ISO 27001 certification cost calculator
Plug in your context, see a year-one range, see the three-year total cost of ownership, see what is inside the number. The assumption set is published below. No email is captured to release the result.
- Stage 1 + Stage 2 audit fees: £5,800 – £17,600
- Implementation effort: £6,100 – £18,700
- Tooling (GRC, evidence): £3,200 – £9,900
- Remediation: £2,900 – £8,800
The assumption set
Every figure the calculator returns is constructed from explicit assumptions. They are listed below in full so the math can be re-derived. Where the assumption does not match your context, adjust the input or read the relevant detail page.
- Geographic base. UK organisation. Day rates and tooling figures are GBP. For regional variation see the UK vs global page.
- Body tier baseline. Mid-tier UKAS-accredited body (NQA, Alcumus ISOQAR, BAB, Citation tier). Day rate £1,050. Top-tier (BSI, LRQA, BV) applies a 1.18x multiplier on the audit-fee component.
- Internal champion rate. £75/hour fully loaded (UK SME / mid-market typical), £90/hour for enterprise. Time commitment varies with company size and pathway choice.
- Maturity multiplier. None: 1.00x. Partial (informal controls): 0.82x. Mature (SOC 2 or ISO 9001 in place): 0.62x on implementation effort, tooling and remediation.
- Pathway multiplier. Full external (consultant-led): 1.18x. Hybrid: 1.00x. Full internal (light advisory): 0.86x.
- Multi-site uplift. 1.22x where multi-site is selected. The full multi-site day-count multiplier table is on the enterprise page.
- Surveillance year share. Year-2 audit fee runs at 34 percent of initial Stage 2 fee; year-3 at the same rate plus a small inflation increment. Tooling persists at full subscription.
- Component shares of year-1 spend. Audit 32%, implementation 34%, tooling 18%, remediation 16%. Shares vary with company size; the figures above are mid-band. Detail on the cost drivers page.
The math
The calculator is intentionally simple so the result is defensible. The formula in pseudocode:
```
baseline = SIZE_BASE[size]                    # company-size band
adjusted = baseline
    * SCOPE_MULT[scope]                       # ISMS scope
    * MATURITY_MULT[maturity]                 # current security maturity
    * MIX_MULT[mix]                           # pathway choice
    * (multiSite ? 1.22 : 1)                  # multi-site uplift
audit = adjusted * 0.32 * BODY_MULT[body]     # audit-fee share, body tier
tooling = adjusted * 0.18                     # GRC platform contract
implementation = adjusted * 0.34              # internal effort
remediation = adjusted * 0.16                 # gap-to-audit-ready
year1 = audit + tooling + implementation + remediation
year2 = audit * 0.34 + tooling                # surveillance + tooling
year3 = year2 * (1.02 .. 1.04)                # small inflation increment
total3y = year1 + year2 + year3
```
The formula does not assume monthly inflation, regional variation within the UK, or commercial concession from certification bodies. For a regulated-industry programme (financial services, healthcare) add a 15 to 25 percent overlay on remediation; for a public-sector tender requirement, default to the UKAS top-tier body multiplier.
Discuss your specific situation
If your scenario does not fit cleanly into the calculator (a novel scope, a complex regulatory overlay, an in-progress acquisition, a customer contract with bespoke wording), an advisory conversation typically produces a more defensible budget figure than a wider input range here.
The advisory inquiry below routes to Digital Signet's compliance-adjacent advisory line. There is no obligation attached to the conversation and no automated email-capture follow-up.