// Service Brief

ISO 27001 Compliance for ISMS Maturity and Certification Readiness

ISO/IEC 27001 helps organisations build a repeatable information security management system that auditors can verify and customers can trust. Primelo Cyber supports the complete journey from first gap review through certification and continual improvement.

// 01 — What ISO 27001 Is

The Standard, Scope, and How Size Affects Timeline and Budget

ISO/IEC 27001 is the international standard for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS). The current main edition is ISO/IEC 27001:2022, supported by ISO/IEC 27002:2022 guidance.

The standard requires a risk-based management system, leadership oversight, defined policies, measurable objectives, internal audits, management review, and evidence that controls are operating effectively. Annex A contains 93 controls grouped across organisational, people, physical, and technological themes.

What Certification Actually Involves

// 02 — Timeline and Investment

Typical Delivery Windows by Organisation Size

The ranges below are practical planning benchmarks for organisations starting from low-to-moderate maturity. Actual timelines and investment depend on existing controls, complexity, geographic footprint, cloud usage, regulatory overlap, and internal resource availability.

SMALL ORGANISATION

Up to 25 Employees

Typical timeline: 3 to 6 months to certification readiness.

Typical budget: GBP 15,000 to GBP 45,000 including consulting, readiness work, and certification audit fees.

GROWTH STAGE

26 to 100 Employees

Typical timeline: 4 to 8 months, with the longer end applying where tooling and process ownership still need formalisation.

Typical budget: GBP 35,000 to GBP 90,000 depending on multi-site scope and control maturity.

MID-MARKET

101 to 500 Employees

Typical timeline: 6 to 12 months with cross-functional work across engineering, IT, HR, legal, and operations.

Typical budget: GBP 70,000 to GBP 200,000 based on complexity, tooling uplift, and external support model.

ENTERPRISE

500+ Employees

Typical timeline: 9 to 18 months for global or highly regulated environments.

Typical budget: GBP 180,000+ with multiple entities, deep supplier dependencies, and strong evidence requirements.

Key Cost and Timeline Drivers

Scope Complexity

More locations, products, legal entities, and outsourced functions increase control mapping, evidence collection effort, and audit time.

Current Maturity

Teams with existing policies, risk management, and security operations progress faster than teams building governance from scratch.

Internal Capacity

Dedicated control owners and executive sponsorship reduce delays. Limited internal bandwidth usually extends project length and spend.

Technology and Evidence

Tooling for asset inventory, access governance, logging, and vulnerability management can materially improve audit readiness and reduce manual work.

// 03 — Primelo Cyber ISO 27001 Services

How Primelo Cyber Supports Full ISO 27001 Compliance and Certification

Primelo Cyber provides a structured delivery model designed to accelerate certification while building controls that remain practical after the audit window.

SERVICE 01

Gap Analysis

Detailed baseline review against ISO/IEC 27001:2022 clauses and Annex A controls. The output includes a quantified gap register, risk ratings, and a prioritised remediation roadmap.

SERVICE 02

Implementation Support

Hands-on support to design and embed required policies, procedures, risk workflows, technical safeguards, and evidence processes aligned to your operating model.

SERVICE 03

Internal Audit

Independent internal audit services to validate control effectiveness, identify nonconformities early, and ensure management review is fully audit-ready.

SERVICE 04

Full ISO 27001 Lifecycle Support

End-to-end advisory from scoping and readiness to certification body coordination, corrective actions, surveillance audit preparation, and ongoing improvement.
