ISO 27001 certification is the global gold standard for organisations who want to set up or improve processes on information security. While starting your journey to be ISO 27001 certified, understanding how to budget for your ISO 27001 project is important, since this should account for the costs of the implementation and the certification.
The costs for ISO 27001 certification can vary. In order to help you, we’ve outlined a cost breakdown to help you budget as you progress toward obtaining the ISO 27001 certification.
In this article
- What is ISO 27001?
- Factors that may influence the ISO 27001 certification cost
- ISO 27001 Design and Implementation cost
- Cost of assessing risk and internal audit
- External audit and certification cost
- Surveillance audit cost
- Is ISO 27001 expensive?
What is ISO 27001?
The ISO framework is a set of policies and procedures that businesses can use. ISO 27001 provides a framework for organisations of any size or industry to use an Information Security Management System to protect their information in a methodical and cost-effective manner (ISMS).
The ISO 27001 Standard certification is widely recognised and relays to your customers that your information security management system (ISMS) is compliant with industry best practices.
What does it take to get ISO 27001 certified?
Once you have set up your ISMS with the relevant security controls, you can register for ISO 27001 certification, proving that your ISMS meets the requirements of the ISO 27001 standard.
Part of the certification process requires you to perform a gap analysis of your company to identify and bridge existing security weaknesses and train your staff on ISO 27001 requirements and their infosec responsibilities. Certification ends with an internal and external audit of your ISMS.
Once you receive your ISO 27001 certification, it is valid for three years. During this time, your ISMS must be maintained and audited annually for you to retain your certification.
How much does it cost to get ISO 27001 certified?
The cost of securing an auditor for stages 1 and 2 of the audit-certification process usually costs between £4,400 ($5,500) and £14,600 ($18,000). However, the exact cost depends on the following factors:
- The ISMS’s current maturity level
- The types of activities carried out under the ISMS's scope
- The scope and variety of technology used in the ISMS's numerous aspects
- The level of outsourcing and third-party arrangements within the scope of the ISMS
- The difference between the actual state and the desired state of the control environment
- The capability inside the company to develop the ISMS and close the highlighted gaps
- How fast the certificate has to be provided to the client
The main variable is workflow automation and guidance from an ISO 27001 expert. You’ll need to scope your ISMS, perform a gap analysis to identify the control areas which need to be established and walk through the implementation of those controls.
The average ranges for the precertification phase:
Precertification Phase I
(Scope, Definition, Risk Assessment, Risk Treatment Plan, Gap Assessment, Phase II Remediation plan)
Precertification Phase II
(Gap closure (collaboratively), Registrar Selection, ISMS Artefact Development, Risk Management Committee, Incident Response, Internal ISMS audit, On-Site Certification Audit support)
The process of getting ISO 27001 certified takes between 6-12 months and you can expect to pay the following additional fees:
|Compliance Manager Salary (US)||£100,000 Annually|
|Cost of Compliance Software and Tools||£15,000-£100,000 Annually|
|Time needed||6-12 Months|
Cost of assessing risk and internal audit
To stay compliant, you will need to keep your ISMS and the applicable controls up to date. On top of the cost of auditors, this will make the time of a compliance consultant or an in-house consultant compulsory.
If a business is obtaining ISO 27001 for the first time, this also requires an independent internal audit prior to determining readiness for an external audit.
The average ranges for risk assessments and internal audits:
|Compliance Consultant Cost||£140/hour|
|Time needed (Consulting hours)||24-160 hours|
External audit and certification cost
While a small business with 5 employees and 1 location might only require a few days of auditing, a larger, multi-site company could take up to 1 month of auditing.
The average ranges for audit and certification:
|ISO 27001 Auditor cost||£5,500 - £18,000|
|Time needed||3-10 days|
Surveillance Audit cost
Surveillance audits can determine whether or not the company is still operating as it was originally represented in the initial certification year.
To stay in compliance, you’ll need to keep your ISMS up-to-date along with the relevant controls.
The average ranges for surveillance audits:
|Compliance Specialist Salary||£75,000-£90,000 Annually|
|Cost of ISO 27001 Audit||£5,500-£12,000|
|Time Needed||1-4 days|
Is it difficult to get ISO 27001 certified?
It may surprise you, but implementing ISO 27001 is not as difficult or expensive as you may expect. If you are already practising good information security, the ISO will help you frame and improve it over time. If you don't, then it will tell you how.
Business owners may believe that the certification may require thousands of instructions, a large investment in IT equipment and systems, and will take a long time to implement.
However, depending on your business, you may not need to purchase new systems or security measures to comply with the Standard. Many of the technological controls in ISO 27001 may be addressed using Microsoft Windows' built-in capabilities and tools.
The total cost of ISO 27001 certification can start as low as £10,000 and range up to £48,000, which isn't a significant price when you consider that the average cost of a data breach in 2016 was £4 million. The cost of the certification, on the other hand, is determined by the size of your company and the certification authority you choose.
Your customers will benefit from ISO 27001 implementation as it increases customer trust in the company and lowers the chance of their personal information getting into the wrong hands.
InfoSec-as-a-Service by DataGuard is a complete solution for managing information security. We can help you get things done right, whether you need industry-specific guidance, help setting up your ISMS, or prepare for an external audit.
DataGuard helps software companies and tech startups on matters such as Privacy by Design and Default, data exchanges with third-party service providers, and erasure principles for each product.
Approaching ISO 27001 certification is easier when your company is armed with a structured plan and the advice of an expert. To book a free consultation, contact us.
Does ISO 27001 cover cyber security?
Yes, to an extent. Some aspects of ISO 27001 certainly help to protect the confidentiality, integrity, and availability of sensitive data frequently targeted by hackers. All companies, small and large, can benefit from implementing ISO 27001 amid the rise in cyber attacks these days.
However, while the main focus of ISO 27001 is information security, its sister standard—ISO 27032—is internationally recognised for providing guidance on cybersecurity for companies. You can use it to better prepare for and respond to cyber assaults and to better control the risks that come with using technology.
Can you self-certify ISO 27001?
While the option to self-certify would be quicker and less costly, external certification is necessary for ISO 27001. While you can certainly comply with ISO 27001 regulations on your own initiative, pursuing an ISO 27001 certification requires that an independent third party audit you. You cannot claim to be ISO 27001 certified if you have not undergone the official process.
Can an individual get ISO 27001 certified?
Yes, an individual can get certified in ISO 27001 by undergoing training and passing an exam conducted by an authorised training centre.
Individuals can become certified in ISO 27001 foundational knowledge or train to become Lead Auditors and Lead Implementers. Exams for these certifications are open-book.
Can you fail an ISO 27001 audit?
Yes, you can. Pursuing ISO 27001 certification for the first time can be a tough process to navigate, and there is a chance you could fail your external ISO 27001 audit if you don’t have the right guidance.
If you don’t pass your external audit, your certification body will inform you of the areas that need improvement and allow you time to make the necessary corrections with documented proof, so not all is lost.
Once your auditor finds your ISMS to be compliant, you can expect to receive your ISO 27001 certification very soon.
How often do you need to renew ISO 27001?
Your ISO 27001 certification must be renewed every three years. The ISMS, however, requires ongoing administration and maintenance. While certification is in effect, the certifying body's auditors will make yearly visits for supervision.
Are you looking for ISO 27001 Certification?
- Certified external Information Security Officer (ISO)
- Industry specific expertise
- Personal and individual advice
Find out more about our scope of services and costs.Book a demo