GRC platforms, evidence management and tooling cost ranges
What a GRC platform actually does
Modern GRC platforms (Vanta, Drata, Sprinto, Scytale, Secureframe, Comp AI) position themselves as one-stop ISO 27001 enablers. In practice the value distributes unevenly across what they offer.
| Capability | Typical platform value | What still needs people |
|---|---|---|
| Continuous evidence collection | High | Evidence interpretation, audit-day narrative |
| Control mapping across standards | High | Edge-case mapping decisions |
| Policy templates | Medium | Editorial work, organisation-specific tailoring |
| Integrations with cloud and SaaS | Medium to high (cloud-native) | Non-cloud-native systems, custom workflows |
| Automated risk assessment | Low | Risk register decisions, business-context judgement |
| Audit-day support | Medium | Auditor questions, evidence narration |
The pattern: platforms produce real savings on evidence collection and standards-overlap mapping. They do not produce savings on the parts of the ISMS that require human judgement. A budget paper that treats the platform as an end-to-end automation layer typically overstates the savings by 30 to 50 percent.
Typical contract values by company size
UK and US public reseller pages, partner-programme disclosures and practitioner reports converge on the following bands. Pricing models differ across vendors (per-employee, per-product, tier-banded), so the bands below are total annual contract value, not list price.
| Company size | Entry tier | Mid tier | Top tier |
|---|---|---|---|
| Under 50 FTE | £5,500 – £8,500 | £7,500 – £12,000 | £10,000 – £18,000 |
| 50 – 250 FTE | £12,000 – £18,000 | £18,000 – £28,000 | £28,000 – £45,000 |
| 250 – 1,000 FTE | £28,000 – £45,000 | £40,000 – £70,000 | £60,000 – £100,000 |
| 1,000+ FTE | £45,000 – £80,000 | £75,000 – £140,000 | £120,000 – £250,000+ |
Year-2 spend is broadly equal to year-1, sometimes with a small renewal increase. Multi-year contracts (2- or 3-year terms) typically carry a 10 to 15 percent discount. The largest swing factor outside company size is the number of frameworks bundled (ISO 27001 alone, versus ISO 27001 + SOC 2 + GDPR mappings).
Vendor positioning
A short editorial note on each of the major vendors. This is not a comparison grid (cluster anti-pattern); it is positioning context for the contract-value bands above.
Vanta
The broadest coverage and the premium positioning. Strong on US-led SaaS, increasingly strong UK presence. Tends to anchor at the higher end of the bands above. Wide framework support means the same subscription tends to absorb SOC 2 and ISO 27001 together, which can improve unit economics where multi-standard certification is in scope.
Drata
Engineering-led, strong integrations layer, mid-premium pricing. Particularly well-suited to engineering-heavy organisations where continuous evidence from cloud infrastructure is the primary value. UK contract values typically sit in the mid-tier band of the table above.
Sprinto
Cost-effective in the SME band, growing rapidly into mid-market. Strong content and SEO presence which keeps it visible. Pricing often anchors at the entry tier in the table above. Fit is best for under-100 FTE organisations pursuing first-time certification.
Scytale
Mid-market focus, strong on multi-framework engagements. Pricing tends to mid-tier. Particularly visible in UK and European mid-market accounts.
Secureframe
Enterprise-leaning positioning, broad framework support, premium pricing for the larger bands. Strong on US enterprise, growing UK presence. Pricing tends to anchor at top tier in the table above.
Comp AI and newer entrants
A wave of lower-cost entrants is reshaping the entry tier of the market. Capability gaps relative to incumbent platforms exist (integrations breadth, framework coverage), but for a small SME pursuing first-time certification at the price floor, these are worth evaluating.
When a platform pays back
The crossover with consultant-led implementation is the relevant decision. As a heuristic: at a £20,000 consultant equivalent and 50+ FTE, platform spend is justified. Below that, an in-house spreadsheet-and-Drive baseline plus light advisory support often wins on combined cost, with the trade-off that surveillance years two and three are harder to maintain without the platform.
What platforms do not solve
Four ISMS responsibilities sit outside what GRC platforms can automate. Understanding them prevents over-spending on a higher platform tier to compensate.
- Policy authoring beyond template adaptation. Templates produce structure; the substance still needs human writing.
- Risk-register decisions. The platform can host the register and track treatment; it cannot make the risk-treatment decision.
- Vendor management depth. Inventory yes; substantive supplier security review no.
- Post-audit remediation execution. The platform tracks open findings; it does not fix them.
Where to read next
For the consultant-versus-internal pathway decision that determines platform necessity, see the internal vs consultant page. For the multi-standard bundling case where platform value compounds, see the multi-standard page. For the wider cost-driver context, see the cost drivers page.