ISO 27001 · 1 July 2026
ISO 27001 cost and timeline: the factors that drive them
Two of the most common questions about ISO/IEC 27001:2022 are “how much will it cost?” and “how long will it take?”. Neither has a single answer, because both depend on your organisation. This guide explains the factors that drive cost and timeline, so you can plan a realistic budget rather than rely on a headline figure.
Why there’s no single price
Certification isn’t a product with a fixed price tag. It’s a combination of your own effort, external support if you choose it, and the certification body’s fees — and each of those scales with the size and complexity of your organisation. A five-person software firm and a fifty-site care group face very different journeys. That’s why any credible provider will look at your situation before quoting.
As a rough guide, certification for an SME typically takes 3 to 6 months from a standing start, though it can be quicker for a small, well-prepared organisation or longer for a larger or more complex one.
The two types of cost
It helps to separate the costs into two buckets.
| Cost type | What it covers |
|---|---|
| Implementation cost | Building the ISMS: internal time, consultancy support, tooling, and any technical fixes |
| Certification cost | The UKAS-accredited body’s fees for Stage 1, Stage 2 and ongoing surveillance audits |
The certification body’s fees are separate from any consultancy support and are set by that body based on your organisation’s size and scope.
Factors that drive cost and timeline
1. Scope
The single biggest driver. A narrow scope — one product, one team, one location — is faster and cheaper to certify than an organisation-wide scope covering many systems and sites. Defining a sensible scope early is one of the most effective ways to control both cost and time.
2. Organisation size and complexity
More people, more locations, more systems and more suppliers all add effort — to the risk assessment, the controls, the documentation and the audit itself. Certification bodies also factor headcount and complexity into their fees and audit duration.
3. Your starting point
Where you begin matters enormously:
- If you already hold Cyber Essentials or IASME Cyber Assurance, you’ll have a head start on many technical controls.
- If you have existing policies, access controls and backups, there’s less to build.
- Starting from a blank page means more implementation effort.
Our free ISO 27001 gap assessment tool is a quick way to gauge your starting point.
4. Internal resource and expertise
If you have people who understand information security and can dedicate time, more of the work can be done in-house. If not, external support fills the gap. Either way, someone’s time is the real cost — the question is whose.
5. Documentation and control gaps
The wider the gap between where you are and what the standard requires, the more work to close it. Technical remediation — such as introducing multi-factor authentication, encryption or logging — can add both cost and time if it isn’t already in place. Our documentation checklist shows what’s needed.
6. Ongoing maintenance
Certification isn’t a one-off spend. Budget for the ongoing cycle: internal audits, management reviews, and annual surveillance audits, plus recertification every three years. A lean, well-run ISMS keeps these ongoing costs proportionate.
A realistic timeline
While every project differs, a typical SME path looks like this:
- Scoping and gap assessment — understand where you stand.
- Risk assessment and treatment planning — see our risk assessment guide.
- Implementation — put controls, documents and records in place.
- Internal audit and management review — both mandatory before certification; see our internal audit guide.
- Stage 1 audit — documentation and readiness.
- Stage 2 audit — effectiveness, leading to a certification decision.
The 3 to 6 month guide reflects a focused SME project. The elements that most often extend timelines are broad scope, limited internal time, and technical remediation that takes longer than expected.
How to keep cost and time under control
- Scope tightly to what genuinely needs certifying.
- Start with a gap assessment so there are no surprises.
- Build on existing schemes like Cyber Essentials rather than starting fresh.
- Right-size your documentation — avoid over-engineering.
- Dedicate some internal time so the project keeps moving.
- Choose a UKAS-accredited body so the certificate carries weight the first time.
If any of the terms are unfamiliar, our glossary explains them plainly.
How we can help
We believe cost should be clear from the outset, which is why we work on a transparent, fixed-fee basis with a clear delivery process — no open-ended day rates and no surprises. We provide practical support throughout, scaled to your scope and starting point, and can help you plan a realistic budget and timeline before you commit. A good first step is our free ISO 27001 gap assessment tool.
Learn more about our ISO 27001 service or get in touch for a scoped conversation about your project.
Need help in practice? See our ISO 27001 service.