ISO 27001 certification is an internationally recognized framework that addresses your organization’s ISMS (Information Security Management System) and how seriously your organization takes the security of its data. In deciding to pursue an ISO 27001 certification for your business, one of the first questions that will come up is: How much will this cost?
The amount of money an ISO 27001 certification will cost is dependent upon many factors, including the size of your organization, the number of office locations, the type of data your organization processes, and resource expertise/availability. Breaking down the costs of an ISO 27001 certification is the first step in being able to estimate your organization’s cost of certification.
ISO 27001 cost can vary greatly; estimates range from $5,000 to over $100,000 for a small to medium-sized business, inclusive of all readiness stages and the actual audit. Proper planning is a requirement for ensuring that your organization stays within the established budget for ISO 27001 certification.
This article breaks the costs of the ISO 27001 certification process into benchmarks by stage, so you can check that you remain on budget at each benchmark and course-correct early if you do not.
- Phase 1: Readiness
- Key Cost: Documentation and Assessing
- Phase 2: Implementation
- Key Cost: Testing & Remediation
- Phase 3: Formal Certification Audit
- Key Cost: The Auditing Body
The 3 Stages of ISO 27001 Certification
Separating ISO 27001 certification into three stages will assist in determining the total cost of certification. The first two stages, readiness and implementation, go hand in hand in preparing your organization for the formal certification audit; together they are also the most labor- and resource-intensive part of ISO 27001 certification.
During the readiness phase, your organization will be taking steps to prepare for the ISO 27001 certification audit. These steps include identifying the team that will perform all ISO 27001-related activities, defining your ISMS scope, conducting a gap assessment, defining your policies and procedures, conducting a risk assessment, and developing or planning your risk treatment plan based on the completed risk assessment.
The organization then needs to develop a Statement of Applicability (SoA) which will state which ISO 27001 controls and policies are currently in place. This is a mandatory document and is a part of your ISMS that will need to be reviewed by the external auditor during the documentation phase of your formal certification audit.
Implementation, the second stage of preparing for your organization’s ISO 27001 certification audit, includes activities such as identifying your information assets, identifying your current security baseline, and implementing a risk treatment plan for the risks that were identified in phase one.
To apply the ISO 27001 controls effectively, your organization will be required to monitor, evaluate, and review the controls that are in place. This must be documented so that the evidence can be reviewed by the external auditor. You’ll also perform a formal internal audit; this is a mandatory part of ISO 27001 certification and should be thoroughly documented. One of the final steps of phase two is putting into practice the documentation identified and created in phase one, together with completing training of your employees on how to adhere to the ISMS.
Due to the numerous steps involved, companies occasionally bring in consultants to speed up preparation as well as to provide guidance and support throughout the certification process. Although it is not required, organizations can use a consultant’s expertise to ensure the necessary processes, documentation, and tooling are in place to prove an effective, operational Information Security Management System.
The final stage, the formal certification audit, occurs in two steps: the documentation audit and the certification audit. Before this stage, your organization will secure an auditor to perform the initial audit as well as the annual surveillance and recertification audits.
The total cost for this auditor for a small business can range from $30,000 to upward of $50,000 depending on the type of auditor you choose and from what kind of firm they hail. Choosing a Big Four firm will cost a premium amount, however, if your client base requires that you are certified by a highly respected company, this may be the best option. If not, a smaller accredited, boutique auditing firm can save you thousands of dollars.
Each Phase & Its Costs
Phase 1: Readiness
For any organization, the phase that is going to incur the most cost and resources is the readiness phase.
Readiness can last anywhere from a few months to over a year. The organization should start by putting together an ISO 27001 team. The ISO 27001 project team should consist of senior management, management of the applicable teams within the organization, and subject matter experts (SMEs) from key areas of the organization. If the organization has an information security SME, they would be of great service to the team.
Once the team has been assembled, timelines and goals should be established. From there, steps should be taken to determine the scope of the ISMS. Conducting a gap assessment will provide an accurate look at the company’s current security standing and identify deficiencies and weaknesses.
Once these are identified, a risk assessment will need to be conducted and a risk treatment plan developed. Additionally, policies and procedures that adhere to the requirements of ISO 27001 will be created at this stage.
The team must then develop a plan for the implementation that will occur in phase two. The organization also needs to develop a Statement of Applicability (SoA), which states which ISO 27001 controls and policies are currently in place. This is a mandatory document and part of your ISMS, and it will be reviewed by the external auditor during the documentation step of your formal certification audit.
Your organization will spend most of its time in this readiness stage.
Key Cost: Documentation and Assessing
The total cost of the readiness stage, when performed internally, ranges from $10,000 to $40,000.
Using a consultant will cost at least $30,000; however, that fee will cover all phases, making it a competitive option. Utilizing a compliance platform and DIY methods is also an option and would cost anywhere between $3,000 and $10,000.
Phase 2: Implementation
The second phase of your company’s ISO 27001 certification effort uses the information obtained in phase one to bring your information security management system to a mature and compliant state.
Your organization will do this by implementing and testing your company’s ISMS and ensuring that your organization is effectively applying all processes and controls identified within the SoA.
The way your organization does this is by performing an internal assessment. This assists your organization in identifying its security baseline and determining what steps need to occur to close any identified gaps. The internal assessment is a mandatory step in obtaining your certification and, if possible, should be performed by a neutral third party. If it cannot be performed by a neutral third party, an internal auditor is acceptable provided that the internal assessor was not involved in the development or implementation of the ISMS; this helps to ensure neutrality. Once internal assessments have been completed, any non-conformities should be identified and eliminated.
In tandem with the implementation process, your organization should be applying the controls identified in phase one and collecting evidence that the controls are performing as expected. This includes conducting training with your internal teams on the ISMS and security controls. Phase 2 timing can range from a few weeks to a month or longer as corrective actions are uncovered, remediated, and re-tested. If your organization is utilizing a consultant, this time can be greatly reduced.
A small to medium-sized business should expect to spend anywhere from $10,000 to $20,000 on the implementation phase of ISO certification.
Key Cost: Testing & Remediation
The key costs of phase two are completing the testing against your ISMS and ensuring that the controls in place have been implemented correctly and are performing as expected. Additionally, monitoring the implementation of controls can be labor-intensive across all 144 controls.
Total costs for the implementation phase range from $10,000 to $50,000.
Phase 3: Formal Certification Audit
The formal certification audit is performed by an accredited certification body that specializes in ISO 27001 certification. Accreditation means the certification body itself is regularly monitored for performance, quality, and competence by an accreditation body such as the ANSI-ASQ National Accreditation Board (ANAB).
Your organization should research accredited certification bodies to ensure the agency has experience with your industry and company size and has a positive reputation. The costs of the audit include audit days and time, travel for on-site auditing requirements, and administrative fees.
The certification body you use will perform a two-step audit, the first of which is a documentation audit. The auditor will examine your organization’s policies, procedures, standards, and documentation, ensuring that they meet the ISO 27001 requirements and are regularly updated and reviewed.
The second step of the formal certification audit is called the field review or evidence audit. The auditor will review evidence that shows the policies in the ISMS documentation are being followed, observe the actual working of the ISMS by conducting interviews with staff members, perform audit tests in order to validate submitted evidence, and document the results of all steps.
Once these steps are completed, the auditor analyzes the data from the documentation review and interviews and creates an audit report that either grants certification or lists CAPs (corrective action plans) that must be remediated and retested before certification.
Once your organization has been granted ISO 27001 certification, you will be required to have annual surveillance audits performed to ensure continued adherence to ISO 27001 standards.
Key Cost: The Auditing Body
The auditing body that you select for your audit will determine the cost of the actual audit.
Stage one and two audit pricing can range from $15,000 for a small company to upwards of $40,000 for an enterprise-size company or a Big 4 auditing body.
Costs for a Consultant vs Internal Teams
There are multiple ways organizations complete the phases required for ISO 27001 certification; the main three are:
Utilizing Internal Resources (DIY)
Using resources readily available within the organization is a possible option but may not be the best one. If your organization already has a Senior Security Analyst or Information System Security Officer who is knowledgeable in ISO 27001, it could take between two and four months to design and implement the required ISMS and documentation. This alone could cost between $30,000 and $50,000. With the possibility of still needing a platform and/or consultant, this can quickly become the most expensive option.
Bringing on a Consultant
Companies use this option because a consultant’s expertise in ISO 27001 provides invaluable support to the certification process. ISO 27001 consultants can range from $30,000 to $50,000; however, they will handle the majority of the readiness stages, including documentation and internal audits, which allows your internal resources to continue supporting internal processes and operations and minimizes business impact.
Using a GRC Platform
The third option is the use of governance, risk, and compliance (GRC) software. Utilizing a platform allows your organization to automate the collection of evidence, provides a way to create and streamline workflows, and often includes a repository of documentation templates for policies and procedures, which also reduces resource workload and fatigue. Additionally, a platform can provide an eagle-eye view of your organization’s current compliance posture and recommendations on areas for improvement.
GRC platforms can range from $3,000 to $10,000+ depending on the vendor and its offerings.
These options are often used in tandem with each other to reduce resource usage and cost. A combination of these options will often produce the most effective result for your organization’s certification process.
How ISO Costs Are Spread Over Time
The process to obtain ISO 27001 certification can last for over 12 months, meaning that costs can, to some extent, be spread over that period.
Keep in mind that certain costs will be required to be paid in lump sums. Generally, consultants require upfront payment, although some will allow payment over a predetermined period of time.
Any software or compliance platforms purchased will also require an upfront payment, and the formal auditor will also require payment in full.
All other payments can be spread over the period that it takes to complete all stages and the final audit.
Can ISO 27001 Costs Be Reduced?
The certification process for ISO 27001 is a costly endeavor, and understandably, a business will want to explore ways of minimizing costs. One of the quickest and most effective ways to minimize your cost is to shop around among the vendors you may be interested in utilizing and ensure that they will meet your particular business’s needs and have a solid reputation within your industry.
Utilizing software or a compliance platform will assist you in saving costs, as such platforms often include templates for policies and documentation and provide a high-level overview of your organization’s current security standing and what improvements are necessary to reach compliance.
Compliance platforms will review your current ISMS and ensure that all 114 controls are addressed effectively, inform you of your organization’s current gaps, and provide recommendations on how to address them to be compliant with the ISO 27001 standard.
At the formal audit phase, costs can be reduced by shopping around for the auditing firm your organization will utilize, as well as by declining ancillary add-ons.
How Much Could ISO 27001 Save You?
ISO 27001 certification is certainly worth the endeavor due to the immeasurable benefits that come with certification.
More and more of your clients are requiring ISO 27001 certification as assurance that your organization is serious about its data security. When you have access to more clients, you are positioned to win more contracts.
Implementing ISO 27001 standards across your organization results in a company that is much more security-focused and has increased awareness and respect for data security.
Certification can help protect your organization from the many breaches that occur on a daily basis; in turn, this can save your company from expensive fines due to non-compliance with regulatory requirements such as HIPAA and/or GDPR.
ISO 27001 certification has the potential to save your business millions of dollars in fines and lost data.