBP 1,500 range, depending on engagement model and firm.
- Independent consultants typically charge GBP 600 to GBP 900 per day on day-rate engagements. Loaded rates rather than time-and-materials are the norm.
- Boutique firms charge GBP 900 to GBP 1,300 per day. The premium is usually for ISMS template libraries and a delivery team rather than a single consultant.
- National-brand or Big-Four-adjacent consultancies charge GBP 1,300 to GBP 1,500 plus per day. Procurement gates at large enterprises sometimes require these specifically.
- Fixed-fee engagements are common for gap analysis and ISMS framework work (typically GBP 4,000 to GBP 15,000). Implementation phases are usually day-rate or capped-day.
- Red-flag pricing patterns: guarantees of certification, refusal to name recent clients, refusal to put the scoped deliverables in writing, day rates well below the market floor.
In scope and out of scope
In scope of the cost bands published on this site:
- Certification-body audit fees (Stage 1 + Stage 2).
- Consultant fees (gap analysis, ISMS development, internal audit support).
- GRC platform subscriptions and platform-assisted implementation.
- Internal staff time at loaded cost rates.
- Surveillance and recertification across the 3-year certificate cycle.
Out of scope:
- Specific quotes from named certification bodies (these are confidential).
- Named-firm consultant rate cards (these are confidential).
- Classified or government-restricted scopes (DCPP, FSC, MOD-specific work).
- Transition-from-2013-to-2022 cost as a separate methodology question (treated as inside the implementation budget where mentioned).
What we deliberately do not publish
- Specific certification-body fee tariffs. BSI, LRQA and others redact specific fee tariffs in writing. We publish the tier band, not the named-body specific quote.
- Named-firm consultant rate cards. Day rates are presented as bands. Named-firm rate cards are confidential.
- Side-by-side GRC feature grids. We publish positioning notes for major vendors but do not produce feature grids. Feature parity changes quarterly.
Update cadence
Site values update only when the underlying reality changes. Triggers:
- ISO 27001 standard revision (2022 was the most recent major revision)
- UKAS or related accreditation framework changes that affect assessment-day calculation
- Major GRC platform pricing model change
- Aggregate movement in UK consultant day rates greater than 10 percent over a 12-month sample
Cosmetic date bumps are not made.
Editorial position
This site is operated by Digital Signet, an independent AI-development studio. Digital Signet does not sell ISO 27001 certification, does not act as a certification body, does not run a GRC platform, and does not accept paid placements from any vendor in the compliance space. See /about for the operator and the wider network.
Editorial direction is set by Digital Signet's editor. Drafts are produced via Digital Signet's autonomous AI development methodology and reviewed against the editorial framework before publication.
Contact
For methodology questions, corrections, or scenarios that don't fit cleanly: [email protected].