ISO 27001 consultants for first-time certification
We take UK SMEs from scoping to a UKAS-accredited certificate in four to six months — with transparent pricing, a reusable control set, and continuous evidence collection you keep after the audit.
Our approach
We run a single, opinionated certification path so nothing slips between strategy, implementation, and audit. Every deliverable is reusable across SOC 2, Cyber Essentials Plus, and NIST CSF.
Pragmatic, not theatrical
We install controls you will actually run, not a binder that collects dust after certification.
Evidence once, reused forever
Evidence flows into the Cyvex platform continuously so surveillance audits, SOC 2, and investor diligence all pull from the same source.
Senior consultants end-to-end
A named lead consultant runs your engagement from kick-off to Stage 2. No delivery handoffs.
Stage-gated timeline
1. Scoping & gap analysis (weeks 1–3): Define the scope of your ISMS, interview stakeholders, and benchmark current controls against the Annex A reference set.
2. Risk assessment & treatment plan (weeks 3–6): Run a Cyvex-led risk assessment, produce the Statement of Applicability, and agree a remediation plan with owners and dates.
3. Policies & controls build (weeks 6–12): Deploy policy templates, wire up evidence collection in the Cyvex platform, and operationalise access, change, and incident processes.
4. Internal audit & management review (weeks 12–16): Audit the ISMS internally, close non-conformities, and hold a management review to confirm readiness for the external audits.
5. Stage 1 & Stage 2 external audits (weeks 16–24): Support you through the certification body audits, respond to findings, and transition to ongoing surveillance support.
What drives the cost
Typical first-year investment for a UK SME is £18,000–£35,000, including consulting, policy set, internal audit, and the UKAS-accredited Stage 1 + Stage 2 external audit. Four factors swing the number:
Scope & number of locations
Multi-site, multi-entity scopes carry higher audit time and evidence overhead.
Headcount
Certification bodies price on FTE bands; larger teams mean more audit days.
Existing control maturity
If SOC 2 or Cyber Essentials Plus are already in place, reuse can cut consulting effort significantly.
Certification body
UKAS-accredited bodies charge different day rates; we help you shortlist the right one.
Frequently asked questions
How much does ISO 27001 certification cost?
For a typical UK SME (25–100 staff, single office, SaaS product) the first-year cost is usually £18,000–£35,000. That includes Cyvex consulting, the Statement of Applicability, policy set, internal audit, and a UKAS-accredited Stage 1 + Stage 2 audit. Annual surveillance audits from year two typically run £4,000–£8,000.
How long does it take to get certified?
Most clients complete initial certification in 4–6 months. Teams already running SOC 2 controls often reach Stage 2 in 10–14 weeks.
Do I need a dedicated information security manager?
You need a named ISMS owner, but it does not have to be full-time. Cyvex can act as your virtual CISO and manage the ISMS day-to-day if you prefer.
What happens after certification?
ISO 27001 is a three-year cycle with annual surveillance audits and a recertification audit in year three. Cyvex provides continuous evidence collection, policy reviews, and risk reassessments to keep you audit-ready year-round.
Can we reuse evidence from SOC 2 or Cyber Essentials?
Yes. We map controls across SOC 2, Cyber Essentials Plus, NIST CSF, and ISO 27001 so evidence collected once satisfies multiple audits.
Ready to scope your ISO 27001 programme?
Book a 30-minute scoping call. We will send a fixed-fee proposal within 48 hours, with a stage-gated timeline and named consultant.