What ISO 27001 Certification Actually Costs an SME
The certificate fee is the small part. Here is the honest cost picture of ISO 27001 for a smaller business — audit, effort, and all.
The short version
- The certificate is the small part: For a smaller UK business, the certification-body audit fee is typically a few thousand pounds — but the real ISO 27001 certification cost is the work of building and running the management system behind it.
- Budget across three years, not one: ISO 27001 runs on a three-year cycle — an initial Stage 1 and Stage 2 audit, then annual surveillance checks, then recertification. Total spend over a cycle commonly lands somewhere in the low tens of thousands for an SME.
- Effort often outweighs fees: Internal time, and any consultancy you bring in, frequently costs as much as — or more than — the certification body itself.
- It is a step up from Cyber Essentials: ISO 27001 is broader, deeper and more ongoing. For many SMEs, starting with Cyber Essentials and growing into ISO 27001 is the sensible order.
If you have been told a prospect requires ISO 27001, or you are weighing it up as the next step beyond Cyber Essentials, the first question is usually the same: what is the ISO 27001 certification cost going to be? The honest answer is that the figure most people quote, the certificate fee, is the small part. The bigger cost is the work behind it. This guide gives you the full picture, in plain English, so you can budget for the real thing rather than the headline number.
ISO 27001 is the international standard for an Information Security Management System (an ISMS, essentially a documented, repeatable way of managing security across your whole organisation). It is worth doing well, and it is worth going in with your eyes open about what it costs.
What drives ISO 27001 cost (it is mostly NOT the certificate)
The certification-body audit fee is usually the smallest line in the budget; the real cost is the time and effort of building and running the management system that the audit inspects.
It is tempting to treat ISO 27001 like buying a product: pay a fee, receive a certificate. It does not work that way. The certificate is awarded only after an independent auditor confirms that a genuine management system exists and is operating. So before any audit happens, you have to build that system: a defined scope, a risk assessment, a set of policies, a Statement of Applicability (a document setting out which controls apply to you and why), internal audits, and management reviews.
That build is where the bulk of the cost lives. Most of it is internal time: your own people, thinking and writing and putting processes in place, plus any consultancy you choose to bring in. Industry guides are consistent on this point. Internal preparation often costs as much as, or more than, the certification body’s fees.
The honest reality
You are not buying a certificate. You are building a way of working and then paying someone to verify it is real. The fee is the verification; the system is the cost. Treating the fee as the budget is the single most common ISO 27001 planning mistake an SME makes.
The certification-body audit (stage 1 + stage 2) cost
The audit itself comes in two stages over a three-year cycle, and for a smaller business the initial audit fee is typically a few thousand pounds — a real cost, but not the largest one.
ISO 27001 certification is carried out by an accredited certification body. In the UK, that means one accredited by UKAS (the United Kingdom Accreditation Service, the national body that oversees auditors). The initial certification happens in two stages:
- Stage 1 is a documentation and readiness review. The auditor checks that your management system exists on paper (your scope, policies, risk assessment and Statement of Applicability) and flags anything missing before the deeper audit.
- Stage 2 tests how the system actually works in practice. The auditor looks for evidence that the controls you have documented are genuinely operating day to day.
Certification bodies typically charge per audit day, and the number of days scales with the size and complexity of your organisation. For a smaller, single-site SME, figures commonly cited for the initial Stage 1 plus Stage 2 audit fall somewhere in the region of a few thousand pounds. You will often see that quoted around £4,000 to £8,000, tending to sit at the higher end (or above) with a UKAS-accredited body. Treat that as a guide range, not a quote. Prices for the same scope vary widely between bodies, so ask two or three accredited bodies for a proper figure based on your actual scope and headcount.
After the initial certification, the standard runs on a three-year cycle:
- Annual surveillance audits in the years between certification and recertification. These are shorter than the initial Stage 2 and sample a subset of your controls.
- Recertification at the end of the three years. This is a fuller audit that revisits the whole system, and it starts a new cycle.
“The audit fee buys you a check, once a year, that your security is real. The reason it is not huge is that the auditor is not building anything — you are.”
So the audit cost is ongoing, not one-off. It is also, for most SMEs, not the part of the budget that hurts.
The bigger cost: building and running the ISMS
The largest cost of ISO 27001 is the internal effort — and any consultancy — required to stand up the management system and then keep it running, year after year.
This is where the honesty matters most. A questionnaire or a Cyber Essentials assessment can largely be a point-in-time exercise. ISO 27001 is not. It asks you to operate a living system, and that has two cost phases:
The build (typically several weeks to several months). You need to define your scope, run a risk assessment, write or adapt a set of policies, complete the Statement of Applicability, set up internal audit and management review routines, and gather the evidence that all of this is real. Many businesses bring in a consultant for some or all of this; many do meaningful parts internally. Either way, it is a genuine project with a named owner, not a form to fill in. A missing process here is never a click. It is a decision, a document, and usually a change to how people work.
The ongoing run (every year, indefinitely). Once certified, you keep the system alive: internal audits, management reviews, maintained risk assessments, updated policies, and the evidence to show all of it happened. This is the cost people forget at the planning stage. Pulled together with the surveillance audits above, it is why ISO 27001 is best budgeted across a full cycle. Guides commonly put the total three-year cost for an SME somewhere in the low tens of thousands of pounds, with smaller single-site businesses sitting nearer the bottom of that range. But the split between fees and effort varies enormously depending on how much you do in-house.
The encouraging part: much of this effort is genuinely useful work, not box-ticking. A real risk assessment, a real access-control process, a real incident plan: these protect your business whether or not an auditor ever looks at them. There is a real difference between saying you are secure and actually being secure, and ISO 27001, done properly, pushes you firmly towards the second.
How it compares to Cyber Essentials
Cyber Essentials is a faster, far cheaper check of five core controls; ISO 27001 is a broader, deeper, ongoing management system — different tools for different points in a business’s journey.
It helps to see them side by side rather than as competitors:
- Cyber Essentials checks five fundamental technical controls: firewalls, secure configuration, user access control, malware protection and keeping software up to date. The certification fee is usually a few hundred pounds, and the work to prepare is measured in weeks for most unprepared SMEs. It is largely point-in-time.
- ISO 27001 asks you to build and continuously run a whole management system covering governance, risk, policy, people, physical and technical security, independently audited on a three-year cycle. The total cost is an order of magnitude higher, and the commitment is ongoing.
Neither replaces the other. In fact, the work you do for Cyber Essentials feeds directly into an eventual ISO 27001 project. The technical controls overlap, and the discipline of documenting what you do carries forward. If you want the detailed contrast, we have written it up separately in Cyber Essentials vs ISO 27001. For the full ISO 27001 picture for a smaller business, see our guide to ISO 27001 for SMEs.
Is it worth it for your business yet?
ISO 27001 is worth the cost when enterprise customers specifically require it, or you are in a supply chain that expects it — and often premature before then.
The question is not whether ISO 27001 is good (it is). It is whether the cost is justified for your business right now. A few honest prompts:
- Are customers actually asking for it? If enterprise prospects or procurement teams are naming ISO 27001 as a requirement, the cost may pay for itself in contracts won. If no one has asked, you may be buying ahead of need.
- Are you in a supply chain that expects it? Regulated industries and large vendor programmes increasingly treat ISO 27001 as table stakes. If that is your market, it is less optional.
- Have you done the basics first? If Cyber Essentials and the fundamentals are not yet in place, starting with those is almost always the cheaper, faster, more sensible first move, and it lowers the eventual ISO 27001 bill.
Be honest with yourself about where your business sits. ISO 27001 is a serious, worthwhile commitment when the timing is right, and an expensive distraction when it is not. The right answer for many SMEs is “yes, but not yet.”
The organising principle
Budget for ISO 27001 as a multi-year programme, not a purchase. The certificate fee is the visible cost; the management system behind it is the real one. Get the basics in place first, and much of that spend becomes an upgrade rather than a fresh start.
SecurSentry is launching soon to help UK SMEs work through their compliance journey, from the basics like Cyber Essentials, and carrying that effort forward towards bigger standards like ISO 27001, so the work you do once keeps paying off. Join the waitlist to be among the first to know when we open.
This article is for general information only and does not constitute legal or compliance advice. Costs vary by organisation, scope and auditor; where in doubt, consult a qualified professional or an accredited certification body.