Why Most ISO 27001 Projects Run Over Budget (And the Four Red Flags to Watch For in a Proposal)
Roughly 60 percent of ISO 27001 implementation projects in the UK come in over their original quoted budget. The overrun is usually 30 to 90 percent above the original number, with a median around 45 percent. The reason is almost never the quality of the work or the difficulty of the standard. The reason is a set of structural choices made at the proposal stage that make overrun predictable, however well-intentioned the consultancy is. This guide explains the four red flags that predict budget overrun, the contract structures that prevent it, and what to ask for at the proposal stage so that the number you sign for is the number you pay.
Red Flag 1: Hourly Billing or Day Rate Pricing. If a proposal quotes a day rate, an hourly rate, or an estimated number of days at a daily fee, it is not a fixed-fee proposal. It is an open-ended commitment with a number on the front page. Day-rate pricing transfers all scope risk from the consultancy to the client: every additional workshop, every revision cycle and every clarifying call adds to the bill. The fix is fixed-fee pricing tied to a defined deliverables list.
Red Flag 2: Vague Deliverables. Proposals that describe the engagement in process terms ("we will conduct a risk assessment and develop your policies") rather than in artefact terms (a risk assessment methodology, a risk register, a Statement of Applicability, a set of named policies) are setting up a budget overrun, because there is no agreed point at which a piece of work is finished. The fix is to demand a deliverables list with named documents, a document owner, a completion date and acceptance criteria for each.
Red Flag 3: No Named Lead Consultant. Proposals that do not name the specific consultant who will lead your engagement are quoting on a junior delivery model: the senior consultant in the sales meeting is not the consultant who will run your project. Junior consultants take longer to do the same work, escalate routine decisions to senior consultants who bill at a higher rate, and produce documentation that needs more rework after auditor feedback. The fix is to insist on a named lead consultant with stated credentials before signing.
Red Flag 4: No Certification Body Booking at Kickoff. Proposals that treat the certification body relationship as a separate workstream, to be started once the implementation work is complete, will slip the timeline. UKAS-accredited certification bodies are typically booked 8 to 12 weeks ahead, so a body approached at the end of implementation leaves the project idle, and often still paying for consultant time, while it waits for a slot. The fix is to require the named certification body and provisional Stage 1 and Stage 2 dates in the proposal itself.
Beyond avoiding the four red flags, three contract mechanics protect the client from budget surprises. First, fixed-fee pricing with a defined change order process: the total fee is stated in pounds, any change to scope is quoted separately in writing before work starts, and the client decides whether to accept or decline each change order. Second, milestone-based payment: payment is structured against project milestones rather than against time, with a typical schedule of 30 percent on signature, 30 percent on documentation completion, 30 percent on internal audit completion, and 10 percent on Stage 2 audit pass. The final 10 percent is what gives the consultancy an incentive to support the audit through to certification rather than stepping back once the documents are delivered. Third, a re-audit coverage commitment: the contract should commit the consultancy to closing any non-conformities raised at Stage 2 and supporting the re-audit at no additional consultancy fee (the certification body's own re-audit charges are a separate matter, and the proposal should say so explicitly rather than leave it to be discovered later).
A well-structured ISO 27001 implementation proposal for a UK technology business of 30 to 100 employees should include: a fixed total fee in pounds rather than an hourly rate or day count; a named lead consultant with stated credentials; a deliverables list specifying every artefact with completion criteria; the named UKAS-accredited certification body and provisional Stage 1 and Stage 2 dates; a milestone-based payment schedule with at least 10 percent withheld until certification; a written re-audit support commitment; and a clearly defined post-certification support period, typically 90 days. If the proposal in front of you does not contain these elements, the budget is unreliable regardless of how low the headline number looks.
The counterintuitive finding from running and reviewing dozens of ISO 27001 proposals over the last decade is that the cheapest quote is usually the most expensive engagement. The lowest quoted price typically reflects the loosest scope, the most aggressive change order regime, and the highest likelihood of overrun; the total the client pays by the end of the project is frequently 40 to 60 percent above the original headline. Mid-priced proposals from firms with named lead consultants, fixed fees, deliverables lists and milestone-based payment terms typically come in at exactly the quoted figure. They start higher on the headline but finish lower on the total.