The service
ISO 27001 consultancy for UK organisations
A senior CyPro practitioner owns your programme from gap analysis to certificate: the ISMS built, the documents written, the internal audit done, and your team supported through the UKAS assessment. Fixed fees by headcount, published in full.
What you get
The four blocks of work
Gap analysis and roadmap
Where your ISMS stands against clauses 4 to 10 and all 93 Annex A controls, sequenced into a costed plan. If you only buy one week of help, buy this one.
ISMS design and build
Scope, risk methodology, Statement of Applicability, policies and the mandatory documents, built around how your organisation actually operates.
Control implementation
Hands-on help putting the selected Annex A controls in place, from access control and supplier management to logging and incident response, with your team or for them.
Internal audit and certification support
The independent clause 9.2 internal audit, management review preparation, then support through your certification body's Stage 1 and Stage 2 assessments.
The step-by-step journey, including where the certification body comes in, is on the process and timeline page.
The differences that matter
How this consultancy is built
The ISO 27001 market sells day rates, toolkits, platforms and audits, often from the same company. We deliberately sell one thing: readiness, priced fixed, independent of whoever certifies you.
UK-wide and remote-first, with on-site days where the work needs them, and London coverage as standard.
Fixed fees, not day rates
Our bands are published on the cost page and hold regardless of how many workshops it takes. A day-rate consultant has no incentive to finish; a fixed-fee one has no incentive to linger.
We are not the certification body
Certification is issued by the UKAS-accredited body you choose. Because we never mark our own homework, our documentation has to survive someone else's scrutiny, which is exactly the discipline you are paying for.
We are not selling a platform
No subscription rides along with our advice. If a compliance platform genuinely suits you, we will say so and work with it; the comparison page exists because we can afford to be straight about it.
Practitioners, not template couriers
The people on your programme run security operations, incident response and CISO services across CyPro's client base. Your ISMS is written by people who have operated one.
Quick answers
Consultancy questions, answered
What does an ISO 27001 consultant actually do?
Everything between deciding you need the certificate and holding it: gap analysis, ISMS design, documentation, risk assessment, control implementation, the mandatory internal audit and preparation for the certification body's assessments. The consultant does the thinking and drafting; your team makes the decisions only you can make.
Do we need a consultant, or can we do ISO 27001 ourselves?
Plenty of organisations self-implement with a toolkit, and for some it is the right call. The trade is your team's time, typically months of it, and the risk of documentation that does not match practice. Our route comparison sets out the year-one costs of all three approaches side by side.
How much does ISO 27001 consultancy cost?
Published UK analyses put consultancy-led readiness for organisations under 50 staff at roughly £8,000 to £15,000, rising with headcount. Our own fees are fixed by headcount band and published in full on the cost page, with the certification body's audit fee shown separately.
Do you work with organisations outside London?
Yes. The team is UK-wide and remote-first, with on-site days where the work genuinely needs them, typically the gap analysis kick-off and audit support. Location does not change the fee band.
Scope it properly
Put your programme in front of a practitioner
A free 45 minute scoping call maps your estate, your deadline and your band. You leave with a fixed fee whether or not you use us.