Stage 1, Stage 2 and surveillance audit fees explained
How audit fees are actually calculated
Every UKAS-accredited audit fee on a UK quote breaks down to the same two factors: a day rate and a day count. Day rate is set by the certification body and varies with body tier (top-tier names like BSI and LRQA carry a 15 to 20 percent premium over mid-tier UKAS bodies, which in turn run above non-UKAS or smaller bodies). Day count is set by the auditor and varies with the number of sites, the ISMS scope, the number of in-scope FTEs, and the maturity evident in the Stage 1 documentation.
Reading a quote: if a body cannot articulate the day rate and day count separately, the quote is not auditable for fairness. UKAS guidance on assessment-day calculation is published openly. A quote significantly above the mid-tier band for a comparable scope is worth questioning before signature.
Day rates by UK certification body tier
| Body tier | Examples | Day rate band |
|---|---|---|
| Top tier UKAS | BSI, LRQA, Bureau Veritas, SGS | £1,100 – £1,600 |
| Mid tier UKAS | NQA, Alcumus ISOQAR, BAB, Citation ISO Certification | £850 – £1,250 |
| Smaller UKAS bodies | Smaller specialist UKAS-accredited bodies | £700 – £1,000 |
| Non-UKAS / international | ANAB-accredited, IAF-listed bodies serving UK customers | £600 – £950 |
Day rates above are practitioner-sourced from quotes received April 2025 to April 2026. Body-tier choice should be driven by who your customers and prospects recognise: if you are selling into the FTSE 350 or UK public sector, top-tier UKAS bodies signal more reliably. For a US-customer-led SaaS, a non-UKAS body sometimes suffices.
Day-count guidance by company size and scope
UKAS publishes guidance on minimum assessment days. Practitioners sometimes negotiate down for narrow scopes or up for complex ones. The bands below are the typical observed range for first-time UK certification.
| Company size | Scope | Stage 1 days | Stage 2 days | Surveillance days |
|---|---|---|---|---|
| Under 50 FTE | Single product | 1 | 3 – 4 | 1.5 – 2 |
| 50 – 100 FTE | Single product or BU | 1.5 | 4 – 6 | 2 – 3 |
| 100 – 250 FTE | Multi-product, single entity | 2 | 5 – 8 | 2.5 – 4 |
| 250 – 1,000 FTE | Multi-site, single entity | 2 – 3 | 7 – 12 | 4 – 6 |
| 1,000+ FTE | Multi-entity | 3 – 5 | 10 – 18 | 5 – 9 |
Surveillance day count is typically 50 to 70 percent of Stage 2 day count. Recertification in year 4 returns close to Stage 2 day count, often without a separate Stage 1.
Three worked UK examples
The three scenarios below are constructed at a mid-tier UKAS body day rate of £1,050 (mid of the band). Substitute another tier and the figures shift proportionally.
| Audit | Days | Day rate | Total |
|---|---|---|---|
| Stage 1 | 1.0 | £1,050 | £1,050 |
| Stage 2 | 3.5 | £1,050 | £3,675 |
| Surveillance year 2 | 2.0 | £1,050 | £2,100 |
| Surveillance year 3 | 2.0 | £1,050 | £2,100 |
| Three-year audit fee total | 8.5 | - | £8,925 |
| Audit | Days | Day rate | Total |
|---|---|---|---|
| Stage 1 | 2.0 | £1,050 | £2,100 |
| Stage 2 | 6.0 | £1,050 | £6,300 |
| Surveillance year 2 | 3.0 | £1,050 | £3,150 |
| Surveillance year 3 | 3.0 | £1,050 | £3,150 |
| Three-year audit fee total | 14.0 | - | £14,700 |
| Audit | Days | Day rate | Total |
|---|---|---|---|
| Stage 1 | 3.0 | £1,050 | £3,150 |
| Stage 2 | 10.0 | £1,050 | £10,500 |
| Surveillance year 2 | 5.0 | £1,050 | £5,250 |
| Surveillance year 3 | 5.0 | £1,050 | £5,250 |
| Three-year audit fee total | 23.0 | - | £24,150 |
Substitute a top-tier UKAS body day rate (£1,400) for example B and the three-year total moves to roughly £19,600. Substitute a non-UKAS body (£800) and the same scope drops to roughly £11,200, with the tradeoff that the non-UKAS certificate may not satisfy a UK enterprise customer or public-sector tender.
What is in the audit fee, and what is extra
Most UK certification body quotes include the auditor day rate, report production, certificate issuance and a portion of admin overhead. They typically exclude expenses (travel for on-site days, which post-pandemic is increasingly remote), scope-extension days if the ISMS expands during the cycle, and any Stage 1 retrials if documentation is rejected.
Where to read next
For the surveillance year 2 and year 3 picture, see the annual maintenance page. For UKAS versus non-UKAS quantified, see the UK vs global page. To plug your specific company-size and scope into a defensible number, use the calculator.