Choosing an ISO 27001 Certification Body
The certification body you choose affects your audit cost, certificate recognition, and the experience of the audit process itself. This guide covers what to look for and how major certification bodies compare.
Major Certification Bodies
BSI Group
UK | Global
Typical fee range: $8,000 to $25,000
One of the most widely recognised. UKAS accredited. Popular with UK, EMEA, and global organisations. Typically higher fees but strong brand recognition.
Bureau Veritas
France | Global (190 countries)
Typical fee range: $6,000 to $20,000
Strong industrial and manufacturing presence. Competitive pricing. Accredited by multiple national bodies. Good option for multi-standard organisations (ISO 9001, 14001 alongside 27001).
SGS
Switzerland | Global
Typical fee range: $6,000 to $18,000
One of the largest testing and certification companies worldwide. Competitive on price for SMBs. Broad sector coverage including technology, finance, and healthcare.
LRQA (Lloyd's Register)
UK | Global
Typical fee range: $7,000 to $22,000
Strong reputation in regulated industries. Known for rigorous audit process. Good for financial services and critical infrastructure organisations.
Schellman
US | North America, Europe
Typical fee range: $10,000 to $30,000
Specialist cybersecurity certification body. Also issues SOC 2 reports. Popular with US tech companies seeking both ISO 27001 and SOC 2 from a single auditor.
A-LIGN
US | North America
Typical fee range: $8,000 to $20,000
Specialist information security certification body. Strong in the SaaS and tech sector. Often bundled with FedRAMP, SOC 2, and PCI engagements.
Selection Criteria
UKAS / ANAB Accreditation
Critical: The certification body must be accredited by a recognised national accreditation body. In the UK this is UKAS. In the US it is ANAB. Without this, your certificate will not be accepted by most enterprise customers or regulatory bodies.
Industry Sector Expertise
Important: Choose a body with auditors experienced in your sector. A financial services firm benefits from a body with FS-sector auditors who understand the PCI-DSS context. A healthcare company needs auditors familiar with clinical workflows.
Geographic Coverage
Important: If you have multiple international locations, confirm the body can conduct on-site audits in all relevant countries with local auditors. Remote auditing reduces cost, but some certification bodies still require at least one on-site visit per location.
Pricing Transparency
Important: Request itemised quotes showing auditor day rates, travel expenses, certificate administration fees, and surveillance audit pricing. Some bodies quote low for Stage 1 and Stage 2 but charge heavily for annual surveillance.
Multi-standard Capability
Useful: If you plan to pursue ISO 9001, ISO 22301, or SOC 2 alongside ISO 27001, a body that handles multiple standards can reduce administrative overhead and sometimes offer combined audit discounts.
Auditor Continuity
Useful: Ask whether the same lead auditor will conduct both the Stage 1 and Stage 2 audits, and ideally your surveillance audits. Continuity reduces re-familiarisation time and is less disruptive for your team.
How to Get and Compare Quotes
- Get at least three written quotes before selecting a certification body.
- Ask each body to itemise Stage 1 days, Stage 2 days, travel, admin fees, and surveillance pricing separately.
- Confirm that the quoted auditors hold ISO 27001 lead auditor qualifications.
- Ask for references from similar-sized organisations in your industry.
- Confirm accreditation status directly on the national accreditation body website (UKAS.com or ANAB.org).