How much does ISO 27001 certification cost?

Depending on company size, the ISO 27001 process can take multiple years and cost tens of thousands of dollars. Here's the breakdown.

OneTrust

6 Min Read

Cybersecurity and regulatory compliance are the two biggest concerns of today’s corporate boards, according to Gartner. A growing number of companies are choosing to adopt a trusted security framework, and ISO 27001, as a globally recognized certification, is the framework of choice for many. In fact, ISO 27001 saw a 24.7% increase in worldwide certifications in 2020 alone. 

Clearly, ISO 27001 is valuable. But it’s not cheap. In some cases, the hard costs of the full, three-year certification cycle can add up to $75,000—and that doesn’t include the cost of the time your employees will need to spend on the process.  

Let’s take a look at how to calculate the costs involved in becoming certified and share some tried and true ways of minimizing those costs.  

Breaking Down the Cost of ISO 27001 

ISO 27001 is a multi-stage process, and each stage includes a different set of costs. We’ll break down each stage and look at the costs involved. Because certification costs depend heavily on company size, we’ll simplify things by taking a small start-up with 50 employees as our example.   

ISO 27001 Cost: Readiness Stage, $10K—$39K 

During the readiness stage of the certification process, your company will need to do some of the heaviest lifting. This is the stage during which you need to define the scope of your information security management system (ISMS), identify where sensitive information is stored, conduct a risk assessment, and then implement the policies and controls that mitigate those risks. 

You’ll prepare a Statement of Applicability (SoA), which summarizes the controls you implemented and provides a justification for those you chose not to implement, and a risk treatment plan, which outlines how your organization will respond to all risks that were identified in your risk assessment. 

And finally, you’ll train your team to support the new ISMS and conduct an internal audit to make sure you’re ready for the external auditor to review your documentation. 

The costs involved in this stage vary widely, from $10,000 to nearly $40,000, depending on the option you choose.  

Option 1: DIY 

The most expensive way to complete the readiness stage can sometimes seem like the least expensive at first glance. After all, isn’t the DIY route usually the best way to save money? 

But when you factor in the cost of your internal team’s time, the real cost of getting through the initial stage of ISO 27001 without any help becomes devastatingly clear. Let’s take the average salary of a senior analyst—the role with the skills to lead this stage of the process. At $118K per year, every day of this person’s time costs about $491. With the readiness stage requiring between two and four months to complete, the cost of having an employee complete the work unaided will be $24,583 to $39,333, making this the most expensive option.  

Option 2: The consultant  

While hiring a consultant may seem like an expensive way to get through the readiness stage, it’s likely to cost your organization less overall. Consultancy fees average $30,000, so they’re not negligible, but in return, you can leave most of the heavy lifting, including time-intensive documentation and the internal audit, in the hands of your consultant. In this scenario, your high-dollar engineering lead can go back to focusing on supporting product development and operations.  

Option 3: The platform 

Investing in a compliance platform can further reduce costs. Compliance software delivers a clear value proposition, whether used in conjunction with a consultant or as part of a DIY approach. By automating evidence collection, streamlining workflows, and providing prebuilt templates for best-practice policies and procedures, a platform reduces the workload significantly.

In fact, if your head of engineering is leading the readiness stage, it will cut the amount of time required by 88%. In other words, instead of spending four months at a cost of $39,333, your engineer can spend just four weeks at a cost of $4,720. Even factoring in the cost of the platform at $3,000, it’s still the least expensive option.  

ISO 27001 cost: Stage 1 and 2 audits, $14K—$16K   

There are two main stages to the audit-certification process. Stage 1 is the documentation audit, and stage 2 is the certification audit. The cost of securing an auditor for these stages will run between $14,000 and $16,000 for a small start-up. 

The difference in auditor costs is largely dependent on the prestige of the auditor you choose. Hiring a Big Four firm (PwC, Deloitte, Ernst & Young, and KPMG) comes at a premium, but in exchange, you’ll get certified by a high-profile, highly respected company. For some companies, the extra cost is worth it. For others, a reputable, accredited boutique auditing firm may be a better fit.  

When deciding which type of auditor to choose, consider these two key questions:  

  • Does the prestige of the Big Four carry weight with your CEO? Are they more likely to trust the choice if it comes with a top-tier label? 
  • Do your customers prefer a Big Four auditor? Will they be more inclined to trust the audit findings and your company’s commitment to information security? 

If the answer to either question is a “yes,” the extra cost could be well worth it. 

ISO 27001 cost: Surveillance and recertification audits, $20K—$23K 

Once your company passes the certification audit, it is fully ISO 27001 certified. However, to maintain certification, you must undergo a surveillance audit annually in years one and two, plus a recertification audit in year three.  

The surveillance audits are less intensive than the initial documentation and certification audits, so they are likely to cost less—usually between $6,000 and $7,500 each. The recertification audit is as detailed as the original certification audit, so you can expect it to cost as much.  

Putting it all together

As you can see, many variables can affect the cost of becoming ISO 27001 certified. In addition to the size of your company and the scope of your ISMS, the decision to move forward with a consultant, a compliance platform, or a pure DIY approach can have a big impact on the ultimate price tag. Here’s a chart that sums it all up.   

Start-up with 50 employees

                                                   Option 1: DIY       Option 2: Consultant   Option 3: Compliance Platform
Readiness stage                                    $24,583-$39,333     $30,000                $10,450-$12,220
Documentation and certification audits (year 1)    $14,000-$16,000 (same for all three options)
Surveillance audits (year 2 and 3)                 $12,000-$15,000 (same for all three options)
Recertification audit (year 4)                     $7,000-$8,000 (same for all three options)
Total                                              $57,583-78,333      $66,000-69,000         $43,450-51,220

Learn more about gaining compliance by downloading this eBook about the ISO 27001 journey. To request a demo for OneTrust’s Certification Automation tool, go here.  
