A CISO at a 120-person SaaS firm in Manchester emailed our team last month with a single question: "Our biggest enterprise prospect won't sign without ISO 27001. We have 90 days. What's this actually going to cost?" That conversation is happening across UK boardrooms right now, driven by procurement teams at banks, NHS trusts, and government suppliers who treat the certificate as a contractual gate.
The problem is that public price guides are useless. Quotes range from several thousand to tens of thousands of pounds for organisations of similar size, and most of the variation has nothing to do with quality. It has to do with scope decisions, certification body choice, and whether you understood ISO/IEC 27001:2022 Annex A's 93 controls before you started writing policies.
This post breaks down the real numbers UK organisations pay in 2026 — what's negotiable, what isn't, and where most ISMS budgets quietly haemorrhage.
What ISO 27001 Certification Actually Includes
ISO/IEC 27001:2022 is the international standard for information security management systems. UKAS-accredited certification means an independent body has audited your ISMS against the standard and confirmed it works. The 2022 revision restructured Annex A into four control themes (organisational, people, physical, technological) and added 11 new controls covering threat intelligence, cloud services, secure coding, and data masking. Organisations certified under the 2013 version had until 31 October 2025 to transition — that window is now closed.
Three cost categories make up a UK ISO 27001 certification budget:
- Implementation — gap analysis, policies, risk assessment, control deployment, internal audit, management review
- Certification body fees — Stage 1 audit, Stage 2 audit, and three years of surveillance audits
- Ongoing maintenance — internal audits, management reviews, control evidence, and the recertification cycle in year three
The Real Numbers for UK Organisations in 2026
Based on our consultants' work across UK SaaS, professional services, and regulated firms, here is what an ISMS implementation budget looks like by organisation size. These figures assume a UKAS-accredited certification body and a single-site scope.
Small organisations (10-50 staff)
Total first-year spend typically lands between £12,000 and £25,000. Certification body fees from UKAS-accredited bodies (BSI, LRQA, NQA, Alcumus ISOQAR, BAB) run between £4,000 and £8,000 for Stage 1 and Stage 2 combined. The rest is implementation effort — either internal time or consultancy. Cyber Essentials Plus, often added as a prerequisite for UK public sector contracts, adds roughly £1,500 to £3,000 to the overall cost.
Mid-sized organisations (50-250 staff)
Expect £25,000 to £60,000 in year one. Audit days scale with headcount under IAF MD 5, the mandatory document certification bodies use to calculate audit duration. A 150-person firm typically needs 8-10 audit days across Stage 1 and Stage 2. The internal resource cost also rises here, as a dedicated ISMS Manager or security lead is usually required.
Larger organisations (250+ staff, multi-site)
Budgets reach £60,000 to £150,000+, particularly where scope covers multiple sites, cloud environments, or regulated data. Firms in FCA-regulated sectors usually align ISO 27001 with FCA PS21/3 operational resilience requirements, which raises the bar for evidence and testing. Multi-site organisations also face additional audit days under IAF MD 5.
Years two and three
Surveillance audits run roughly 30-40% of the initial certification fee annually. Recertification in year three costs slightly less than the original Stage 2. Internal effort to maintain the ISMS — risk reviews, internal audits, control evidence — is the cost most organisations underestimate. Our consultants typically see organisations spending 10-15 hours per month on ISMS maintenance once certified.
Where 2026 compliance investment planning goes wrong
Our team sees the same five mistakes repeatedly, and each one inflates the budget by tens of thousands of pounds.
Scoping the whole company when you only need to scope one product. ISO 27001 lets you define the ISMS boundary. A SaaS firm certifying its production platform doesn't need to drag the marketing team into the audit. Tighter scope means fewer audit days, fewer controls to evidence, and faster certification.
Buying a policy template pack and calling it an ISMS. Auditors don't certify policies — they certify a management system that is demonstrably operating. If your access review policy says quarterly and you can't produce evidence for the last two quarters, you fail. Templates accelerate drafting; they don't replace operational discipline. We see organisations spend on template packs only to fail their Stage 1 audit because the templates were never operationalised.
Choosing a non-UKAS certification body to save money. Procurement teams at FTSE 250s, NHS Digital, and Crown Commercial Service framework buyers check the UKAS register. A certificate from a non-accredited body often fails supplier due diligence, meaning you pay twice — once for the non-accredited attempt, again for the real thing.
Treating risk assessment as a one-off exercise. Clause 6.1.2 requires ongoing risk assessment. Auditors look for evidence that risks were reviewed when your architecture changed, when you adopted a new SaaS vendor, when a major incident hit your sector. Static risk registers fail surveillance audits consistently.
Ignoring Annex A control 5.23 on cloud services. Most UK SMEs run on AWS, Azure, or Google Cloud. The 2022 standard added explicit cloud requirements. Misconfigured S3 buckets, unmanaged IAM roles, and missing encryption-at-rest controls are the most common audit findings our consultants see. This control alone drives significant remediation cost for organisations that haven't properly governed their cloud estate.
How to cut the budget without cutting corners
Three decisions reduce cost without compromising the certificate. First, run a structured gap analysis before you sign with a certification body. You will know exactly which of the 93 Annex A controls are already in place and which need work. This kills the "endless implementation" spiral that pushes budgets past £100,000.
Second, automate cloud control evidence. Manual screenshot collection across AWS, Azure, and GCP burns weeks. Continuous configuration auditing produces audit-ready evidence for controls 8.9 (configuration management), 8.16 (monitoring activities), and 5.23 (cloud services). The reduction in internal effort alone can offset the cost of automated tools within the first certification cycle.
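As an added example (not Pyralink's tooling and not any cloud provider's API), here is the shape of a continuous configuration check that turns a cloud inventory into a timestamped evidence record keyed by Annex A control. The inventory, the declared baseline, the field names and the 90-day role staleness threshold are all constructed for the example; the mapping of checks to 5.23, 8.9 and 8.16 is illustrative and would in practice follow the organisation's own Statement of Applicability. It covers the cloud findings listed under control 5.23 above (public buckets, missing encryption at rest, unmanaged roles) as well as the baseline-drift and monitoring evidence described here.

```python
"""Continuous configuration evidence for Annex A 5.23 / 8.9 / 8.16 (added example)."""
from __future__ import annotations

import json
from dataclasses import asdict, dataclass
from datetime import datetime, timezone

# Constructed sample inventory: what a collector might produce after querying a
# provider's configuration API. Field names are assumptions for this example,
# not a real AWS, Azure or GCP response format.
SAMPLE_INVENTORY = {
    "buckets": [
        {"name": "prod-customer-exports", "public_access_blocked": True, "encryption_at_rest": "AES256"},
        {"name": "legacy-marketing-assets", "public_access_blocked": False, "encryption_at_rest": None},
    ],
    "iam_roles": [
        {"name": "ci-deploy", "days_since_last_use": 3, "owner": "platform-team"},
        {"name": "contractor-2023", "days_since_last_use": 240, "owner": None},
    ],
}

# Declared baseline (control 8.9): the settings each bucket is supposed to have.
# Drift from the baseline is a finding in its own right, separate from the hard checks.
BASELINE = {
    "prod-customer-exports": {"public_access_blocked": True, "encryption_at_rest": "AES256"},
    "legacy-marketing-assets": {"public_access_blocked": True, "encryption_at_rest": "AES256"},
}

STALE_ROLE_DAYS = 90  # assumed threshold; the organisation's access policy sets the real one


@dataclass(frozen=True)
class Finding:
    control: str    # Annex A control the check evidences (illustrative mapping)
    resource: str
    check: str
    passed: bool
    detail: str


def check_buckets(buckets: list[dict]) -> list[Finding]:
    """Hard checks on storage buckets, mapped to 5.23 (cloud services)."""
    findings = []
    for b in buckets:
        blocked = bool(b["public_access_blocked"])
        findings.append(Finding("5.23", b["name"], "public-access-blocked", blocked,
                                "public access block enabled" if blocked else "bucket reachable without auth"))
        enc = b["encryption_at_rest"]
        findings.append(Finding("5.23", b["name"], "encryption-at-rest", enc is not None,
                                f"encrypted with {enc}" if enc else "no server-side encryption configured"))
    return findings


def check_iam_roles(roles: list[dict]) -> list[Finding]:
    """Ownership and staleness checks: an unowned or unused role is an unmanaged role."""
    findings = []
    for r in roles:
        owned = r["owner"] is not None
        findings.append(Finding("5.23", r["name"], "role-has-owner", owned,
                                f"owner={r['owner']}" if owned else "no accountable owner recorded"))
        fresh = r["days_since_last_use"] <= STALE_ROLE_DAYS
        findings.append(Finding("5.23", r["name"], "role-not-stale", fresh,
                                f"last used {r['days_since_last_use']} days ago"))
    return findings


def check_baseline_drift(buckets: list[dict], baseline: dict) -> list[Finding]:
    """Compare live settings with the declared baseline (8.9 configuration management)."""
    findings = []
    for b in buckets:
        expected = baseline.get(b["name"])
        if expected is None:
            findings.append(Finding("8.9", b["name"], "in-baseline", False, "resource not in declared baseline"))
            continue
        drifted = {k: (v, b.get(k)) for k, v in expected.items() if b.get(k) != v}
        findings.append(Finding("8.9", b["name"], "matches-baseline", not drifted,
                                "no drift" if not drifted else f"drift (expected, actual): {drifted}"))
    return findings


def evaluate(inventory: dict, baseline: dict) -> list[Finding]:
    """Run every check over the inventory and return the combined findings."""
    return (check_buckets(inventory["buckets"])
            + check_iam_roles(inventory["iam_roles"])
            + check_baseline_drift(inventory["buckets"], baseline))


def build_evidence_record(findings: list[Finding], run_at: datetime | None = None) -> dict:
    """Timestamped per-control summary: the artefact that evidences 8.16 (monitoring activities)."""
    run_at = run_at or datetime.now(timezone.utc)
    summary: dict[str, dict[str, int]] = {}
    for f in findings:
        counts = summary.setdefault(f.control, {"passed": 0, "failed": 0})
        counts["passed" if f.passed else "failed"] += 1
    return {"generated_at": run_at.isoformat(), "summary": summary, "findings": [asdict(f) for f in findings]}


def failing_resources(findings: list[Finding]) -> set[str]:
    """Resources with at least one failed check, i.e. the remediation list."""
    return {f.resource for f in findings if not f.passed}


if __name__ == "__main__":
    print(json.dumps(build_evidence_record(evaluate(SAMPLE_INVENTORY, BASELINE)), indent=2))
```

Run on a schedule, each JSON record is a dated data point rather than a screenshot: an auditor can see the legacy bucket and the contractor role failing on one run and passing on a later one, which is exactly the "operating, not just written" evidence the surveillance audit asks for.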
Third, use a fractional vCISO rather than a full-time hire during implementation. A senior security leader for two days a week through the 6-9 month implementation runway costs a fraction of a permanent CISO and delivers the management system clauses auditors care about. Once certified, that same vCISO keeps the ISMS current through surveillance audits.
Frequently asked questions about ISO 27001 certification costs
Can an organisation get ISO 27001 certified for under £10,000?
For a very small organisation (under 10 staff) with a tightly scoped ISMS and significant internal capability, it is possible to complete certification for under £10,000, though this is the lower boundary. Most organisations with 10-50 staff should budget £12,000-£25,000 to avoid shortcuts that trigger non-conformities at audit.
What is the cheapest UKAS-accredited certification body?
Certification body fees vary, and the cheapest fee is not always the best value. Lower-cost UKAS-accredited bodies may schedule fewer audit days or offer less experienced auditors. Our team recommends obtaining quotes from at least three bodies and comparing not just the fee but the proposed audit duration and auditor credentials.
How long does certification take from start to finish?
For most UK SMEs, certification takes 6-12 months from the start of implementation. The timeline depends on your starting position, scope complexity, and internal resource availability. Organisations that already operate to Cyber Essentials or NIST CSF can typically certify faster than those building from scratch.
How Pyralink helps
Pyralink Innovation Ltd advises UK organisations on ISO 27001:2022 certification — from gap analysis and ISMS design through to audit readiness and ongoing maintenance. Led by Michael Adedeji (CISM, CISA, CC, MSc Data Science), our consultants have implemented ISMS across financial services, healthtech, SaaS, and professional services.
Our approach focuses on keeping your certification budget under control through tight scoping, cloud control automation, and efficient evidence collection. We work alongside your team rather than replacing it, ensuring internal capability builds as the ISMS matures. Pyralink holds £5M professional indemnity insurance.
If you are building an ISMS implementation budget and want a second opinion on scope and cost, our team can run a quick gap indicator: