ISO 27001 on a Budget: How Smaller Organisations Actually Get Certified

Standarity Editorial Team, ISO 27001 Lead Implementers

Search for ISO 27001 implementation cost and the numbers are alarming. Six-figure estimates are common, twelve-month timelines are the norm in many articles, and the underlying assumption is usually that the organisation will engage a large consulting firm with substantial billable hours. None of this is universally true. Smaller organisations get certified every year on much more modest budgets, with shorter timelines, often without external consultants. The pattern that works is not exotic; it is scoping honestly, sequencing deliberately, and resisting the upsell toward elaboration that the implementation does not need.

Scope Aggressively at the Start

The single most consequential cost lever is scope. A 200-employee company that certifies its entire estate spends meaningfully more than one that certifies the product engineering organisation and the systems supporting it. The standard explicitly permits scope to be defined to a subset of the organisation; the certification covers what is in scope. Expansion to additional scope is a future decision rather than a precondition for the first certificate. Aggressive initial scoping is not a workaround — it is the correct way to manage implementation risk and cost.

Use the Templates That Already Exist

Most of the ISMS documentation a smaller organisation needs — information security policy, risk methodology, statement of applicability, asset inventory, supplier management — exists as templated material. The work is not in writing them from scratch; it is in customising templates to reflect the organisation's actual practice. Consulting firms charge significantly for the writing. Reasonable templates from existing implementations, training providers, or the standard's informative annexes give a smaller organisation 80% of the document estate at a fraction of the cost.

Where External Help Pays Back

Not every part of the implementation should be in-house. A risk assessment workshop facilitated by an external practitioner is often higher quality than one run internally for the first time. A pre-certification gap assessment by someone who has been through Stage 2 audits before catches issues that internal review will miss. A lightweight retainer for questions during implementation costs much less than a full consulting engagement and gives the internal team access to external experience at exactly the points where it matters.

A common pattern: an organisation engages a consulting firm for the entire implementation, the firm produces a comprehensive ISMS that is well-documented but never operationalised by the internal team, and certification audit findings cluster around evidence that the controls actually run. The audit team can tell when the ISMS belongs to a consultant rather than to the organisation. Internal ownership with selective external help reliably produces stronger certifications than external delivery with internal acceptance.

Pick a Certification Body That Fits Your Size

Certification body pricing varies more than expected. The largest brands carry premium pricing that smaller organisations rarely need. Accredited but smaller certification bodies offer the same certificate against the same standard at materially lower cost. The choice matters mostly when major enterprise customers have a list of accepted certification bodies — in which case picking from that list is a procurement decision. Otherwise, any UKAS / ANAB / IAF-MLA accredited body produces a certificate that is recognised internationally.

The Components That Actually Take Time

  • Risk assessment that genuinely covers the in-scope environment, not a generic template
  • Statement of Applicability customised to the organisation's actual control set
  • Implementation of any controls that do not currently exist (typically a smaller list for digital-native orgs)
  • Internal audit programme, with at least one round before Stage 2
  • Management review with documented decisions
  • Training and awareness — required by the standard, often underweighted
  • Evidence collection that supports each control claimed as implemented

Realistic Cost and Timeline

For a 50-200 person digital-native company with an existing security baseline, a scoped ISMS implementation often runs 4-7 months of effort with a fractional security lead, modest external help, and certification audit fees in the low-to-mid five figures. The total spend is meaningfully less than what large-consulting estimates suggest. The certification produced is the same certificate as the one a larger implementation produces, and it satisfies the procurement requirement that drove the implementation in the first place. The honest budget question is not how much certification costs; it is how much certification costs when implemented with discipline at the scope the organisation actually needs.