The top ISO 27001 consultants in the UK – according to founders
Based on feedback from dozens of UK companies we have put together the definitive list of UK’s top ISO 27001 consultants for startups and SMBs. If you want to get ISO certified and are looking for help – look no further.
A short introduction to ISO 270001
Before jumping right into the list of top consultants, lets briefly recap what ISO 27001 is and why it matters if you are a startup or SMB.
What is ISO 27001?
ISO 27001 is an internationally recognised standard for information security. It sets out a framework for organisations of any size to protect their information, based on an information security management system (ISMS) tailored to the certified company.
Why is ISO 27001 important?
Implementing ISO 27001 helps companies manage information security by addressing people, processes, and technology. ISO 27001 is globally recognised and as result provides a valuable certification to show customers and partners that you safeguard their data
Why has ISO 27001 become so popular recently?
With the explosive growth of business software in the last 5 years, companies are storing more and more data, even small to mid-sized companies. Data about their employees, suppliers, customers, financial data, market data and more. Regulation like GDPR and institutions like the ICO show that governments take it seriously protect their citizens from abuse of their data. While data security has been a topic mostly relevant for large enterprises 10 years ago it is now top of mind also for SMBs, resulting in growing demand for information security certifications like ISO 27001, SOC2 and CyberEssentials.
The shortlist of the best ISO 27001 consultancies
If you’re new to the world of information security or would benefit from expert guidance when implementing ISO 27001 there are a whole host of consultants to choose from. However, making the right choice is difficult. We’ve compiled a list of our top ISO27001 consultants based on reviews, recommendations and our experience
Inavate Consulting is a specialist ISO 27001 consultancy and cyber security practice. With over 200 independently audited ISO 27001 implementations they deliver practical and commercially advantageous cyber security strategies across all business sectors. They have specific focus on Hi-Tech startups and regulated markets including iGaming, Financial and Technology across the UK, European and US markets. Having successfully helped GoCardless achieve ISO 27001 certification (read more here) they are a great partner for fast paced start-ups to achieve certification
Residual Risk Management
Led by Garry Bridgewater & Kerion Barnes, Residual Risk Management has more than 30 years of combined industry knowledge and practical experience in managing non-financial risk areas across Asia, the Middle East, the Americas & Europe, making them a great choice for your ISO 27001 implementation. Residual Risk Management has adopted an Integrated Services Risk Management approach offering bespoke solutions covering the following areas:
- Health & safety
- Security (information & physical)
- Environment management standards (ISO, BSC, BSi)
- Business continuity & crisis management
- Facilities and fleet management
Evalian is a data protection and security services provider. They specialise in data protection compliance, GDPR, information security, penetration testing and ISO 27001 consultancy based across the UK. They have a broad range of clients from large multinational firms to start-ups, which means they’re well suited to helping you achieve certification. You can read up on some of their testimonials and case studies here
Blackmores was founded in 2006 by Melanie Blackmore and is based in Hertfordshire. They have a team of 14 consultants in the UK, plus 12 international associates, with backgrounds and expertise in quality, environmental and risk standards. Perfectly suited to help teams achieving ISO 27001 certification. You can check out their case studies, reviews and approach to ISO 27001 certification here . Blackmores also has a very handy ISO 27001 podcast that gives an overview of both their approach and the checklists & procedures you should have in place when going through certification. Take a listen here
AvISO Consultancy offers training and consultancy solutions for managing risk, compliance, and governance – this includes effective and efficient solutions to ISO certification requirements. They have an industry-leading reputation, and a 100% success rate with ISO Certification, and are recommended by all the major UKAS accredited Certification Bodies. They have offices around the UK and in Lisbon and have worked with companies of all sizes, helping the University of Oxford achieve ISO 27001 certification. You can read more of their reviews and case studies here . AvISO are also the only consultancy that we know of who provide access to free legal registers for all of the standards that they work on, which is a very useful resource when going through certification.
How to prepare for ISO 270001?
Besides building a tailored information security management system together with your consultant, you need to get your business systems set up to be able to comply with the requirements and Annex A controls, ideally without adding too much overhead.
ISO 27001 security controls: Device register and device security
From an IT perspective, you need to establish a central asset register for your company’s devices. Whether they are owned by the company, rented or BYOB devices, you need to be able to list all devices that access company data in one central register, in real-time.
On top of that, devices need to be protected to a reasonable degree in order to prevent sensitive data from leaking. For example, you may want to be able to apply company level security configurations such as password rules and encryption, remotely install antivirus software for new computers and be able to remotely lock a device in the unfortunate case of loss or theft.
ISO 27001 controls: Access management
You need to be able to monitor in real-time who has access to any computer system that holds potentially sensitive data. This spans all core business systems like HR, payroll, accounting and CRM but also productivity and communication tools like Google Workspace, Microsoft 365, Slack, Notion, Salesforce or AWS.
Also, you need to have a system in place for onboarding new joiners and offboarding leavers to make sure your record of access is always up to date.
ISO 27001 controls: Secure HR platform for employee data
Employee data is some of the most sensitive data you as a data controller possess and it is vital to store it securely – in order to comply with controls in Annex A7.
A modern HR system ensures that data is stored encrypted in the cloud, that your team members can see coworkers’ data only on a need-to-know basis (i.e. managers see more than non-managers) and that data does not leave the system unnecessarily, for example by viewing data and documents directly in the browser rather than having to export it into the computer or sharing it via email with others.
ISO 27001 Frequently asked questions
ISO 27001 vs SOC2: How do they differ?
Both the ISO 27001 standard and SOC 2 state that organisations only need to adopt a control if it applies to them, but the way they approach this differs slightly.
ISO 27001 focuses on the development and maintenance of an ISMS. In order to remain compliant, you must conduct a risk assessment, identify and implement security controls and regularly review their effectiveness.
SOC 2, is much more flexible. It comprises five Trust Services Principles: Security, Availability, Processing Integrity, Confidentiality and Privacy, but only the first of those is mandatory.
Overall, on the question of SOC2 vs ISO 27001, the former is easier and less expensive to implement and maintain, but it’s also less rigorous.
ISO 27001 vs Cyber Essentials: How do they differ?
The Cyber Essentials certification is required to be able to work with public bodies in the UK but is also very popular with private companies seeking to demonstrate data security.
While ISO takes a risk-adjusted approach, where you as a company can apply a certain level of judgement about the amount of risk related to a control, CyberEssentials has a more rigid approach.
For small companies this may result in a number of measure that have to be taken that in an ISO 270001 certification would have not been necessary due to a low amount of risk. For other companies however, for example larger enterprises, CyberEssentials may end up being less labour insensitive for the same reason.
We can recommend CyberSmart to help you get CyberEssentials Plus certified.
What are the ISO 27001 security principals?
The three ISO 27001 security principals are confidentially, integrity and availability of data. Together, these three principles help organisations adopt an Information Security Management System (ISMS) that will help minimise the chances of an information security breach as well as limit its impact (if it still happens).
Should I buy an ISO 27001 toolkit?
If you’re a new ISO 27001 lead implementor then purchasing an ISO 27001 toolkit could be a good way to help with your ISO 27001 training whilst keeping your ISO 27001 cost down. An ISO 27001 toolkit will typically contain a list of templates such as an ISO 27001 risk assessment that allow you to speed up your ISO 27001 implementation process. Whilst ISO 27001 toolkits can speed up the time before you get an ISO 27001 auditor into to asses your business, they won’t be sufficient by themselves to get your through ISO 27001 certification and you should be careful to avoid businesses that overpromise in this area.
What are the ISO 27001 benefits?
The main ISO 27001 benefit is that it provides your business with greater quality assurance and higher levels of trust for stakeholders.The ISO 27001 auditing process follows a rigid framework, which results in a business adopting a set of ISO 27001 controls that demonstrate that data is being handled with integrity. Furthermore, ISO 27001 certification demonstrates that strategies are in place to continually review data handling processes & policies.
What are the ISO 27001 controls?
The ISO 27001 controls (Annex A controls) are split into 14 categories and within those there are 114 controls that are outlined as tools for effective risk management. Each category of ISO 27001 controls can be attributed to a different area of your business and they’re not all IT related. They range from organisational , IT, HR, legal and physical controls. ISO 27001 controls are implemented to mitigate risks identified in an ISO 27001 risk assessment, which your ISO 27001 auditor will ask to see evidence for during your audit.
How much does ISO 27001 certification cost?
ISO 27001 certification costs can be broken down into a few elements. The first is the cost of ISO 27001 training. An ISO 27001 lead implementer course can be around £2225 with a company such as BSI, however, if you’re looking to keep the cost down, there is great free material from companies such as Advisera. The cost of an ISO 27001 toolkit would typically be into the low to mid hundreds of pounds.
The second cost to take into account is that of an ISO 27001 consultant, which would typically be around £140 per hour. On average a business may need anywhere from 24 – 160 hours of ISO 27001 consultancy work in order to achieve ISO 27001 certification. This would put the cost between £3360 – £22,400.
The ISO 27001 cost of auditing is typically based on the number of employees within an organisation. The range then depends on which ISO 27001 auditor you choose and how many on-site days and how many remote days they need to spend with your business to do their ISO 27001 auditing.
|Number of Employees||Estimated Cost|
|1 – 45||£3,750 – £7,500|
|46- 125||£8,750 – £10,00|
|126 – 425||£11,250 – £12,500|
|426 – 625||£13,750|
|626 – 875||£15,000|
|876 – 1175||£16,250|