One of the biggest issues in modern business with regard to information security is how to judge whether your suppliers are doing their part to lessen the risk of threats such as ransomware and data theft. This is often a high priority question when your customers are considering whether they want to do business with your organization; how do they know you are taking information security seriously? One way to tell is for them to ask lots of in-depth questions about the controls you have in place. Perhaps a better way is for your organization to become certified to the ISO27001 standard because this means that someone independent has looked in detail at the information security measures you employ and has found them to be sufficient. This saves everyone a lot of time and provides a greater degree of assurance.
But becoming certified to the ISO27001 standard has a cost associated with it, both in terms of the initial implementation and in terms of keeping it going. And before you start down that road your senior management will want some figures. So in this blog we’re going to look at the question “how much does ISO27001 certification cost?”.
In making a calculation for the total costs of getting to the point where you have a certificate on the wall, there are a number of main areas where costs are pretty sure to be incurred, and lots of other areas where you might have to spend some money depending on where you’re starting from.
The main certainty is of course the cost of the certification body to perform the assessment. Certification is a two-stage process, usefully called “Stage One” (document review) and “Stage Two” (certification audit), and is priced according to the number of audit days required. Most certification bodies have a formula that they use to calculate the audit days and this usually depends on factors such as the number of employees, number of sites and the level of risk involved. This last factor can have a big influence as they will want to look much more closely at an organization that provides mission-critical services to a life and death industry such as medical, than at a company that provides optional services to an industry with less importance. This means that you will need to be careful with your answers to the questions they ask, so as not to give a false impression of risk. What you will receive from a typical certification body will be a quote for a specified number of audit days, at a specified daily rate. Note that the daily rates for ISO27001 auditing can be significantly more than those for other standards such as ISO9001, due to the scarcity of the resources and the technical skills required. Some certification bodies also charge administration fees and supplements for half days too. As a rough guide (2022 prices in the UK) you might pay anywhere between GBP 1000 and GBP 1500 per day for a UKAS-accredited certification body to perform your audits, possibly with an annual management fee on top of GBP 300 to GBP 500. As with anything, you may want to shop around to get the best deal, but beware very cheap quotes from companies whose certificates are not worth the cost of printing them.
Another ISO27001 certification cost is the internal audit. To become certified you’ll need to have performed an internal audit of all areas of the standard before the certification body’s auditor arrives for the Stage Two audit. If you have an existing internal audit department then it would make sense to use their resources, but bear in mind that some training in ISO27001 may be required. The other option is to use an external third party who is already qualified, and this will come at a cost, both prior to certification and as an ongoing internal audit programme afterwards. Guideline daily rates for such services might be between GBP 500 and GBP 1000 if you use a smaller company, possibly much more if you use one of the big ones.
As well as training in ISO27001 itself, there may be a need for courses or other methods covering general information security concepts, or the software being used to implement the controls, such as Microsoft Endpoint Manager or an anti-malware platform. It’s worth considering some of the qualifications available as these provide some focus to the training and often have continuing professional education (CPE) requirements to keep skills up to date. Such qualifications are available from bodies such as ISACA, ISC2 and the main cloud providers such as AWS and Microsoft. From a cost viewpoint, this will require budget for exams, professional memberships and ongoing training (although much of this is free). As a rough indication, you might pay anywhere between GBP 1500 and GBP 2500 for a 5-day ISO27001 Lead Auditor course.
You may decide to do all the work yourself, or you may want some external help with getting your ISMS (information security management system) in place. A do-it-yourself ISO27001 toolkit such as the rather excellent one from CertiKit will cost around GBP 700, and consultancy is generally charged either by the hour or by the day, often depending on whether it is remote or onsite. The number of hours or days you use is really up to you, and rates are usually similar to those for internal auditing.
You may want to have a gap assessment carried out against the ISO27001 standard to identify how much work will be involved in getting to certification; these typically take 2 or 3 days to perform. Other common areas for help are scope, risk assessment, statement of applicability and management reviews, and the amount of help required (for example, an hour’s remote guidance through to several days of in-depth assistance) will determine the cost involved.
Depending on where you’re starting from, you may need to invest in additional software or cloud services in order to get your ISMS and associated controls in place. Common areas are anti-malware, phishing testing and training, threat monitoring, security configuration management and backups. These will all come with a range of functionality and pricing so you’ll need to take some difficult decisions about the level of protection you feel is necessary and how much you want to spend.
Don’t forget to budget for a copy of the ISO27001 standard itself (currently CHF 118, that is Swiss Francs, from the ISO website) and any other related standards you feel will be helpful: consider ISO27002 (more detail on the controls), ISO27005 (risk assessment) and ISO27017 (cloud security) for example. You might also want to purchase the odd book in either old-fashioned hardcopy or electronic format.
We’ve been through some of the external costs you may need to consider, but don’t underestimate the cost of the internal resources you will need to bring to bear to get to certification. People are not free and the amount of time it’s going to take your project team to get things in place must be carefully considered. Whether you need to express these internal resources in hard money terms will largely depend on your organization’s attitude to budgeting. If any of your team are contractors then it’s likely their cost will need to be included.
When trying to answer the question “how much does ISO27001 certification cost?” it’s important to keep some focus on the benefits of achieving the goal. These will mainly depend on the reasons for doing it in the first place. For example, if certification is likely to help to win more business then this may be a quantifiable benefit, based on a few reasonable assumptions. Similarly, simply staying level with the competition in an industry where ISO27001 certification has become the norm has its own benefits in terms of business survival. Taking some of the published costs of cyber attacks (for example headlines such as “Survey says the average cost of recovery from ransomware is $1m”) may also add weight to the argument for certification.
There are definitely costs associated with becoming certified to the ISO27001 standard and only your organization itself can decide whether these costs are justified by the anticipated benefits. But being clear about these costs (and of course the benefits too) from the outset will help to get management commitment to the goal and smooth the path to certification.
Written by CertiKit’s CEO, Ken Holmes CISSP, CIPP/E. Ken is an ISO27001 Lead Auditor and has helped to implement, operate and audit ISO certifications over a varied 30-year career in the Information Technology industry.
For more information on the certification process, download our free ISO27001: 10 steps to certification guide to learn: