How much does ISO 27001 certification cost?

Depending on company size, the ISO 27001 process can take multiple years and cost tens of thousands of dollars. Here's the breakdown.

OneTrust


Cybersecurity and regulatory compliance are the two biggest concerns of today’s corporate boards, according to Gartner. A growing number of companies are choosing to adopt a trusted security framework, and ISO 27001, as a globally recognized certification, is the framework of choice for many. In fact, ISO 27001 saw a 24.7% increase in worldwide certifications in 2020 alone. 

Clearly, ISO 27001 is valuable. But it’s not cheap. In some cases, the hard costs of the full, three-year certification cycle can add up to $75,000—and that doesn’t include the cost of the time your employees will need to spend on the process.  

Let’s take a look at how to calculate the costs involved in becoming certified and share some tried and true ways of minimizing those costs.  

Breaking Down the Cost of ISO 27001 

ISO 27001 is a multi-stage process, and each stage includes a different set of costs. We’ll break down each stage and look at the costs involved. Because certification costs depend heavily on company size, we’ll simplify things by taking a small start-up with 50 employees as our example.   

ISO 27001 Cost: Readiness Stage, $10K—$39K 

During the readiness stage of the certification process, your company will need to do some of the heaviest lifting. This is the stage during which you need to define the scope of your information security management system (ISMS), identify where sensitive information is stored, conduct a risk assessment, and then implement the policies and controls that mitigate those risks. 

You’ll prepare a Statement of Applicability (SoA), which summarizes the controls you implemented and provides a justification for those you chose not to implement, and a risk treatment plan, which outlines how your organization will respond to all risks that were identified in your risk assessment. 

And finally, you’ll train your team to support the new ISMS and conduct an internal audit to make sure you’re ready for the external auditor to review your documentation. 

The costs involved in this stage vary widely, from $10,000 to nearly $40,000, depending on the option you choose.  

Option 1: DIY 

The most expensive way to complete the readiness stage can sometimes seem like the least expensive at first glance. After all, isn’t the DIY route usually the best way to save money? 

But when you factor in the cost of your internal team’s time, the real cost of getting through the initial stage of ISO 27001 without any help becomes devastatingly clear. Let’s take the average salary of a senior analyst—the role with the skills to lead this stage of the process. At $118K per year, every day of this person’s time costs about $491. With the readiness stage requiring between two and four months to complete, the cost of having an employee complete the work unaided will be $24,583 to $39,333, making this the most expensive option.  

Option 2: The consultant  

While hiring a consultant may seem like an expensive way to get through the readiness stage, it’s likely to cost your organization less overall. Consultancy fees average $30,000, so they’re not negligible, but in return, you can leave most of the heavy lifting, including time-intensive documentation and the internal audit, in the hands of your consultant. In this scenario, your high-dollar engineering lead can go back to focusing on supporting product development and operations.  

Option 3: The platform 

Investing in a compliance platform can further reduce costs. Compliance software delivers a clear value proposition, whether used in conjunction with a consultant or as part of a DIY approach. By automating evidence collection, streamlining workflows, and providing prebuilt templates for best-practice policies and procedures, a platform reduces the workload significantly.

In fact, if your head of engineering is leading the readiness stage, it will cut the amount of time required by 88%. In other words, instead of spending four months at a cost of $39,333, your engineer can spend just four weeks at a cost of $4,720. Even factoring in the cost of the platform at $3,000, it’s still the least expensive option.  

ISO 27001 cost: Stage 1 and 2 audits, $14K—$16K   

There are two main stages to the audit-certification process. Stage 1 is the documentation audit, and stage 2 is the certification audit. The cost of securing an auditor for these stages will run between $14,000 and $16,000 for a small start-up. 

The difference in auditor costs is largely dependent on the prestige of the auditor you choose. Hiring a Big Four firm (PwC, Deloitte, Ernst & Young, and KPMG) comes at a premium, but in exchange, you’ll get certified by a high-profile, highly respected company. For some companies, the extra cost is worth it. For others, a reputable, accredited boutique auditing firm may be a better fit.  

When deciding which type of auditor to choose, consider these two key questions:  

  • Does the prestige of the Big Four carry weight with your CEO? Are they more likely to trust the choice if it comes with a top-tier label? 
  • Do your customers prefer a Big Four auditor? Will they be more inclined to trust the audit findings and your company’s commitment to information security? 

If the answer to either question is a “yes,” the extra cost could be well worth it. 

ISO 27001 cost: Surveillance and recertification audits, $20K—$23K 

Once your company passes the certification audit, it is fully ISO 27001 certified. However, to maintain certification, you must undergo a surveillance audit annually in years one and two, plus a recertification audit in year three.  

The surveillance audits are less intensive than the initial documentation and certification audits, so they are likely to cost less—usually between $6,000 and $7,500 each. The recertification audit is as detailed as the original certification audit, so you can expect it to cost as much.  

Putting it all together

As you can see, many variables can affect the cost of becoming ISO 27001 certified. In addition to the size of your company and the scope of your ISMS, the decision to move forward with a consultant, a compliance platform, or a pure DIY approach can have a big impact on the ultimate price tag. Here’s a chart that sums it all up.   

Start-up with 50 employees

| Cost item | Option 1: DIY | Option 2: Consultant | Option 3: Compliance Platform |
|---|---|---|---|
| Readiness stage | $24,583-$39,333 | $30,000 | $10,450-$12,220 |
| Documentation and certification audits (year 1) | $14,000-$16,000 | $14,000-$16,000 | $14,000-$16,000 |
| Surveillance audits (years 2 and 3) | $12,000-$15,000 | $12,000-$15,000 | $12,000-$15,000 |
| Recertification audit (year 4) | $7,000-$8,000 | $7,000-$8,000 | $7,000-$8,000 |
| Total | $57,583-$78,333 | $66,000-$69,000 | $43,450-$51,220 |

Learn more about gaining compliance by downloading this eBook about the ISO 27001 journey. To request a demo for OneTrust’s Certification Automation tool, go here.  
