top of page

What does ISO 27001 cost in 2024?

Implementing ISO 27001: The Cost of Achieving Information Security

Let's start by defining what ISO 27001 is in simple terms, but if you want a detailed explanation check out our, What Is ISO 27001 article - here;

What is ISO 27001?

ISO 27001 is an international standard for information security management. The standard outlines a systematic approach to managing sensitive information, such as financial data, intellectual property, and personal information, to ensure its confidentiality, integrity, and availability. Implementing ISO 27001 requires significant time, effort, and resources. The cost of implementation can vary greatly, depending on the size and complexity of the organisation and the type of services used to achieve certification.

What does it cost?

It is hard to say precisely how much you can expect to pay for ISO 27001 implementation as multiple factors drive the cost. It can vary from as little as £100 (buying a policy pack) to as much as £20,000+, but for most SMBs, an assisted implementation should range from £3,000 to £20,000. So let's delve deeper into some things that can drive costs up and how to keep costs down.

What drives the cost up?

The biggest cost differentiator is the size and complexity of the business. For example, a 10-man, fully outsourced and cloud-first business will be much more straightforward compared to a 1000+ user, multi-site, international with on-premise technology business: essentially, more moving parts, more responsibility on data security.

Using a consulting company over in-house skills may be more expensive. On the other hand, completing the implementation in-house may reduce initial costs. But, the long-term operational costs could be higher, and by choosing a consultancy, the results may be a faster and smoother process.

The cost can also be affected by the timeframe for the implementation; for example, if a quick turnaround is needed, more resources may be required to deliver the project at an accelerated pace.

What drives costs down?

Having good security practices and policies already in place can significantly reduce costs. In addition, the effort to achieve compliance is significantly reduced if you have a security culture as part of your everyday business.

Using in-house knowledge to deliver the bulk of the implementation and an external resource for reviewing key aspects like auditing can also keep the expenditure down.

If you're not in a hurry, implementing the Information Security Management System (ISMS) can help keep costs down and better integrate the system into the organisation.

While a DIY approach may seem the cheapest option, some organisations can underestimate the effort required to achieve accreditation. As a result, they may make little progress over a period of two years. Ultimately, this could cost more than bringing in a specialist consulting company to help with the implementation.

Why are some companies so expensive?

The complexity of the ISMS they use and the day rate they charge will increase the cost of the implementation. The more complex the system, the more time is needed to implement it! Meaning long-term management costs rise.

Some companies may over-engineer what is required meaning there is more to implement but with little benefit.

Day rate has the most significant impact on cost. Larger consulting companies are generally more expensive due to increased overheads but provide more coverage capabilities for the consultant working on your project in case of availability issues. Larger organisations will also carry greater skills and service diversity which adds to their value, and their prices usually reflect this.

Many companies will operate onsite regardless of need which can include expenses for hotels, travel and food, which on a 10-day engagement could easily add another £1,000+.

Why are some companies so cheap?

Smaller consulting firms will generally cost less due to their reduced operating costs. Companies with only one or two consultants are typically the most affordable, but they often face problems with limited resources and insufficient coverage if the primary consultant is unavailable. This can result in lower daily rates but may lead to other issues, including but not limited to reduced skills diversity, availability issues and lack of innovative processes.

Other costs

So far, we have explained the implementation costs. There will also be a cost for accreditation if that is your end goal. Over time, we have noticed a steady rise in the number of days required for UKAS bodies to complete their accreditation process. UKAS accreditation is strongly recommended, as the certification holds little value without it. However, it is possible to implement the framework without accreditation and still reap the security benefits while avoiding associated costs.

UKAS audit costs for an SMB would be in the region of £4,500 to £8,000, depending on the factors we have already discussed. However, we have seen costs in excess of £25,000 for larger complex organisations.

How we compare

As an organisation focused on value and simplicity, we offer builds from as little as £4,875. On average, our clients pay around £6,000-£8,000. We also guarantee a Stage 1 pass, and as long as you take our advice, we guarantee you'll pass stage 2 and achieve certification. We have a 100% certification success rate.

Where possible, we complete everything remotely as this reduces costs, as no travel, hotels or other expenses are needed. Our day rate is £975, but where required we can and are happy to operate on site, at no additional cost, expenses are built into the day rate, so no unexpected or hidden costs.

Our service includes all the documents you require, policies, registers and records. In addition, we will hold numerous workshops to ensure you understand the implementation ready for your audits. We will run your stage 1 audit for you, representing your company as your compliance manager, and at no additional cost and if needed we can assist at stage 2 as well, but this will increase your costs. Still, many clients opt for it as having someone who has in-depth knowledge of the standard and the management system, as well as being able to guide key staff on how to respond to the auditors, makes the whole process more seamless.

27 views0 comments

Recent Posts

See All


bottom of page