SecurSentry
← All notes
Cyber Essentials

What ISO 27001 Certification Actually Costs an SME

The certificate fee is the small part. Here is the honest cost picture of ISO 27001 for a smaller business — audit, effort, and all.

The short version

If you have been told a prospect requires ISO 27001, or you are weighing it up as the next step beyond Cyber Essentials, the first question is usually the same: what is the ISO 27001 certification cost going to be? The honest answer is that the figure most people quote, the certificate fee, is the small part. The bigger cost is the work behind it. This guide gives you the full picture, in plain English, so you can budget for the real thing rather than the headline number.

ISO 27001 is the international standard for an Information Security Management System (an ISMS, essentially a documented, repeatable way of managing security across your whole organisation). It is worth doing well, and it is worth going in with your eyes open about what it costs.

What drives ISO 27001 cost (it is mostly NOT the certificate)

The certification-body audit fee is usually the smallest line in the budget; the real cost is the time and effort of building and running the management system that the audit inspects.

It is tempting to treat ISO 27001 like buying a product: pay a fee, receive a certificate. It does not work that way. The certificate is awarded only after an independent auditor confirms that a genuine management system exists and is operating. So before any audit happens, you have to build that system: a defined scope, a risk assessment, a set of policies, a Statement of Applicability (a document setting out which controls apply to you and why), internal audits, and management reviews.

That build is where the bulk of the cost lives. Most of it is internal time: your own people, thinking and writing and putting processes in place, plus any consultancy you choose to bring in. Industry guides are consistent on this point. Internal preparation often costs as much as, or more than, the certification body’s fees.

The honest reality

You are not buying a certificate. You are building a way of working and then paying someone to verify it is real. The fee is the verification; the system is the cost. Treating the fee as the budget is the single most common ISO 27001 planning mistake an SME makes.

The certification-body audit (stage 1 + stage 2) cost

The audit itself comes in two stages over a three-year cycle, and for a smaller business the initial audit fee is typically a few thousand pounds — a real cost, but not the largest one.

ISO 27001 certification is carried out by an accredited certification body. In the UK, that means one accredited by UKAS (the United Kingdom Accreditation Service, the national body that oversees auditors). The initial certification happens in two stages:

Certification bodies typically charge per audit day, and the number of days scales with the size and complexity of your organisation. For a smaller, single-site SME, figures commonly cited for the initial Stage 1 plus Stage 2 audit fall somewhere in the region of a few thousand pounds. You will often see that quoted around £4,000 to £8,000, tending to sit at the higher end (or above) with a UKAS-accredited body. Treat that as a guide range, not a quote. Prices for the same scope vary widely between bodies, so ask two or three accredited bodies for a proper figure based on your actual scope and headcount.

After the initial certification, the standard runs on a three-year cycle:

“The audit fee buys you a check, once a year, that your security is real. The reason it is not huge is that the auditor is not building anything — you are.”

So the audit cost is ongoing, not one-off. It is also, for most SMEs, not the part of the budget that hurts.

The bigger cost: building and running the ISMS

The largest cost of ISO 27001 is the internal effort — and any consultancy — required to stand up the management system and then keep it running, year after year.

This is where the honesty matters most. A questionnaire or a Cyber Essentials assessment can largely be a point-in-time exercise. ISO 27001 is not. It asks you to operate a living system, and that has two cost phases:

The build (typically several weeks to several months). You need to define your scope, run a risk assessment, write or adapt a set of policies, complete the Statement of Applicability, set up internal audit and management review routines, and gather the evidence that all of this is real. Many businesses bring in a consultant for some or all of this; many do meaningful parts internally. Either way, it is a genuine project with a named owner, not a form to fill in. A missing process here is never a click. It is a decision, a document, and usually a change to how people work.

The ongoing run (every year, indefinitely). Once certified, you keep the system alive: internal audits, management reviews, maintained risk assessments, updated policies, and the evidence to show all of it happened. This is the cost people forget at the planning stage. Pulled together with the surveillance audits above, it is why ISO 27001 is best budgeted across a full cycle. Guides commonly put the total three-year cost for an SME somewhere in the low tens of thousands of pounds, with smaller single-site businesses sitting nearer the bottom of that range. But the split between fees and effort varies enormously depending on how much you do in-house.

The encouraging part: much of this effort is genuinely useful work, not box-ticking. A real risk assessment, a real access-control process, a real incident plan: these protect your business whether or not an auditor ever looks at them. There is a real difference between saying you are secure and actually being secure, and ISO 27001, done properly, pushes you firmly towards the second.

How it compares to Cyber Essentials

Cyber Essentials is a faster, far cheaper check of five core controls; ISO 27001 is a broader, deeper, ongoing management system — different tools for different points in a business’s journey.

It helps to see them side by side rather than as competitors:

Neither replaces the other. In fact, the work you do for Cyber Essentials feeds directly into an eventual ISO 27001 project. The technical controls overlap, and the discipline of documenting what you do carries forward. If you want the detailed contrast, we have written it up separately in Cyber Essentials vs ISO 27001. For the full ISO 27001 picture for a smaller business, see our guide to ISO 27001 for SMEs.

Is it worth it for your business yet?

ISO 27001 is worth the cost when enterprise customers specifically require it, or you are in a supply chain that expects it — and often premature before then.

The question is not whether ISO 27001 is good (it is). It is whether the cost is justified for your business right now. A few honest prompts:

Be honest with yourself about where your business sits. ISO 27001 is a serious, worthwhile commitment when the timing is right, and an expensive distraction when it is not. The right answer for many SMEs is “yes, but not yet.”

The organising principle

Budget for ISO 27001 as a multi-year programme, not a purchase. The certificate fee is the visible cost; the management system behind it is the real one. Get the basics in place first, and much of that spend becomes an upgrade rather than a fresh start.


SecurSentry is launching soon to help UK SMEs work through their compliance journey, from the basics like Cyber Essentials, and carrying that effort forward towards bigger standards like ISO 27001, so the work you do once keeps paying off. Join the waitlist to be among the first to know when we open.

This article is for general information only and does not constitute legal or compliance advice. Costs vary by organisation, scope and auditor; where in doubt, consult a qualified professional or an accredited certification body.

Frequently asked questions

How much does ISO 27001 certification cost for a small business?

The certification-body audit fee for a smaller UK organisation is typically a few thousand pounds for the initial Stage 1 and Stage 2 audit — figures for a small, single-site business commonly fall in the region of £4,000 to £8,000, and tend to sit higher with a UKAS-accredited body. But that fee is only part of the picture — building and running the management system behind it usually costs as much again, or more, in internal time and any consultancy support. Across a full three-year cycle, total ISO 27001 cost for an SME commonly lands in the low tens of thousands of pounds. Treat any figure as a guide and get quotes for your actual scope.

Why is ISO 27001 so much more expensive than Cyber Essentials?

Cyber Essentials checks five core technical controls and is largely a point-in-time assessment. ISO 27001 asks you to build and continuously run a formal information security management system — risk assessments, policies, internal audits, management reviews and evidence — and it is independently audited on a three-year cycle. You are paying for depth and for ongoing assurance, not a one-off tick.

What are the ongoing costs of ISO 27001 after certification?

ISO 27001 certification is valid for three years, but it is not a set-and-forget badge. You undergo annual surveillance audits in the years between certification and recertification, and a fuller recertification audit at the end of the cycle. Each carries an audit fee, and you also need to keep the management system genuinely running — internal audits, reviews and maintained evidence — which is an ongoing internal cost in time.

Should an SME get Cyber Essentials or ISO 27001 first?

For most smaller businesses, Cyber Essentials first is the sensible order. It is faster and far cheaper, it closes the most common security gaps, and a lot of the groundwork carries forward into an eventual ISO 27001 project. ISO 27001 makes most sense once enterprise customers are specifically asking for it, or you are operating in a regulated supply chain that expects it.

Written by The SecurSentry Team

We write plain-English notes on security and compliance for small businesses — the things we wish someone had explained to us. Read more notes →

More from the blog

Cyber Essentials

How to Choose a Cyber Essentials Certification Body

4 Jul 2026 · 6 min
Cyber Essentials

What Cyber Essentials Plus Actually Costs

1 Jul 2026 · 6 min
SME security

The UK Small Business Compliance Journey: Cyber Essentials, GDPR and Security Questionnaires

29 Jun 2026 · 8 min

Be first to know when we launch.

Leave your email and we'll let you know the moment SecurSentry is ready. One email — no newsletters, no spam.

Just one email, at launch. We never share your data. Privacy policy.

You're on the list — we'll be in touch at launch.