What Does a Fractional CISO Cost in the UK? (2026 Guide)
If you’ve started looking into fractional CISO arrangements, you’ve probably noticed that nobody publishes rates. You get vague talk about “competitive pricing” and “tailored engagements” but no actual numbers.
This is my attempt to fix that. I’ll give you the real ranges, explain what moves the price, and give you the comparison you actually need: fractional versus a permanent hire.
What You’re Actually Buying
Before we get to numbers, it’s worth being clear about what a Fractional CISO engagement actually covers — because the answer affects the cost.
A Fractional CISO is not a security consultant who writes reports. That’s a different engagement model. A Fractional CISO is a part-time member of your senior leadership, operating as your de facto Chief Information Security Officer with all the accountability that implies.
In practice, that means:
Ownership of your security posture. Not advice about it. Actual ownership — setting strategy, making decisions, reporting to the board or CEO on risk.
Ongoing availability. Not just fixed project days. A good Fractional CISO is reachable when something happens — a supplier breach, an insurance questionnaire, a board request for a risk briefing.
Day-to-day security leadership. Reviewing controls, managing incidents, overseeing your IT team or MSP on security matters, making sure the work actually gets done.
External credibility. Being able to put a named CISO on a client questionnaire, a contract, or an audit scope. For mid-market businesses dealing with enterprise customers, this alone is often worth the fee.
That distinction matters because it separates fractional from project-based work, and the price reflects it.
Typical Cost Ranges in the UK Market
Here are the real numbers as of 2026, based on the UK market specifically:
Entry-level engagement: £2,500–£4,000/month
Usually one day a week, or a structured retainer. Covers governance, policy, and light-touch oversight. Right for smaller businesses (20–80 people) who need a documented security posture and someone accountable for it, but don’t have complex infrastructure or active compliance requirements.
Mid-range engagement: £4,000–£7,000/month
One to two days a week. This is the most common arrangement for UK SMEs between 80 and 300 people. Covers strategy, compliance (Cyber Essentials Plus, ISO 27001 readiness, GDPR accountability), board reporting, incident management, and oversight of your technical security team or MSP.
Higher-intensity engagement: £7,000–£12,000/month
Two to three days per week, or a fixed-scope intensive engagement (post-incident stabilisation, pre-acquisition security readiness, major compliance programme). At this level you’re getting something close to a full-time CISO presence without the full-time cost.
Some providers price by day rate rather than monthly retainer. In that case, expect senior Fractional CISO day rates in the UK to sit between £900 and £1,800 per day, depending on experience and specialism.
What Affects the Price
The same fractional CISO will charge differently for different engagements. Here’s what moves the number:
Days committed per month. The main variable. More days, more cost — but also more hands-on delivery versus purely strategic oversight.
Compliance scope. If you’re pursuing ISO 27001, preparing for a major enterprise audit, or navigating sector-specific requirements (financial services, healthcare, defence supply chain), the workload increases substantially. Expect to pay for it.
Incident history. Starting from scratch is easier than cleaning up after a breach or a failed audit. Post-incident engagements are more intensive and more expensive in the early months.
Organisation complexity. Fifty people in one office with a single cloud environment is a different engagement from 200 people across four countries with a mix of legacy systems, SaaS, and on-premise infrastructure.
Urgency. A phased 12-month engagement costs less per month than a 90-day sprint to get you through a due diligence process. You pay for speed.
Fractional vs Full-Time: The Real Comparison
A permanent CISO in the UK costs, on a fully-loaded basis:
– Base salary: £90,000–£160,000 (senior hire in London; less outside)
– Employer NI: ~13.8% on salary
– Pension contributions: typically 5–8%
– Benefits package: private health, life assurance, income protection
– Recruitment fees: typically 20–25% of first-year salary if using an agency
Add it up and a full-time CISO typically costs £130,000–£220,000 per year, all in, before you’ve counted their office space, equipment, management overhead, or the time it takes to find the right person.
A mid-range fractional engagement at £5,000/month is £60,000 per year. You get senior-level security leadership at roughly half the cost, with no recruitment risk, no notice period to serve, and the ability to scale the days up or down as your needs change.
For most UK SMEs, the only reason not to go fractional is that your security workload genuinely justifies full-time attention — and that usually means you’re above 500 people with a complex regulatory environment, an active threat landscape, or significant security-critical product development.
The Starting Point: A Discovery Audit
For most businesses, the right first engagement isn’t a retainer. It’s a Discovery Audit: a structured review of your current security posture that takes two to three days and produces a prioritised action plan.
It answers the question: where do we actually stand? It removes the uncertainty from any ongoing engagement that follows, and it’s the honest way to scope a fractional arrangement — you don’t know what you’re buying until you know what the problems are.
If you’re comparing providers, ask whether they’ll do a discovery engagement before committing to a retainer. If the answer is no, that’s a signal.
—
If you’d like to talk through what a fractional CISO engagement might look like for your business — scope, cost, timeline — see the services page or get in touch directly. I’ll give you a straight answer about whether it makes sense.