Most consultants would rather walk barefoot on Lego than tell you their prices upfront. We're different. We believe you shouldn't need a secret handshake, three reference calls, and a 90-minute "discovery session" just to find out what ISO 27001 might cost.

WELCOME TO PRICING THAT DOESN'T REQUIRE A DECODER RING

Trusted by

Startups & Scaleups

"We've been working with ISO Serious since mid last year, and they’ve been nothing short of phenomenal. They truly get startups and instantly understood what Gocertify was about and how to create an ISMS that worked for us. When I said I wanted to build our ISMS in Notion, it was no problem for them - they were flexible, supportive, and fully on board. Thanks to their expert guidance, we passed our certification with zero non-conformities and crucially have a security system that works and is going to grow with us. Honestly, they’re just epic to work with."

Josie Morrison, Operations Lead, Gocertify

"Working with the ISO Serious team has been fantastic. They’ve demystified the process, breaking it down into manageable steps and guiding us through it with practical, collaborative workshops. It’s made something that felt complex feel achievable. As an early-stage company, we’ve especially appreciated their flexibility, speed, and support. We’d highly recommend them to anyone tackling new standards or accreditations."

Brian Snyder, COO, AIDE Health

HOW OUR PRICING WORKS

We base our prices primarily on your company size and complexity, because - shockingly - securing a 200-person top secret defence-tech business takes more work than a 10-person startup selling quirky t-shirts made from the recycled tracing paper of failed art students. Within each size category, we provide a range because every business is unique. Your actual price depends on factors like how complicated your IT setup is, whether you're in a highly regulated industry, and if you need certification at warp speed.

THE MONEY-BACK GUARANTEE (YES, IT'S REAL)

If you don't pass certification because of something we did (or didn't do), you get your money back. Not store credit. Not a discount on your next purchase. Actual money, back in your account. Why? Because we believe consultants should be accountable for results, not just billable hours. Radical thinking in consulting circles, we know.

FIND YOUR SIZE, FIND YOUR PRICE

YOUR COMPANY SIZE: WHAT YOU’LL LIKELY PAY

  • Tiny But Mighty, 1–10 employees (We know your CTO is also the CEO and makes the tea): £8,000 – £12,000

  • Small But Serious, 11–20 employees (You probably have actual job titles now): £10,000 – £14,000

  • Medium and Motivated, 21–50 employees (You’re too big for a WhatsApp group): £12,000 – £16,000

  • Properly Professional, 51–100 employees (You have an org chart and everything): £14,000 – £18,000

  • Genuinely Growing, 101–150 employees (You’ve probably got an HR department by now): £16,000 – £20,000

  • Substantially Sizeable, 151–200 employees (People have started using the word “enterprise”): £18,000 – £22,000

  • Extremely Impressive, 200+ employees (You probably have a procurement team looking at this): £20,000+

*Somewhere between £20k and ONE MILLION DOLLARS.

WANT SOMETHING DIFFERENT?

THE BARE NECESSITIES PACKAGE

For DIY enthusiasts with some internal resources. Includes templates, guidance, and our good wishes.

Roughly 25–30% less than the range above.

(We’ll give you the map and compass, but you’re driving the car)

THE ALL–IN EXPERIENCE

For those who want the VIP treatment with 12 months of post-certification support.

About 80–100% more, but it fixes the price for a whole year!

(Like having a security co-pilot for a full year, plus some sparkling wine)

NEED BOTH ISO 27001 AND SOC 2?

Let’s talk. We can make this much more efficient than doing them separately.

(Life’s too short to duplicate security work)

THE SMALL PRINT THAT'S NOT ACTUALLY SMALL

  • External audit costs aren't included in these prices (we can’t certify you ourselves even if we wanted to - that has to be done externally)

  • These prices are for the bog-standard approach to getting ISO 27001 (see the "What's Included" section)

  • VAT will be added at the standard rate (sorry, can't fix that one)

  • Prices are a rough guide - and we may decide to update this document from time to time as costs evolve

  • Your quoted price may be above or below the estimates we’ve shared - e.g. if you’re very complex, very behind, and need certification by next week, you might come in above the estimated price range we’ve shared

WHAT AFFECTS YOUR PRICE? (THE HONEST TRUTH)

INDUSTRY MATTERS (SOME ARE JUST MORE COMPLICATED)

Healthcare: Comes with a side of additional patient data protection requirements.

Impact: Puts you closer to the upper end (but saves you from potential GDPR nightmares)

Financial Services: Where money and regulation go hand in hand.

Impact: Pushes the price up a bit (but helps you avoid those pesky FCA fines)

Defence/Government: Where "top secret" isn't just something in spy films.

Impact: Makes it likely to be at the top of the range (but better than explaining a security breach to the MOD)

Technology/SaaS: Generally straightforward unless you're handling particularly sensitive data.

Impact: Standard pricing (lucky you!)

HOW COMPLICATED IS YOUR IT SETUP?

"We're all in the cloud, mate" - Simplest scenario

Impact: You might fall at the lower end of your price range (congratulations on your good life choices)

"We've got a bit of cloud, some on-premise, and Dave's old server in the cupboard" - Mixed environment

Impact: Middle of the range (we'll help sort out Dave's server too)

"It's a complex hybrid environment built up over 15 years with legacy systems nobody understands anymore" - Complex

Impact: Upper end of your range (but think of the stories you'll be able to tell)

YOUR CURRENT SECURITY POSTURE

"Security? We've got a password on the WiFi" - Starting from scratch

Impact: Upper end of the range (we'll be building from the ground up)

"We do some security things, but it's not very organised" - Some foundations

Impact: Middle of the range (we'll bring the method to your madness)

"We're fairly organised, just need the certification to prove it" - Good foundations

Impact: Lower end of the range (you smart cookie, you)

HOW QUICKLY DO YOU NEED THIS?

"Standard timeline (4-6 months)" - The sensible approach

Impact: Standard pricing applies (we like you already)

"Yesterday, if possible" - The ambitious approach

Impact: Upper end (we'll need extra coffee and possibly time travel)

"We've got a big client pitch next month and need to at least show progress" - The pragmatic approach

Impact: We can work with that (and might even make you look like heroes)

GEOGRAPHIC SPREAD

"We're all in one office in Croydon" - Simple

Impact: Simplest scenario (lucky you)

"We've got offices in London, Manchester, and Edinburgh" - UK-based

Impact: Slight complexity (but nothing we can't handle)

"We've got people all over the world and nobody knows where half of them work from" - Global

Impact: Upper end of the range (but we'll make it work no matter where your team hides)

Most companies fall somewhere in the middle of their size-based price range. But if you've got multiple complicating factors above, you might be at the upper end. If you're a simple setup with good foundations, you might be pleasantly surprised.

WHAT YOU ACTUALLY GET (NO FLUFF, ALL SUBSTANCE)

THE GOLDILOCKS PACKAGE: NOT TOO MUCH, NOT TOO LITTLE - JUST RIGHT FOR GETTING ISO 27001 CERTIFIED

BEFORE WE START

  1. A sigh of relief that you've found consultants who speak proper English

  2. The blissful release of knowing your consultants also genuinely understand startups and scaleups (and have all worked in them for years)

  3. The realisation that this won't be the bureaucratic nightmare you feared

  4. Permission to use the word "ISMS" at the pub (we'll teach you how)

THE HEAVY LIFTING (WE DO THIS PART)

  1. Onboarding workshops that won't make you want to pull the fire alarm

  2. A risk assessment that actually reflects YOUR business (not copied from the last client)

  3. Policies people might actually read (revolutionary, we know)

  4. Management meetings that stay on topic and end in time for tea

  5. Pre-certification audit where we find the issues before the real auditors do

  6. Unlimited support - answering all of your panicked "Is this normal?" questions

  7. Someone to hold your hand during the external audit (metaphorically... unless requested)

  8. 24/7 breach line (because security incidents never happen during office hours)

THE PAPERWORK (BECAUSE AUDITORS LOVE PAPER)

  1. All the documentation with none of the consultant-speak

  2. An Information Security Policy that makes sense to non-security people

  3. Risk documents that help rather than confuse

  4. Evidence that doesn't require making it all up

  5. No unnecessary 200-page manuals that nobody will ever read

AFTER YOU'RE CERTIFIED

  1. 30 days of post-certification support as you adjust to life as a security-conscious organisation (longer if you want!)

  2. Guidance on maintaining your certification without it becoming a second job

  3. The ability to stop saying "we're working on it" when clients ask about your security

AFTER YOU'RE CERTIFIED

  1. The joy of ticking "yes" on those security questionnaires

  2. The confidence to talk about your security posture without crossing your fingers

  3. The sweet, sweet feeling of winning deals that previously stalled on security

  4. Security awareness that doesn't involve scary stock photos of hooded hackers

QUESTIONS? CONCERNS? EXISTENTIAL DOUBTS?

Email: tom@isoserious.com

Phone: 01634 558841

Carrier pigeon: Please don't, they make a mess