Obtaining an ISO 27001 certification costs money. Not only do you have to engage and pay an accredited body for the audit itself, but laying the foundation for the Information Security Management System (ISMS) and implementing the respective security controls can also consume a good deal of internal resources. It is all the more aggravating if, after all that effort, you do not pass the audit, or if all you get is an uncertified ISMS that is worth very little, or worse, nothing.
Any company that wants to undergo an ISO 27001 certification should make sure its Information Security Management System (ISMS) is audited by an accredited body. This article explains the differences between an accredited and a non-accredited ISMS certification.
What you need to know in a nutshell
- Certification according to the ISO 27001 standard has a number of advantages, including minimizing risks and optimizing processes.
- It is also ideal for communicating an internationally recognised information security standard to the outside world. However, there are three different ways of doing so, and they differ in important respects.
- The time and cost necessary for ISO 27001 certification by an accredited body depends heavily on the size of the company, e.g. the number of employees and the complexity of the information security processes.
In this article
- What is an ISO 27001 certification anyway?
- What are the different paths to certification?
- What is ISO 27001 compliance?
- What is the difference between ISO 27001 compliance and an accredited certification?
- How much time and money will an ISO 27001 certification by an accredited body cost?
What is an ISO 27001 certification anyway?
ISO 27001 is an international standard that describes the requirements for implementing and documenting an information security management system, or ISMS for short. Besides IT security, this covers management processes, staff training, and compliance topics such as data protection. By implementing the standard, companies can detect and remediate vulnerabilities in these areas.
The ISO 27001 certification entails an entire range of benefits:
- Minimisation of risks
- Company-wide integration of IT security principles
- Process optimisation
- Overlap with legislation such as GDPR and other compliance topics
- Proof of IT security for business partners
- Increased trust leading to a competitive market advantage
- In cases of liability: Proof of due diligence in IT
What are the different paths to certification?
So, you have decided that you want to implement the ISO 27001 standard in your company. Doing so will bring you all the benefits mentioned above. But how can you show your business partners and the market at large that you take IT security seriously? That is where certifications come into play.
There are three ways of communicating to the outside world that your company has implemented ISO 27001:
- ISO 27001 compliance
- ISO 27001 certification
- ISO 27001 certification by an accredited body
What is ISO 27001 compliance?
ISO 27001 compliance is a mere claim. That is, a company decides at its own discretion whether it has sufficiently taken into consideration the requirements of the ISO 27001 standard and implemented them. The company can then claim vis-à-vis third parties, e.g., on its website: “We are ISO 27001-compliant.”
While claims of this nature are a sign that a company has engaged with topics of IT security management, at least on some level, they really do not state much more than that.
Contractual partners rarely deem claims of ISO 27001 compliance as sufficient for conducting business.
What is the difference between ISO 27001 compliance and an accredited certification?
The picture is different if your ISO 27001 compliance is confirmed by a third party, such as when you have your company audited by an accredited certification body.
There are several accredited certification bodies for ISO 27001 in the United Kingdom that have been inspected and accredited by UKAS, the national accreditation body of the United Kingdom. UKAS gives assurance that a certification body is competent and meets the highest standards, and it carries out a rigorous audit process to ensure that those standards are met.
We recommend pursuing certification only through an accredited body. Certifications not confirmed by a recognised accreditation body are often not recognised by business partners. Indeed, most contracts that require ISO 27001 certification mean certification by an accredited body.
How much time and money will an ISO 27001 certification by an accredited body cost?
For companies seeking ISO 27001 certification, implementation itself generally incurs the greatest cost. Meeting the various requirements can take months or even years, and third-party consultant services, often a must, rarely charge daily rates under € 1,500.
The certification process itself pales in comparison to the run-up to it. But when it comes to your company’s implementation measures, the proof is in the pudding: If the certification body decides your company falls considerably short of compliance and you fail the audit, you’ll have to arrange a new audit – the process starts over, and the costs increase.
A medium-sized company with 100 employees and low process complexity can roughly expect the ISO 27001 audit to take about one day per 15 to 20 employees. For larger organisations, audits will be more time intensive. The actual duration will naturally depend on how complex your information security processes are, as well as on the scope you have defined for your ISMS. Based on our experience, for smaller companies with only one location, certification will run about € 10,000. You can contact a certification body for a binding quotation for your company.
Gaining ISO 27001 certification for your company’s ISMS is advisable if you wish, or are required, to provide proof of your IT security to third parties – that is to say, ISO 27001 certification is advisable for every enterprise. Since implementing the standard is not an easy undertaking, and one that generally costs a good deal of both time and money, it makes little sense to try to cut costs when it comes to the certification itself.