Independent reference. Not affiliated with ISO or any certification body. See methodology.

Internal team vs external consultant: when each pathway pays off

Every cost page on the SERP hand-waves the consultant-vs-internal decision with "it depends". This page names the crossover. Below 30 FTE with no prior security maturity, consultant-led almost always wins on time and risk. Above 100 FTE with an existing security function, internal-led wins on cost. The middle band gets a real decision matrix.
Section 1

The three pathways

Three operating models cover almost every UK ISO 27001 first-time certification. Naming them precisely is the first step in costing them honestly.

Three operating models for first-time ISO 27001

| Pathway | Who runs the project | Internal effort | External effort |
|---|---|---|---|
| Full external | Consultant runs the programme end to end | Roughly 0.2 FTE for 9 months | 20 to 35 consultant days |
| Hybrid | Consultant designs ISMS, internal team delivers | Roughly 0.5 FTE for 9 months | 10 to 18 consultant days |
| Full internal | Internal lead, GRC platform, occasional advisor calls | Roughly 0.8 FTE for 9 to 12 months | 0 to 5 advisor days |

Most teams default to "hybrid" without naming it. The pathway is worth costing explicitly because the failure modes are different: full-external pathways tend to overrun on consultant days, full-internal pathways tend to overrun on calendar time.

Section 2

UK consultant day rates and engagement length

UK ISO 27001 consultant day rates run from £800 to £1,400 for typical practitioners, with specialist or lead-auditor backgrounds at £1,500 to £2,000+. A first-time SME engagement runs 15 to 30 consultant days depending on pathway choice and current maturity.

Typical UK consultant cost for SME first-time ISO 27001

| Pathway | Consultant days | Day rate | Consultant total |
|---|---|---|---|
| Full external | 20 – 35 | £1,000 | £20,000 – £35,000 |
| Hybrid | 10 – 18 | £1,000 | £10,000 – £18,000 |
| Full internal | 0 – 5 | £1,000 | £0 – £5,000 |

What a consultant day buys, in practice: design and review of policies, control implementation guidance, mock internal audit, Stage 1 readiness review, on-call support during Stage 2. What it does not buy: ownership of any control. Auditors test the implementation, not the consultant.

Section 3

Cost comparison by company size

Three-year TCO by pathway and company size

| Company size | Full external | Hybrid | Full internal |
|---|---|---|---|
| Under 50 FTE | £32k – £62k | £25k – £48k | £18k – £36k |
| 50 – 250 FTE | £55k – £105k | £42k – £85k | £35k – £75k |
| 250 – 1,000 FTE | £110k – £210k | £90k – £165k | £75k – £135k |

Three-year totals include audit fees, tooling subscriptions, internal time (at £75/hour fully loaded), consultant fees and remediation. The full-internal pathway looks cheapest in the table because consultant days are zero, but its internal time line item is significantly larger and much easier to overlook.

Section 4

The crossover analysis

The honest decision rule: pathway choice is governed by three variables, not one. Company size is the headline; security maturity and time pressure shift the line meaningfully.

Crossover thresholds: where each pathway typically wins

| Profile | Maturity | Time pressure | Recommended pathway |
|---|---|---|---|
| Under 30 FTE | None | Any | Full external or hybrid |
| 30 – 70 FTE | None | 6-month deadline | Hybrid |
| 30 – 70 FTE | Partial | 9-month plan | Hybrid |
| 70 – 150 FTE | None | Any | Hybrid |
| 70 – 150 FTE | SOC 2 in place | Any | Hybrid or full internal |
| 150+ FTE | Any meaningful security function | Any | Full internal |

The crossover from hybrid to full internal happens around 100 FTE when an internal security or compliance function is already in place. Below that, the internal effort to stand up the ISMS without experienced guidance is typically more costly than the consultant days saved.

Section 5

What internal pathways require, in skills

A full-internal pathway needs an ISMS lead with sufficient practical information-security experience to make Annex A control decisions, a documentation owner with policy-authoring discipline, an internal auditor (cannot be the same person as the ISMS lead under Annex A requirements), and an evidence custodian to manage the audit-day pack.

For a 50 to 250 FTE organisation, this typically means hiring or re-roling a 0.5 to 0.8 FTE for the year-one programme. Beyond year one, ongoing ISMS lead time settles at 0.2 to 0.5 FTE for SME and 0.5 to 1 FTE for mid-market. Recruit-or-train cost: a UK ISMS manager with one prior implementation typically costs £55,000 to £75,000 per year fully loaded.

Section 6

The cheapest legitimate path

For an under-30 FTE firm with an internal champion, the cheapest legitimate first-time ISO 27001 path is: existing SaaS-stack baseline, mid-tier GRC platform contract, mid-tier UKAS body, plus 5 to 10 days of advisor time at the design stage and at Stage 1. The total floor sits at roughly £8,000 in year one.

Anything below that figure suggests a shortcut that will fail Stage 2: a non-UKAS body chosen without due diligence, a GRC platform that is not configured to your control set, or an internal champion without practical ISMS experience. The Stage 2 audit will catch all three. The detail by scenario is on the small business page.

Section 7

Where to read next

To compare GRC platforms in the context of pathway choice, see the tooling page. For the gap-assessment input that feeds pathway choice, see the gap assessment page. For sanity-check scenarios at the SME and enterprise scale, see the small business and enterprise pages.