How the cost ranges on this site are sourced

Cost ranges on this site are constructed from the following sources, named openly so the basis can be checked. Where a specific source contributed to a specific figure, the relevant page lists the attribution inline.

• UKAS-accredited certification body public materials. Day-rate disclosures, tier positioning, transition guidance from BSI, LRQA, NQA, Bureau Veritas, SGS, Alcumus ISOQAR, BAB and Citation ISO Certification published April 2025 to April 2026.
• GRC vendor partner-programme price disclosures. Reseller-published pricing, partner-portal disclosures and public G2 / TrustRadius contract-value reports for Vanta, Drata, Sprinto, Scytale, Secureframe and Comp AI, sampled April 2025 to April 2026.
• Practitioner survey data. UK ISO 27001 implementation survey data published by ISMS.online, Hightable and ISO27001 community write-ups (2024 to 2026).
• UK consultant day-rate disclosures. Public day-rate guidance from UK ISO 27001 specialist firms (Evalian, YourISO, Beacon Risk, Iseoblue, Tempo Audits, Kafico) sampled April 2025 to April 2026.
• Cluster keyword research. Google Keyword Planner UK volume data April 2025 to March 2026, used for editorial scoping (which queries deserve dedicated pages); not for cost figures.
• First-hand engagement histories. Anonymised cost data from Digital Signet's compliance-adjacent advisory pipeline. Where used, the figure is presented as consistent with the public-source range, not as a separate primary citation.

For each cost line, we collect data points across the named source list, normalise to GBP-2026, exclude clear outliers (single quotes more than 1.5 standard deviations from the cluster, or quotes whose scope assumption is incompatible), and report the inter-quartile band.

The result is a 25th-to-75th percentile range. We do not publish a single point estimate because point estimates over-claim precision; we do not publish the full range because the tails carry small samples. Where a range tightens or widens significantly between sample dates, the relevant page is updated with the new band and the prior band noted.

Some figures cannot be sourced cleanly enough to publish. Listing them openly is part of the credibility surface.

• Specific certification-body fee tariffs. BSI, LRQA and others redact specific fee tariffs in writing. We publish the tier band, not the named-body specific quote.
• Specific consultant rate cards. Day rates are presented as bands. Named-firm rate cards are confidential.
• Customer-named pricing for GRC platforms. Where a specific customer's contract value is known to us through advisory work, it is not published. Bands derive from public sources only.
• Per-firm comparisons. We publish positioning notes for major GRC vendors but do not produce side-by-side feature grids. Feature parity changes quarterly; static grids are stale within months.

Cost ranges on this site update only when the underlying reality changes. We do not perform cosmetic date bumps. The triggers that warrant revision:

• ISO 27001 standard revision (the next watch item; 2022 was the last major revision).
• UKAS or related accreditation framework changes that affect assessment-day calculation.
• Major GRC platform pricing model change (a vendor moving from tier-banded to per-employee, for example).
• Material UK regulatory or procurement-framework change that redefines accreditation requirements.
• Aggregate movement in UK consultant day rates greater than 10 percent over a 12-month sample.

Each substantive revision is logged with the date and the change. The revision log is hosted on the FAQ page under the "When does this page update?" question.

This site is compiled by Digital Signet, an independent compliance-adjacent advisory practice. Substantive page revisions are attributed to a named author. Digital Signet does not sell ISO 27001 certification, does not act as a certification body, and does not run a GRC platform.

Where Digital Signet's advisory practice has been engaged on compliance-adjacent work for an organisation referenced in editorial content, the relevant page is reviewed for any conflict of interest before publication.

A single advisory inquiry form is provided on the calculator page. There is no newsletter signup, no email gate on any tool, no chat widget. The advisory line is for discussions where the calculator output does not produce a defensible budget figure for a specific scenario.

For the FAQ and revision log, see the FAQ page. For the calculator math reference, see the calculator page. For the year-over-year update reference, see the annual maintenance page.