Cybersecurity and regulatory compliance are the two biggest concerns of today’s corporate boards, according to Gartner. A growing number of companies are choosing to adopt a trusted security framework, and ISO 27001, as a globally recognized certification, is the framework of choice for many. In fact, ISO 27001 saw a 24.7% increase in worldwide certifications in 2020 alone.
Clearly, ISO 27001 is valuable. But it’s not cheap. In some cases, the hard costs of the full, three-year certification cycle can add up to $75,000—and that doesn’t include the cost of the time your employees will need to spend on the process.
Let’s take a look at how to calculate the costs involved in becoming certified and share some tried and true ways of minimizing those costs.
Breaking Down the Cost of ISO 27001
ISO 27001 is a multi-stage process, and each stage includes a different set of costs. We’ll break down each stage and look at the costs involved. Because certification costs depend heavily on company size, we’ll simplify things by taking a small start-up with 50 employees as our example.
ISO 27001 Cost: Readiness Stage, $10K—$39K
During the readiness stage of the certification process, your company will need to do some of the heaviest lifting. This is the stage during which you need to define the scope of your information security management system (ISMS), identify where sensitive information is stored, conduct a risk assessment, and then implement the policies and controls that mitigate those risks.
You’ll prepare a Statement of Applicability (SoA), which summarizes the controls you implemented and provides a justification for those you chose not to implement, and a risk treatment plan, which outlines how your organization will respond to all risks that were identified in your risk assessment.
And finally, you’ll train your team to support the new ISMS and conduct an internal audit to make sure you’re ready for the external auditor to review your documentation.
The costs involved in this stage vary widely, from $10,000 to nearly $40,000, depending on the option you choose.
Option 1: DIY
The most expensive way to complete the readiness stage can sometimes seem like the least expensive at first glance. After all, isn’t the DIY route usually the best way to save money?
But when you factor in the cost of your internal team’s time, the real cost of getting through the initial stage of ISO 27001 without any help becomes devastatingly clear. Let’s take the average salary of a senior analyst—the role with the skills to lead this stage of the process. At $118K per year, every day of this person’s time costs about $491. With the readiness stage requiring between two and four months to complete, the cost of having an employee complete the work unaided will be $24,583 to $39,333, making this the most expensive option.
Option 2: The consultant
While hiring a consultant may seem like an expensive way to get through the readiness stage, it’s likely to cost your organization less overall. Consultancy fees average $30,000, so they’re not negligible, but in return, you can leave most of the heavy lifting, including time-intensive documentation and the internal audit, in the hands of your consultant. In this scenario, your high-dollar engineering lead can go back to focusing on supporting product development and operations.
Option 3: The platform
Investing in a compliance platform can further reduce costs. Compliance software delivers a clear value proposition, whether used in conjunction with a consultant or as part of a DIY approach. By automating evidence collection, streamlining workflows, and providing prebuilt templates for best-practice policies and procedures, a platform reduces the workload significantly.
In fact, if your head of engineering is leading the readiness stage, it will cut the amount of time required by 88%. In other words, instead of spending four months at a cost of $39,333, your engineer can spend just four weeks at a cost of $4,720. Even factoring in the cost of the platform at $3,000, it’s still the least expensive option.
ISO 27001 cost: Stage 1 and 2 audits, $14K—$16K
There are two main stages to the audit-certification process. Stage 1 is the documentation audit, and stage 2 is the certification audit. The cost of securing an auditor for these stages will run between $14,000 and $16,000 for a small start-up.
The difference in auditor costs is largely dependent on the prestige of the auditor you choose. Hiring a Big Four firm (PwC, Deloitte, Ernst & Young, and KPMG) comes at a premium, but in exchange, you’ll get certified by a high-profile, highly respected company. For some companies, the extra cost is worth it. For others, a reputable, accredited boutique auditing firm may be a better fit.
When deciding which type of auditor to choose, consider these two key questions:
If the answer to either question is a “yes,” the extra cost could be well worth it.
ISO 27001 cost: Surveillance and recertification audits, $20K—$23K
Once your company passes the certification audit, it is fully ISO 27001 certified. However, to maintain certification, you must undergo a surveillance audit annually in years one and two, plus a recertification audit in year three.
The surveillance audits are less intensive than the initial documentation and certification audits, so they are likely to cost less—usually between $6,000 and $7,500 each. The recertification audit is as detailed as the original certification audit, so you can expect it to cost as much.
Putting it all together
As you can see, many variables can affect the cost of becoming ISO 27001 certified. In addition to the size of your company and the scope of your ISMS, the decision to move forward with a consultant, a compliance platform, or a pure DIY approach can have a big impact on the ultimate price tag. Here’s a chart that sums it all up.