ISO 27001 · Tech, SaaS, data-handling and B2B service firms

Information Security certification

Information security, cybersecurity and privacy protection

What is ISO 27001?

ISO 27001 is the leading international standard for an Information Security Management System (ISMS). It provides a risk-based framework for protecting the confidentiality, integrity and availability of information, whether that information is digital, physical or intellectual.

The current edition is ISO/IEC 27001:2022. It pairs a core management-system clause set with Annex A, a catalogue of 93 controls (reorganised into four themes in the 2022 revision) that organisations select based on a documented risk assessment and Statement of Applicability.

For UK technology companies, ISO 27001 has become a near-standard requirement in enterprise procurement and is often pursued alongside, or instead of, SOC 2. It also supports demonstrable due diligence under UK GDPR.

How to get ISO 27001 certified

  1. Define the ISMS scope and secure leadership commitment and resources.
  2. Conduct an information security risk assessment and risk treatment plan.
  3. Select Annex A controls and produce the Statement of Applicability (SoA).
  4. Implement controls, policies and procedures, and run them long enough to gather evidence.
  5. Perform internal audits and a management review.
  6. Engage a UKAS-accredited certification body for the Stage 1 and Stage 2 audits, remediate findings, and maintain via annual surveillance and three-yearly re-certification.

Choosing a certification body

For a certificate to carry weight, choose a body accredited by UKAS, the UK's national accreditation body. Accredited certification is recognised by customers and procurement teams; unaccredited certificates often are not. Get quotes from at least three bodies, as fees vary.

How much does ISO 27001 certification cost?

There is no single price — total cost depends on your organisation's size, how much you already have in place, the number of sites, and whether you use a consultant. Broadly, the cost splits into three parts: implementation (building the system), the certification audit (paid to the certification body), and ongoing costs (annual surveillance and a three-yearly re-certification).

  • ISO 27001 audits run longer than ISO 9001 audits because auditors must sample technical as well as organisational controls, so the day-rate component is higher.
  • A penetration test is not mandatory for certification but is strongly expected by customers and is a common add-on cost.
  • Tooling (risk registers, evidence-collection platforms, MDM, logging) can add meaningful recurring cost beyond the audit itself.

Official & useful resources