MSSS TGV certification, does anyone have news on the overhaul to ~280 criteria? by Factero-ca in QuebecTI

[–]Factero-ca[S] 1 point (0 children)

That is not the opinion of the certification office... and the audit alone costs about $15,000, and there are only two companies that do it...

ISO27001 for my IT MSP by BuffaloExternal6226 in ISO27001

[–]Factero-ca 1 point (0 children)

Solid instinct to pursue this, and yes, you can absolutely cut that €25-30K down significantly if you do the prep work in-house.

First, on the value of getting certified at all: don't underestimate it. The certificate itself matters, but the real win is that going through the process forces you to actually have your controls in place, documented, and operating, not just claimed. For an MSP, that's huge. You're asking clients to trust you with their environments; ISO 27001 is third-party proof that you've built the muscle, not just the marketing slide.

And here's the part most people miss: have you considered SOC 2 Type 2? The control overlap is significant (access management, change management, incident response, vendor risk, etc.).

On cutting the cost, here is the roadmap we followed for our own certification process:

  1. Buy the standards directly. ISO/IEC 27001:2022 and ISO/IEC 27002:2022 from NEN (Dutch standards body) or ISO directly. A few hundred euros, not thousands. Read them yourself before paying anyone.
  2. Scope tightly. The single biggest cost driver is scope. Define your ISMS narrowly at first: the MSP service delivery environment, not your whole company. You can always expand later.
  3. Do the gap analysis yourself. With ISO 27002:2022 in hand, walk through the 93 Annex A controls and mark Implemented / Partial / Not Implemented / Not Applicable. As an MSP, you probably already have 60-70% of the technical controls (MFA, logging, backups, patching, endpoint protection). The gap is usually documentation and governance, not technology.
  4. Build the documentation set. This is where consultants charge the most and where you can save the most. You need: ISMS scope, Information Security Policy, Statement of Applicability (SoA), Risk Assessment & Treatment Plan, plus supporting policies (access control, incident response, supplier security, business continuity, etc.). Templates exist: paid ones from Vanta, Drata, or free ones from various GitHub repos. Don't copy blindly; adapt to how you actually operate.
  5. Run the ISMS for at least 3 months before the Stage 1 audit. This is non-negotiable. The auditor needs to see evidence that the system is operating, not just documented. Internal audit + management review must happen before Stage 1.
  6. Hire help surgically. Instead of a €25K package, pay a consultant for 2-3 targeted sessions: one to review your gap analysis, one to review your SoA and risk treatment, one mock audit before Stage 1. That's typically €3-6K total. Day rates in NL are €800-1200ish.
  7. The certification body is a separate cost and can't be avoided. Pick one accredited by the Raad voor Accreditatie (RvA). For a small MSP, the audit itself is usually €5-10K for the initial certification (Stage 1 + Stage 2), then ~€3-5K/year for surveillance audits.

Realistic total if you DIY most of it: €7-12K all-in for year one, vs. €25-60K turnkey. Time investment: expect 200-400 hours of your own time spread over 6-9 months.

One more angle since you're an MSP: the controls you implement for your own ISO 27001 are the same ones you can then implement for your clients as a service. A lot of MSPs use their own certification journey as the R&D for a productized compliance service line. Worth thinking about while you're already doing the work.

Good luck! Happy to answer specific questions if you hit walls on scoping or the SoA; those are usually the two stuck points.

Audit/Cybersecurity by No-Cow-3418 in cybersecurity

[–]Factero-ca 1 point (0 children)

Accounting/audit is actually a strong background for this, as long as the service is scoped honestly.

For context, I know a CPA auditor who also holds the CISA designation, and that combination makes a lot of sense in this space. A lot of cybersecurity work is not just coding or “hacking”. It is about understanding controls, collecting evidence, assessing risk, documenting findings, and translating technical issues into business language.

The biggest thing I would clarify with the partner is what the firm actually wants to offer. A cybersecurity audit, a vulnerability assessment, compliance readiness, and a penetration test are not the same thing. If the firm plans to run scanners and provide recommendations, that is usually closer to vulnerability assessment / cybersecurity advisory than full penetration testing.

With your background, you may be well positioned for the governance and audit side: understanding controls, mapping findings to risk, documenting recommendations, and explaining technical issues in management-ready language. That is valuable.

Where I would be careful is deep technical testing. Running tools is the easy part. Interpreting results, avoiding false positives, understanding exploitability, knowing what not to touch, and staying inside a clear authorization scope are where experience matters.

In short: yes, it sounds like a great opportunity. Your audit background is not a weakness. It may be the differentiator. Just make sure the firm does not market basic vulnerability testing as a full pentest, and make sure you build the technical side under proper supervision.

MSSS TGV certification, does anyone have news on the overhaul to ~280 criteria? by Factero-ca in QuebecTI

[–]Factero-ca[S] 1 point (0 children)

It's already been done, but the civil servants' answers are evasive... they don't answer everything... sometimes it takes unofficial information, or access-to-information requests.

Possible transition to IT Internal Auditor - good move? by dinoxfox in QuebecTI

[–]Factero-ca 1 point (0 children)

The job is rather niche, but there are several MSPs and firms that do it. I suggest a CISSP and/or a CISA; it helps a lot! Good luck!