ISO 27001 is no longer just for large enterprises. Mid-sized businesses, SaaS companies, professional services firms, and even small organisations are being pushed toward certification by clients, insurers, and procurement teams. And when those businesses look for help, the first call many of them make is to their MSP.
For MSPs this is a significant commercial opportunity. ISO 27001 engagements are high value, recurring, and sticky — clients don't switch compliance providers lightly once the programme is embedded. But delivering ISO 27001 well requires a structured approach, the right tooling, and a clear understanding of where the MSP role begins and ends.
This guide covers everything an MSP needs to know to deliver ISO 27001 as a profitable managed service.
Why MSPs are well positioned to deliver ISO 27001
ISO 27001 is fundamentally about managing information security risk across an organisation. MSPs already do a version of this — managing endpoints, networks, backups, patching, and access controls on behalf of clients. The infrastructure knowledge, the client trust relationship, and the technical credibility are already there.
What ISO 27001 adds is a management framework around the technical controls — documented policies, a risk register, an audit trail, supplier assessments, staff awareness training, and a formal certification process. MSPs who can wrap that framework around the technical work they're already doing are in a uniquely strong position to deliver the whole package.
The alternative for most clients is either doing it themselves on spreadsheets, which quickly becomes unmanageable, or engaging a specialist compliance consultancy at significant cost. An MSP that can offer a credible, affordable compliance managed service sits squarely between those two options.
What ISO 27001 actually requires
Before you can deliver ISO 27001 to clients you need to understand what certification actually involves. The standard requires an organisation to establish, implement, maintain, and continually improve an Information Security Management System — an ISMS. That involves several key components.
Risk assessment and treatment
The ISMS is built on a risk-based approach. The client needs to identify their information assets, assess the threats and vulnerabilities that could affect them, evaluate the likelihood and impact of those risks, and decide how to treat each one — mitigate, accept, transfer, or avoid. This becomes the risk register, which needs to be maintained and reviewed on an ongoing basis.
Annex A controls
ISO 27001:2022 includes 93 controls across four domains — organisational, people, physical, and technological. Not every control applies to every organisation. The client produces a Statement of Applicability that documents which controls are applicable, which are implemented, and the justification for any that have been excluded.
Mandatory documentation
ISO 27001 requires a specific set of documented information. This includes the information security policy, the risk assessment methodology, the risk register, the Statement of Applicability, the risk treatment plan, and records of various operational activities including internal audits and management reviews. Many clients will have none of this in place when they start the programme.
Internal audit and management review
Before the external certification audit, the client must conduct an internal audit of the ISMS and hold a management review with senior leadership. These are not optional — they are mandatory requirements of the standard and the certifying body will want evidence that both have taken place.
External certification audit
Certification is granted by a UKAS-accredited certifying body following a two-stage audit. Stage 1 is a documentation review — the auditor checks that the ISMS is properly designed and documented. Stage 2 is the implementation audit — the auditor verifies that the controls are actually working in practice. Certification is typically valid for three years, with annual surveillance audits in between.
How to structure your ISO 27001 managed service
The most effective way to deliver ISO 27001 as an MSP is to structure it as a phased engagement with a clear transition from the initial implementation project to an ongoing managed service.
Phase 1 — Gap analysis and scoping
The first phase involves understanding where the client currently stands against the standard. Conduct a gap analysis across all 93 Annex A controls and the mandatory clauses, agree the scope of the ISMS, and produce a prioritised remediation plan. This phase typically takes two to four weeks depending on the size and complexity of the client.
Phase 2 — Remediation and documentation
The second phase is where most of the work happens. Working through the findings from the gap analysis, you implement missing controls, write the mandatory documentation, configure systems, and build the evidence base. For most small business clients this phase takes between two and four months. The timeline depends heavily on how quickly the client can review and sign off documentation and complete actions on their side.
Phase 3 — Internal audit and certification
Once the remediation work is complete, conduct the internal audit, support the management review, and prepare the client for their external certification audit. Help them select a certifying body, brief them on what to expect, and be available to support them through the Stage 1 and Stage 2 audits.
Ongoing managed service
Post-certification the engagement transitions to an ongoing managed service. This typically includes maintaining and updating the risk register, conducting annual internal audits, supporting the annual surveillance audit, managing supplier assessments, distributing and tracking policy acknowledgements, delivering security awareness training, and responding to any changes in the client's business or the threat landscape that require updates to the ISMS. This is where the recurring revenue sits.
How to price ISO 27001 as a managed service
Pricing varies significantly depending on the size and complexity of the client, the scope of the ISMS, and how much of the work the MSP is doing versus the client. As a general framework, most MSPs structure their ISO 27001 offering in two parts.
The first is an implementation fee that covers the gap analysis, remediation, documentation, and certification support. For a small business this typically ranges from £5,000 to £15,000 depending on scope and complexity.
The second is a monthly managed service fee that covers ongoing maintenance, annual internal audit, surveillance audit support, and continuous compliance management. For small business clients this typically ranges from £500 to £2,000 per month depending on what's included.
The key principle when pricing is that your ongoing fee should reflect the genuine value of keeping the client audit-ready continuously rather than the cost of a scramble before each surveillance audit. Clients who understand the alternative — managing this themselves, or losing their certification — will recognise that value.
The tooling challenge
One of the biggest barriers for MSPs wanting to offer ISO 27001 is the tooling. Enterprise platforms like Vanta and Drata are designed for larger organisations and priced accordingly — typically £10,000 to £20,000 per year per client. That pricing makes it difficult to build a profitable managed service for small business clients.
Managing ISO 27001 on spreadsheets is technically possible but quickly becomes unsustainable at any meaningful scale. Tracking 93 controls across multiple clients, maintaining risk registers, collecting and storing evidence, managing supplier questionnaires, tracking policy acknowledgements — across separate spreadsheets for each client — is an administrative burden that grows linearly with every client you add.
The solution is a purpose-built platform that gives MSPs multi-tenant capability at a price point that works for small business clients. SnapGRC is built specifically for this use case — one dashboard to manage multiple client ISO 27001 programmes simultaneously, with controls tracking, evidence management, risk registers, supplier questionnaires, and policy distribution all built in. Rather than charging per user or per standard, SnapGRC uses flat pricing so MSPs can offer it to clients of all sizes without the cost scaling out of control.
If you're delivering or planning to deliver ISO 27001 as a managed service, book a free 20-minute demo to see how SnapGRC works for MSPs, or explore the SnapGRC knowledge base for more compliance guides.
Common mistakes MSPs make delivering ISO 27001
Understanding what to avoid is as valuable as knowing what to do. The most common mistakes MSPs make when delivering ISO 27001 for the first time are worth covering.
The most frequent is underestimating the documentation workload. Many MSPs are confident in the technical controls but underestimate how much time the mandatory documentation takes — particularly the risk assessment, Statement of Applicability, and operational procedures. Build more time into your project plan than you think you need.
Treating it as an IT project rather than a business programme creates problems down the line. ISO 27001 requires buy-in and active participation from senior leadership, HR, finance, and operations. If the programme is being driven entirely by the IT team without broader business engagement, the auditor will find it — and the certification attempt will fail.
Leaving evidence collection until the end is another common mistake. Evidence needs to be collected continuously as controls are implemented and operated. Trying to retrospectively gather evidence in the weeks before an audit is stressful, incomplete, and unconvincing.
Finally, failing to transition clearly to a managed service after certification leaves revenue on the table and clients under-supported. Make sure the ongoing managed service scope, deliverables, and fee are agreed as part of the initial engagement — not as an afterthought after certification.
Getting started
If you're an MSP considering adding ISO 27001 to your service portfolio, the best starting point is getting familiar with the standard itself and running your own gap analysis against it. Understanding what certification involves from the inside out makes you a far more credible and effective delivery partner for your clients.
The second step is getting the right tooling in place before you take on your first engagement — not after. Trying to manage your first ISO 27001 client on spreadsheets while simultaneously learning the standard is a recipe for a difficult first project.
SnapGRC offers MSPs a platform specifically designed for multi-client compliance delivery, with the commercial model to match. Get in touch to discuss how it works for your practice.