ISO 27001 certification cost for small businesses, startups and SaaS firms
What 'small' means here
'Small' means under 50 FTE for the purposes of this page. The cost shape changes materially above that threshold (audit day count rises faster than tooling cost falls, and internal champion time becomes 0.5 FTE or more). Below 50 FTE, the dominant cost levers are the GRC platform contract, the gap-assessment and remediation cycle, and the choice of certification body tier.
Three driver patterns small firms hit hardest
Three patterns recur in UK small-firm first-time certification. Naming them at the planning stage avoids the most expensive mistakes.
- No internal champion bandwidth. Smaller firms usually do not have a dedicated information-security head; the project lands on a CTO, founding engineer or COO who already has a full job. The realistic time commitment for a 12-month programme is 0.3 to 0.5 FTE; under 0.2 FTE, the programme stalls.
- No prior security documentation. Small firms typically arrive at ISO 27001 with informal practices and few written policies. The policy-authoring effort is therefore from a base of zero, not from an existing policy set, and is larger than mid-market projects assume.
- GRC platform feels expensive. An £8,000 platform contract represents a large share of total year-one spend at SME scale. The temptation to defer or under-spec the platform usually trades a short-term saving for year-two evidence-collection pain.
Scenario A: 25-staff SaaS, no prior cert, single product
A 25-staff SaaS, no prior security certification, single product, customer pressure for ISO 27001 from a prospect contract. UK-based, single site (remote-first office), AWS-hosted, mid-tier UKAS body.
| Line item | Year 1 | Year 2 | Year 3 |
|---|---|---|---|
| Stage 1 + Stage 2 audit | £4.7k | - | - |
| Surveillance audit | - | £2.1k | £2.1k |
| Implementation effort (£75/hr) | £8k – £14k | £3k | £3k |
| GRC platform contract | £7k | £7k | £7k |
| Remediation | £3k – £8k | £0.5k | £0.5k |
| Internal champion time (0.3 FTE) | £15k | £8k | £8k |
| Year total | £37k – £49k | £20.6k | £20.6k |
Three-year TCO range: £78,000 – £91,000. Primary cost drivers: implementation effort and internal champion time, then GRC platform. Audit fees are a small share. The figure surprises some teams because internal time is often unbudgeted.
Scenario B: 12-staff fintech, SOC 2 in place
A 12-staff fintech, US SOC 2 Type II already in place from the prior year, UK customer pressure for ISO 27001. Cloud-native (GCP), single office, mid-tier UKAS body.
| Line item | Year 1 | Year 2 | Year 3 |
|---|---|---|---|
| Stage 1 + Stage 2 audit | £4.0k | - | - |
| Surveillance audit | - | £1.8k | £1.8k |
| Implementation effort (£75/hr) | £3k – £6k | £1.5k | £1.5k |
| GRC platform delta (already running) | £2k | £2k | £2k |
| Remediation | £1.5k – £3k | £0.3k | £0.3k |
| Internal champion time (0.2 FTE) | £8k | £5k | £5k |
| Year total | £18.5k – £25k | £10.6k | £10.6k |
Three-year TCO range: £40,000 – £46,000. The existing SOC 2 reduces year-one effort by close to 30 percent versus Scenario A on a per-FTE basis. Surveillance is also lighter because the supporting evidence base is already in place.
Scenario C: 40-staff scale-up, 6-month deadline
A 40-staff scale-up, no prior certification, enterprise-customer contract requiring ISO 27001 in 6 months. Multi-product (two SaaS properties), single UK office, hybrid pathway with mid-tier UKAS body.
| Line item | Year 1 | Year 2 | Year 3 |
|---|---|---|---|
| Stage 1 + Stage 2 audit | £6.5k | - | - |
| Surveillance audit | - | £3.2k | £3.2k |
| Implementation effort (£75/hr) | £12k – £18k | £4k | £4k |
| Consultant days (12 days × £1k) | £12k | £3k | £3k |
| GRC platform contract | £12k | £12k | £12k |
| Remediation (rushed-path uplift) | £8k – £14k | £1k | £1k |
| Internal champion time (0.5 FTE) | £25k | £12k | £12k |
| Year total | £75.5k – £87.5k | £35.2k | £35.2k |
Three-year TCO range: £146,000 – £158,000. The rushed-path penalty is visible across consultant days, remediation and internal time. Pushing the deadline back to 9 to 12 months would typically reduce year-one spend by 18 to 25 percent. See the cost drivers page for the rushed-path detail.
Where small firms commonly overpay
Three patterns of overpayment recur. Each represents a real saving when the context fits.
- Buying a full-spec GRC platform when a mid-tier one would do. For under-50 FTE first-time certification, the entry tier of most major platforms is sufficient. Top-tier features (multi-framework simultaneous certification, deep SSO integrations) frequently go unused. Saving: £3,000 – £6,000 / year.
- Hiring a full-time consultant when a 12-day engagement is enough. For SaaS-stack organisations with reasonable internal capability, 10 to 18 consultant days is typically sufficient. Long-engagement "consultant runs the project" pricing is rarely the right shape. Saving: £10,000 – £18,000.
- Picking a top-tier UKAS body when a mid-tier UKAS body would satisfy the customer. BSI carries a brand premium that not all customers require. For UK SaaS-to-SaaS sales, mid-tier UKAS bodies (NQA, Alcumus ISOQAR, BAB) are widely accepted. Saving: £1,500 – £3,000 / year.
The cheapest legitimate path
For an under-30 FTE firm with an internal champion, the cheapest legitimate first-time path is: existing SaaS-stack baseline, entry-tier GRC platform contract, mid-tier UKAS body, plus 5 to 10 days of advisor time at the design stage and around Stage 1. The year-one floor sits at roughly £8,000 to £12,000 excluding internal time, or £18,000 to £25,000 including a 0.2 FTE internal champion at £75/hour fully loaded.
Where to read next
For the calculator that takes your specific size and scope and returns a defensible budget, see the calculator. For the GRC platform context that is the largest swing factor at SME scale, see the tooling page. For the UKAS-versus-non-UKAS body decision that affects the audit-fee line, see the UK vs global page. For the consultant pathway choice, see the internal vs consultant page.