ISO 27001 Consultancy
Most ISO 27001 projects start because a client or procurement team has demanded it, often with a deadline already running. We take UK organisations from no ISMS to certified in under six months. Fixed pricing from £8,000. Our consultants hold ISO 27001 themselves.
We take you from no ISMS to certified. Fixed-price.
ISO 27001 consultancy is a specialist service guiding organisations through every stage of certification: gap analysis, ISMS design, risk assessment, internal audit, and Stage 2 certification body liaison. Our consultants hold the certification themselves and have supported organisations through BSI, NQA, and Alcumus ISOQAR audits.
ISO 27001 Implementation
Services
Every phase of ISO 27001 implementation, from your first gap analysis through to Stage 2 certification. Our UK consultants hold ISO 27001:2022 themselves and have supported organisations through BSI, NQA, and Alcumus ISOQAR audits.
Gap Analysis & Readiness Assessment
We assess your organisation against every clause (Clauses 4-10) and all 93 Annex A controls in ISO 27001:2022. Gaps are scored by severity and effort. You receive a gap report with a prioritised remediation roadmap and a realistic timeline to certification: not a template, but a working document specific to your scope.
ISMS Design & Implementation
We design your ISMS framework from the ground up: scope definition, risk assessment methodology (aligned to Clause 6.1.2), Statement of Applicability, information security policies, and procedures. Typical output is 15-25 policy and procedure documents. We use ISO 27001:2022 Annex A as the control reference, structured across four categories: organisational (37 controls), people (8 controls), physical (14 controls), and technological (34 controls).
Risk Assessment & Treatment
A structured risk assessment aligned to ISO 27001 Clause 6.1.2, identifying threats and vulnerabilities across your information assets. We produce a risk treatment plan with proportionate controls mapped to Annex A, risk acceptance criteria, and named control owners: exactly the evidence a certification body will expect to see.
Internal Audit & Management Review
We conduct a full internal audit against ISO 27001:2022 Clauses 4-10 and all applicable Annex A controls, then facilitate the management review meeting (Clause 9) before your certification body visits. You will have the internal audit report and management review minutes your Stage 1 auditor expects.
Certification Body Liaison
We support Stage 1 (documentation review) and Stage 2 (implementation audit) with your chosen UKAS-accredited certification body: BSI, NQA, Alcumus ISOQAR, Bureau Veritas, or others. Our consultants attend both audits alongside your team. Where nonconformities are raised, we lead the corrective action response.
Engagement Workflow
Structured to minimise operational friction and maximise the value of the testing window.
Gap Analysis
We assess your organisation against every clause and Annex A control in ISO 27001:2022. You receive a detailed gap report with a prioritised remediation roadmap and realistic timeline to certification. Deliverable: Gap report with clause-by-clause and control-by-control assessment, effort estimates per gap, and a project plan to certification.
ISMS Build
We design your ISMS framework: scope definition, risk assessment methodology, Statement of Applicability, information security policies, and procedures. All documentation is tailored to your organisation, not generic templates. Deliverable: Scope statement, risk assessment methodology document, initial Statement of Applicability, and core policy suite (typically 15-25 documents).
Implementation & Training
We implement controls across your organisation, deliver staff awareness training, and embed information security into your business processes. Risk assessments and treatment plans are completed during this phase. Deliverable: Completed risk register, risk treatment plan, asset register, control implementation evidence, and staff awareness training records.
Audit & Certification
Internal audit, management review, and full support through Stage 1 (documentation review) and Stage 2 (implementation audit) with your chosen UKAS-accredited certification body: BSI, NQA, Alcumus ISOQAR, or Bureau Veritas. Deliverable: Internal audit report (Clause 9), management review minutes, nonconformity responses if raised, and ISO 27001:2022 certificate.
Situations We See Regularly
Most ISO 27001 projects are triggered by one of these four scenarios. If any apply, you are in the right place.
What if we are too small?
ISO 27001 is not just for large organisations. We regularly certify companies with 20-30 employees in professional services, SaaS, and technology, particularly where enterprise clients or government procurement require it. Scope definition determines the size of your ISMS, not your headcount.
What if we have already started in-house?
If you have an existing ISMS, even a partial one, our gap analysis will identify what you have, what is missing, and what can be retained. We work with what you have built rather than replacing it. Many clients engage us mid-project to rescue timelines or prepare for a specific audit date.
What if we are on the 2013 version?
All new certifications must now be against ISO 27001:2022. If you are currently certified to the 2013 standard, the transition deadline has passed and you are now overdue. We conduct a transition gap analysis and produce the updated documentation for your next surveillance or recertification audit.
What if we have a client deadline driving this?
This is the most common scenario. We have taken organisations from no ISMS to certified in under six months. Tell us your deadline at the first call and we structure the project plan around your date, including certification body booking timelines.
ISO 27001 Certification Cost UK
ISO 27001 certification has two cost components that are often conflated: consultancy fees and certification body audit fees. All consultancy quotes are fixed-price: no day rates, no scope creep, no hidden extras.
Certification body audit fees are separate. Expect £3,000-£8,000 for a UKAS-accredited body (BSI, NQA, Alcumus ISOQAR) depending on scope, with annual surveillance audits at £1,500-£3,000. Fixed-price quotes are provided after an initial scoping call.
Maintaining Your ISMS After Certification
ISO 27001 certification is the start, not the finish. Annex A controls 8.15 (logging), 8.16 (monitoring), and 5.37 (documented operating procedures) require active security operations after certification. Our SOC and MDR services provide the continuous monitoring your ISMS requires, keeping your Annex A evidence current for annual surveillance audits.
SOC / 24/7 Monitoring
Annex A 8.15-8.16 evidence. Continuous monitoring for your ISMS.
Managed Detection & Response
Continuous threat monitoring across your endpoint and cloud environment.
Penetration Testing
Annual Annex A requirement. CREST-certified testing for your ISMS evidence.
Cyber Essentials
Government contract eligibility. Pair with ISO 27001 for full compliance coverage.
Full Penetration Testing Catalogue
Comprehensive penetration testing services tailored to your environment.
Internal Testing
Post-perimeter assessments targeting Active Directory, lateral movement, privilege escalation, and segmentation validation from inside your network.
Ready to start your ISO 27001 project?
Book a free scoping call. We assess your current maturity, confirm scope, and provide a fixed-price quote within 48 hours. No obligation. No day-rate surprises.
ISO 27001 Consultancy: Frequently Asked Questions
Pricing, timelines, requirements, and how to choose the right consultant.
ISO 27001 consultancy typically costs between £8,000 and £25,000 depending on organisational size, scope complexity, and current security maturity. A standard implementation for a UK SME (50-150 employees) averages £12,000-£15,000 for full consultancy from gap analysis through to successful certification. Smaller organisations (under 50 employees) with simple scope typically invest £8,000-£10,000. Larger or more complex organisations (150+ employees, multiple locations, complex IT infrastructure) typically require £18,000-£25,000. Certification body audit fees are separate and range from £3,000-£8,000 depending on scope. We provide fixed-price quotes after an initial scoping call to understand your specific requirements.
ISO 27001 certification costs in the UK have two separate components: consultancy fees and certification body audit fees. Consultancy fees cover the implementation work, gap analysis, ISMS design, risk assessment, documentation, internal audit, and support through the certification audit. For UK organisations, expect £8,000-£25,000 depending on scope. Certification body audit fees are charged separately by a UKAS-accredited body (BSI, NQA, Alcumus ISOQAR) and typically range from £3,000-£8,000 for initial certification, with annual surveillance audits at £1,500-£3,000. Total first-year cost for a standard UK SME is typically £14,000-£23,000.
ISO 27001:2022 requires organisations to establish, implement, maintain, and continually improve an Information Security Management System (ISMS). The mandatory clauses cover: organisational context (Clause 4), leadership commitment (Clause 5), planning and risk assessment (Clause 6), resource and competence (Clause 7), operational controls (Clause 8), performance evaluation and internal audit (Clause 9), and continual improvement (Clause 10). Additionally, organisations must select applicable controls from Annex A (93 controls across four categories) and document their choices in a Statement of Applicability.
ISO 27001 is the international standard for information security management systems (ISMS). It provides a systematic framework for managing sensitive company information, ensuring confidentiality, integrity, and availability. The current version is ISO 27001:2022, which includes 93 controls across four categories in Annex A.
For most UK SMEs, the process from gap analysis to certification takes 3-6 months depending on your starting maturity, organisational size, and scope. Month 1-2: Gap analysis and ISMS build. Month 2-4: Implementation, controls, and staff awareness training. Month 4-5: Internal audit and management review. Month 5-6: Stage 1 and Stage 2 certification audit. Organisations with existing security policies and processes often achieve certification faster. We provide a realistic timeline during the initial gap analysis and structure the project around your deadline.
Yes. The transition deadline for ISO 27001:2013 to ISO 27001:2022 was October 2025. Organisations still holding 2013 certifications are now technically non-compliant with the current standard. Any new certification must be against ISO 27001:2022. Organisations with 2013 certifications should plan their transition audit with their certification body and engage a consultant to update their ISMS documentation, including mapping to the new Annex A structure and implementing the 11 new controls introduced in the 2022 revision.
When selecting an ISO 27001 consultant, look for: (1) the consultancy holds ISO 27001 certification for its own operations, since they should practise what they recommend; (2) named experience with your preferred certification body (BSI, NQA, Alcumus ISOQAR); (3) fixed-price proposals rather than open-ended day rates; (4) sector-specific experience if you are in a regulated industry (financial services, healthcare, government supply chain); (5) references or case studies from organisations of similar size and scope. Avoid consultancies that offer guaranteed certification: the certification body makes the decision, not the consultant.
Technically yes, but it is significantly harder and often more expensive in hidden costs. DIY implementation typically takes 12-18 months (versus 3-6 months with consultancy), requires significant internal resource allocation, and has higher failure rates at certification audit. Common pitfalls include over-engineering the ISMS with unnecessary documentation, misinterpreting clause requirements, incomplete risk assessments, and inadequate evidence collection. For organisations with dedicated internal compliance expertise, we offer light-touch consultancy packages for guidance and review rather than full implementation.
No. ISO 27001 requires you to assess which controls are applicable through a Statement of Applicability (SoA). You must justify any exclusions based on your risk assessment. Most organisations implement the majority of controls but can exclude those genuinely not applicable to their scope.
Yes. Precursor Security holds ISO 27001 certification for our own operations, as well as ISO 9001 and Cyber Essentials Plus. Our consultants have implemented and maintained the same systems they help clients build.
ISO 27001 certification is valid for three years, subject to annual surveillance audits by your certification body. We provide ongoing support including internal audit services, management review facilitation, and continual improvement guidance to maintain and strengthen your ISMS. Annex A controls 8.15 (logging) and 8.16 (monitoring) require active security operations after certification.
Cyber Essentials covers five baseline technical controls and is primarily a self-assessment or technical audit. ISO 27001 is a comprehensive management system standard covering governance, risk management, policies, people, processes, and technology. Enterprise clients and regulated industries increasingly require ISO 27001 as a supply chain prerequisite. Many organisations pursue both: Cyber Essentials for government contract eligibility, ISO 27001 for enterprise supply chain assurance and comprehensive security governance.