
ISO 27001 Certification Cost in the UK: What a London Small Business Should Really Budget in 2026

A framed ISO 27001 certificate on a London office wall next to an open invoice, representing the gap between certification cost and real security value

The Tale of Two Quotes

Two London firms sat down in January with almost identical problems. Both were professional services businesses. Both had around twenty-five people. Both had just lost a piece of work because a prospective client asked whether they were ISO 27001 certified, and the answer was no.

Both firms got quoted roughly fifteen thousand pounds by their consultants to fix it.

Six months later, both firms had the certificate on the wall. One of them was no harder to breach than the day they started. The other had a business that was genuinely defensible. Same money. Same certificate. Wildly different outcomes.

This article is about what ISO 27001 actually costs a small business in London in 2026. The honest numbers are below, broken down the way your finance director would want to see them. But before we get there, a warning. The number on the consultant's quote is not the real cost. Sometimes it is not even half of it. And the cost on paper tells you almost nothing about whether the money was well spent.

Here is what you should really budget for.

The Headline Numbers

Let us start with what you came here for. These are realistic 2026 ranges for a London small business pursuing UKAS-accredited ISO 27001 certification, the only kind that carries weight with serious enterprise clients.

  • 10 to 25 employees: £8,000 to £15,000 in year one
  • 25 to 50 employees: £12,000 to £25,000 in year one
  • 50 to 100 employees: £20,000 to £40,000 in year one
  • Ongoing maintenance from year two onwards: £3,000 to £10,000 per year, rising in the year you face recertification

Two things to notice about those ranges. First, they are wide. Anyone who quotes you a single confident figure without scoping your business has not done the work. Second, the cheapest end of each range almost always means corners cut somewhere, usually in the policy work or the consultant's involvement. The expensive end usually means proper hand-holding through a process that genuinely changes how your business operates.

These figures cover what a competent consultant or compliance partner would charge, what an accredited certification body charges for the audit itself, and the software you will need to run your information security management system. They do not cover the cost of your own people's time, which we will come to shortly, because that is the cost nobody quotes you for and nobody warns you about.

If your business sits at the small end of that range and you are already feeling the budget tighten, pause here. The decision to pursue ISO 27001 should not be made on cost alone, and it should certainly not be made on the lowest quote.

  • Year one cost scales with headcount, from around £8,000 for the smallest firms to £40,000 for those approaching 100 staff
  • Maintenance never goes away: expect £3,000 to £10,000 every year after, with a jump at recertification
  • The cheapest quotes almost always cut corners on policy work or consultant involvement
  • Only UKAS-accredited certification carries weight with serious enterprise procurement teams

Where the Money Actually Goes

The headline numbers break down across three visible cost pillars. Understanding them helps you read a quote properly and spot where a consultant is lowballing to win the work.

Pillar one: Implementation. This is where most of the year-one budget lives. It covers the gap analysis that tells you how far your current setup is from the standard, the policy and procedure writing, the risk assessment work, the training, and the consultant time spent walking your team through what needs to change. For a 25-person firm, expect this to account for sixty to seventy per cent of the year-one cost. Implementation is also where the biggest quality differences between providers show up. A consultant who hands you a folder of templated policies and disappears has done implementation cheaply. A consultant who sits with your operations director and rewrites the policies to fit how your business actually runs has done it properly.

Pillar two: The certification audit. This is the bit people overestimate. The formal audit is conducted by a UKAS-accredited certification body, not your consultant, and it happens in two stages. Stage one is a documentation review. Stage two is the on-site audit where the auditor checks that what you have written down is what you actually do. For a small London business, the audit itself usually costs between £4,000 and £8,000. It is mandatory, it is non-negotiable, and the certification body fees are broadly similar across the market.

Pillar three: Ongoing maintenance. ISO 27001 is not a one-and-done purchase. The certificate is valid for three years, but you face a surveillance audit every year and a full recertification audit in year three. Between audits, you need to be running the management system properly: reviewing policies, logging incidents, training new starters, conducting internal audits. The annual cost depends almost entirely on whether you keep your consultant on retainer or run the system internally. Most small businesses that try to run it internally underestimate how much work it is, and the certificate quietly becomes a wall decoration between audits.

That is where the visible money goes. Now we get to the costs nobody mentions.

  • Implementation eats 60–70% of the year-one budget and is where quality differences between providers show up most clearly
  • The audit itself is £4,000 to £8,000 and the fees are broadly similar across UKAS-accredited bodies
  • Maintenance is the silent killer: surveillance audits each year, recertification in year three, and a management system that needs running in between

The Costs Nobody Quotes You For

Here is what your consultant will not put on the invoice.

The cost of your own people's time. Implementing ISO 27001 is not something a consultant does to your business. It is something they do with your business. Your operations director, your IT lead, your HR manager, your finance head, and at least one founder or director will spend real hours on this for months. For a 25-person firm, expect somewhere between two hundred and four hundred internal hours across leadership and operations during the implementation phase. At a blended cost of seventy-five to a hundred pounds per hour for senior staff time, that is fifteen to thirty thousand pounds of cost that never appears on a single quote. It comes out of your payroll instead, dressed up as everyone being a bit busier than usual.

The productivity drag. New approval workflows. New documentation requirements. New checks before things that used to take five minutes now take twenty. The first six months after certification feel slower because they are slower. Most of this drag is the cost of doing things properly, which is precisely why you are pursuing certification in the first place. But nobody warns you in advance, and nobody factors it into the business case. If you are running tight on capacity already, the timing matters.

The policy graveyard. This is the most expensive hidden cost, and the easiest one to miss. Off-the-shelf policy templates are cheap, fast, and entirely useless if nobody in your business owns them. The consultant who sells you a policy pack for two thousand pounds has saved you ten thousand on the visible budget and cost you a hundred thousand in real risk, because the policies sit in a folder that nobody opens, governing behaviour that nobody changed. When the audit comes, you scramble. When the breach comes, you discover that the documentation does not match reality. Both are expensive in different ways.

Add the hidden costs to the visible ones and the picture changes. The real first-year cost for a 25-person London firm pursuing ISO 27001 properly is closer to thirty to forty-five thousand pounds, not the fifteen on the consultant's quote. That is the number your finance director needed two weeks ago, and it is the number nobody in this market wants to write down.

  • Internal time costs £15,000–£30,000 in senior salary that never appears on a quote: the silent line on your payroll
  • Productivity drags for six months after certification; plan for it instead of being surprised by it
  • Templated policies are the most expensive false economy: cheap to buy, ruinous when the audit or breach exposes the gap
  • The honest first-year cost for a 25-person firm doing this properly is £30,000–£45,000, roughly double the visible quote

Certificate or Security? The £15,000 Question

Now back to the two firms from the opening.

Firm A wanted the certificate. They bought a policy template pack, hired a consultant who specialised in passing audits cheaply, and treated the whole project as a paperwork exercise. Their staff sat through a one-hour training session. The policies were filed and forgotten. Twelve months later they had the certificate on the wall and an information security posture that was identical to the day they started. They could pass the surveillance audit because the documentation existed. They could not survive a serious phishing campaign because nothing about the business had actually changed.

Firm B wanted to be more secure. They scoped the implementation around the things that were genuinely broken. They rewrote the policies to fit how their teams actually worked, not how a template imagined they worked. They used the project to fix things that had been on the to-do list for years: poor access controls, inconsistent starter and leaver processes, a backup strategy that nobody had tested. Twelve months later they had the certificate and a business that was meaningfully harder to attack. Proper security awareness training was part of how they got there, not a one-hour box-ticking exercise.

The cost on paper was almost identical. The return was not.

And then there is a third option most articles will not tell you about.

A few years ago a fast-growing London creative agency hired me to get them ISO 27001 ready within a year, starting with Cyber Essentials in the first three months. The plan was sensible. The clients they were winning were the kind of clients you build a roadmap around: Meta, Nike, Lloyds Bank. Real procurement scrutiny, real security questionnaires, real consequences for getting it wrong.

What actually happened over the next two years was different. They never pursued either certification. Not because the project drifted, but because we made a deliberate call together. I was sitting in the room when the big clients asked the hard questions about their security posture. I had drafted the policies. I had communicated them across the agency. I made sure they were applied. The clients were satisfied because what they wanted was evidence of competent security governance, and a credible human in the room providing it turned out to be evidence enough. The certificate stayed on the roadmap. It was never needed.

This is not advice to skip certification. It is evidence that the question "do we need ISO 27001?" deserves a more honest answer than "yes, eventually." Sometimes the answer is yes. Sometimes the answer is not yet. Sometimes the answer is never, because your business model and your client base mean the certificate would be a wall decoration that costs you forty thousand pounds and gets you nothing you do not already have.

A consultant who cannot tell you which one applies to your business is selling you their service, not advising you.

  • Same certificate, same money, two different outcomes: the variable is whether the work behind the badge was real
  • For some businesses the right answer is "not yet" or "never"; credible governance and a real human in client conversations can outperform a certificate on a wall
  • If your consultant cannot tell you honestly which path fits your business, they are selling, not advising

When Spending the Money Is the Best Decision You Make This Year

For a great many London small businesses, the answer is genuinely yes. ISO 27001 is the right move, and the money is well spent.

If you sell to enterprise, central government, regulated financial services, or healthcare, the certificate is increasingly the price of admission. Procurement teams use it as a filter. Security questionnaires get answered in days instead of weeks. A sales cycle that used to stretch across six months collapses to six weeks because the certificate answers half the buyer's questions before they are asked. Many of the firms we work with discover this during a technology and security review, not before.

The clearest case I have seen looked like this. A small professional services consultancy spent around eighteen thousand pounds on certification. Within six months they had won a contract worth more than five hundred thousand pounds that had previously been blocked at the procurement stage. The certificate was not the only reason they won the work. But without it they would not have been allowed to bid.

That is the calculation worth running before you sign the quote. Not "can we afford this?" but "what specifically does this unlock, and how confident are we that it will unlock it?" If the answer is a credible enterprise pipeline that genuinely requires certification, the money is some of the best you will spend this year. If the answer is "it feels like we should have it," pause and have a different conversation.

  • If you sell to enterprise, government, financial services or healthcare, the certificate is increasingly the price of admission
  • The real ROI shows up in collapsed sales cycles, security questionnaires answered in days, and procurement filters that no longer block you
  • The right question is not "can we afford this?" but "what does this specifically unlock, and how confident are we?"

How We Approach This at Blue Icon IT

Most providers in this market do one of two things. Either they sell you the audit and walk away once the certificate is issued, or they sell you software that automates the paperwork without changing anything about your security. Both are legitimate businesses. Neither is what we do.

Our compliance work is built around the gap this article has been describing. The gap between certificate and security. The gap between policies that exist and policies that are lived. The gap between what your consultant promised and what your business actually got. It sits inside a broader cybersecurity posture rather than alongside it, because the two should never be separate conversations.

That means scoping properly before we quote. It means telling you when ISO 27001 is the wrong move for your business, the way I told that creative agency, and helping you find the right answer instead. It means writing policies that fit your business rather than forcing your business to fit a template. And it means staying with you between audits so the management system stays alive instead of quietly dying in a folder nobody opens.

It also means being honest about cost. The honest cost is usually higher than the cheapest quote on your desk. The honest return, when the work is done properly, is usually higher too.

  • Most providers either sell the audit and disappear, or sell software that automates paperwork without improving security
  • Our compliance work sits inside a broader security posture, never alongside it as a separate exercise
  • Honest scoping, policies that fit your business, and a partner who stays with you between audits

What to Do Next

The right ISO 27001 budget is not the lowest quote. It is the quote that buys you something real: a certificate, a defensible business, and a clear answer to the procurement questions that have been costing you contracts.

If you are weighing up whether ISO 27001 is the right move for your business, or trying to make sense of a quote that does not feel quite right, the most useful thing we can do is have a proper scoping conversation. No template estimates, no off-the-shelf packages. A real look at your business, your clients, and what certification would actually do for you.

Book a compliance scoping call and we will give you an honest answer, including the answer you might not want to hear.


At Blue Icon IT, we help London small businesses get ISO 27001 certification right the first time, or decide honestly that they do not need it yet. If you are scoping certification, comparing quotes, or trying to read between the lines of a consultant's proposal, get in touch.

Marc Dirrenberger

Blue Icon IT Founder & Tech Consultant

Marc helps businesses navigate technology adoption securely and effectively. He focuses on practical IT strategies that drive real business outcomes for SMBs and startups.
