Pricing that reflects the risk we remove
Ledger Audits prices on value, not hours. Here is where each engagement starts, what drives the number, and how to think about it against the cost of a failed or delayed audit.
Gap Sprint
Fixed scope. Typical range $10,000 to $40,000.
- Gap assessment vs. SOC 2 TSC or ISO 27001 Annex A and SoA
- Control matrix and evidence-requirements map
- Scope and system-description review
- Prioritized remediation roadmap
Evidence Engine
Or $15,000 to $28,000 per quarter.
- Operating-effectiveness monitoring across the window
- Evidence repository with chain of custody
- Monthly or quarterly reviews and gap closure
- Mock fieldwork dry run and auditor liaison
Assurance Program
Typical range $60,000 to $150,000+.
- Annual ISO 27001 Clause 9.2 internal audit program
- Multi-cycle audits and management review support
- Stage 1, Stage 2, and surveillance prep
- Annual readiness statement to leadership
All figures in US dollars and confirmed per engagement. We localize to GBP, EUR, AUD, and AED for clients in the UK, EU, Australia, and the UAE.
What drives the price
Two companies pursuing the same framework can sit at very different points in these ranges. The honest drivers are:
- Scope. The number of products, environments, and entities in your audit boundary, and which Trust Services Criteria or Annex A controls apply.
- Framework and type. A SOC 2 Type II across a long window, or a multi-framework ISO program, takes more than a single Type I.
- Starting maturity. Thin documentation, no GRC platform, or a prior failed audit means more to verify and remediate.
- Cadence. A one-time assessment costs less than a retainer that keeps you ready across a whole period.
How to think about it
For context, the market puts a SOC 2 readiness assessment anywhere from roughly $4,000 to $25,000, and full ISO 27001 consultancy at £10,000 to £40,000 in the UK or AUD 30,000 to 80,000 in Australia. We sit at the premium end of that range on purpose, because the alternative is cheaper. A qualified opinion or a delayed certificate does not just cost the re-audit. It costs the enterprise deal the report was meant to unlock, and recovery from a qualified opinion typically takes six to twelve months. Priced against that, genuine readiness is the inexpensive option.
What you never pay for
We do not bill for attestation or certification, because we do not do it. We provide readiness and internal-audit work only. You engage an independent CPA firm or accredited certification body for the report or certificate itself.
Pricing, answered
How much does a SOC 2 readiness assessment cost?
Our fixed-scope Gap Sprint starts at $10,000, typically $10,000 to $40,000 depending on the size of your environment and the framework. The wider market ranges from about $4,000 to $25,000 for readiness alone, and we sit at the senior-led, fully-verified end of that range.
How much does an outsourced ISO 27001 internal audit cost?
Our Assurance Program, which includes the annual Clause 9.2 internal audit program and continuous assurance, starts at $60,000 per year. A single internal audit cycle can be scoped on its own.
How much is the Evidence Engine retainer?
From $5,000 per month, or $15,000 to $28,000 per quarter, scoped to your audit window and environment.
Do you offer fixed pricing?
Yes. The Gap Sprint is fixed scope and fixed fee. Retainers are billed monthly or quarterly in advance. Every figure is confirmed in writing before we start.
Do you price in local currency?
We quote in US dollars and localize to GBP, EUR, AUD, and AED for clients in the UK, EU, Australia, and the UAE. Pricing reflects value and risk avoided, not hourly rates.
Book a discovery call
Tell us your framework, scope, and timeline, and we will send a fixed, written figure within one business day.