# Where ISO 27001 budgets actually blow up: remediation, evidence and scope creep

## Three patterns behind most cost overruns
Practitioner reports across UK first-time ISO 27001 engagements show three patterns recurring. The patterns differ in shape but compound when more than one is present.
- Under-estimated remediation work after the gap assessment. The findings list is technically complete, but the effort estimated to close each finding is light. Privileged access management is the line that most often surprises the budget.
- Evidence collection consuming 2 to 3 times the estimate. Annex A controls demand operational evidence over time, not just at audit. First-time teams routinely under-estimate the evidence cadence by a factor of two.
- Scope creep mid-audit. Stage 1 surfaces a subsidiary, a third-party processor or a shadow-IT system that should be in scope. Re-scoping mid-cycle adds audit days and unplanned remediation.
## Remediation: the four findings that move the bill most
UK practitioner data across 50 to 250 FTE first-time engagements shows four remediation lines accounting for the bulk of overrun spend. Cost bands below assume the finding is real and the remediation is implemented, not deferred.
| Remediation | Typical cost band | What drives it |
|---|---|---|
| Privileged access management | £5,000 – £15,000 | PAM tooling, IAM rework, time-bounded admin sessions |
| Encryption of data at rest | £2,000 – £10,000 | Stack dependent. Cheaper on cloud-native, expensive on legacy estate |
| Supplier security questionnaire programme | £3,000 – £8,000 | First-time vendor inventory, security questionnaire issuance, response review |
| Data classification rollout | £4,000 – £12,000 | Classification scheme, labelling, DLP rules, exception handling |
The four lines above can together represent £14,000 to £45,000 of remediation effort that no budget paper called out. Where the gap assessment is rigorous, the lines appear in the remediation register with named owners; where the assessment is light, they emerge after Stage 1 and compound the timeline pressure.
## Evidence collection: the 60 to 200 hour band
First-time ISO 27001 evidence collection consumes between 60 and 200 internal hours, depending on company size, scope and existing documentation discipline. The driver is not control count; it is the number of separate systems and people that produce evidence over the 12-month operating window.
| Company size | Hour band | Calendar pattern |
|---|---|---|
| Under 50 FTE | 60 – 110 hours | Concentrated bursts in month 4 and in months 7 to 10 |
| 50 – 250 FTE | 110 – 180 hours | Standing programme, accelerating in months 7 to 10 |
| 250+ FTE | 180+ hours | Continuous programme owned by ISMS lead |
GRC platforms claim to halve evidence-collection time. In practice they do this for cloud-native firms with API-rich tooling, where the platform integrates against the same systems that hold the evidence. For non-cloud-native firms, the saving is smaller because the evidence still has to be assembled from email, document stores and screenshots. Detail on platform value is on the tooling page.
## Scope creep mid-audit
Three patterns drive mid-audit scope expansion. A subsidiary or recently acquired entity surfacing during the Stage 1 documentation review is the most common. A third-party processor not previously included in the supplier register is the second. Shadow IT (an AWS account no one named, a SaaS the marketing team owns) is the third.
The cost shape is consistent. A scope expansion typically adds 10 to 25 percent additional audit days at the same day rate, plus unplanned remediation in the new scope area. For a 50 to 250 FTE engagement, this typically adds £3,000 to £12,000 on the audit-fee side and a similar amount on remediation.
## What we underestimated, in practice
Anonymised practitioner reports from UK engagements over 2024 to 2026 surface a small number of recurring underestimates:
- "We thought tooling could replace policy authoring." GRC platform policy templates produce a starting point, not a policy. Policies still require editorial work to fit the organisation, typically 20 to 40 hours of senior time across the policy set.
- "We assumed the supplier list was clean." First-time supplier inventories typically surface 30 to 60 percent more in-scope third parties than initially named. Each requires a security questionnaire issued and reviewed.
- "We did not budget for internal audit days." ISO 27001 clause 9.2 mandates an internal audit programme separate from the certification audit. For an SME this is 3 to 6 days of internal time, recurring annually, and it competes for the same calendar as the certification audit.
- "Stage 1 was a documentation review, not a tick-box exercise." Stage 1 findings frequently delay Stage 2 by 4 to 6 weeks. The remediation between stages is the most-commented underestimate in practitioner write-ups.
## Mid-cycle recovery options when the budget has overrun

When a programme is mid-cycle and over budget, the recoverable options are narrower than they were at planning. In order of impact:

- Defer non-mandatory tooling spend (DLP, advanced PAM) until year two and document the compensating controls in place meanwhile.
- Reduce scope where defensible (a single product line first, broadening in year two).
- Extend the timeline to 12 months instead of 9 if the customer-side deadline allows.

Cancelling the engagement is rarely the right answer once the gap assessment has been done; the work survives a re-attempt next quarter.
## Where to read next
For the gap-assessment process that produces the remediation register, see the gap assessment page. For the year 2 and year 3 surveillance position once remediation is complete, see the annual maintenance page. To plug a remediation reserve into a defensible programme budget, use the calculator.