Get in touch

Get in touch

  • This field is for validation purposes and should be left unchanged.

Privacy Notice


When you submit an enquiry via our website, we use the personal data you supply to respond to your query, including providing you with any requested information about our products and services. We may also email you several times after your enquiry in order to follow up on your interest and ensure that we have answered your it to your satisfaction. We will do this based on our legitimate interest in providing accurate information prior to a sale. Your enquiry is stored and processed as an email which is hosted by Microsoft within the European Economic Area (EEA). We keep enquiry emails for two years, after which they are securely archived and kept for seven years, when we delete them.

Reveal Menu

How Much Does ISO Certification Cost?



When putting together a proposal to achieve certification to a standard such as ISO27001, ISO20000 or ISO22301, one of the key items of information needed is cost. What should the budget be set at for the initial project and what will it cost to maintain the certification once we’ve gained it? An answer to this question may be needed to get the project approved in the first place and to judge whether the expected benefits are justified. In this blog article, we examine the main items on your budget list and how they may vary.

Screen Shot 2015-08-26 at 15.04.05

Standards Purchase

The first thing you should look to spend money on is a copy of the relevant standard itself. The requirements document is a must-have, otherwise you won’t be sure exactly what it is you’re trying to achieve conformance to. For each standard there are a number of supporting codes of practice which can add to your knowledge of how to approach the requirements. For ISO/IEC 27001 there is ISO/IEC 27002, for ISO/IEC 20000 Part 1 there is Part 2 and for ISO22301 there is ISO22313. Each of these is highly desirable for understanding each of the relevant requirements standards. Beyond these there is a long list of other standards documents that may help to fill in the gaps in areas such as risk assessment, implementation approach, scope and many more, depending on how much help you need and your budget.

Standards vary in price but are generally around GBP 100 or so and can be bought from a variety of sources, often the cheapest being the ISO website itself.

Internal Resources

Probably your biggest expense in real terms will be the time of existing employees, not only in putting additional procedures etc. in place but also perhaps in running them on an ongoing basis. You could estimate this cost on an hourly or a daily rate basis and it will depend upon how much work is involved in your particular organization to get to the point where it is conformant with your standard of choice. Some of the time may be judged to be part of existing roles and therefore not an additional cost, whilst in some cases new roles may be defined and recruited to, possibly making cost estimation more straightforward. Depending on how budgets work in your organization, this cost may or may not be required to made visible at the project signoff stage.


Training will generally fall into two main areas; external training on the standard itself and how to implement and audit it, and internal training on the new procedures, processes and controls that are put in place. Various qualifications are available relating to the standards, including Lead Auditor, Lead Implementer, Foundation and Internal Auditor and these will vary from one to five days of classroom training per attendee. A Google search is your best source of precise costs for these in your area. You may decide to pursue specific industry qualifications in subjects such as information security where the CISSP (Certified Information Security Systems Professional) and CISA (Certified Information Systems Auditor) badges are quite common, or IT service management where ITIL may be relevant. You may also need to allow for admin courses in any software tools you put in as part of your project.

Internal training costs will depend upon the degree of change to your processes and procedures and how you decide to deliver it. This may include awareness training and process specific courses in areas such as change management, risk assessment and problem management.

External Resources

If you decide to use consultants during your implementation then a budget will need to be set aside for this. Costs vary enormously both across and within countries depending on the company you engage and the subject of the consultancy. Rates are rarely advertised so you will need to request a quote from some potential consultants before deciding if this is for you.

Using the CertiKit toolkits will save you a lot of time and money in this area so no prizes for guessing that we recommend you invest in one of our products here.


Fairly early on you will need to assess whether the software you currently use will be sufficient in the future or whether you need to invest in licenses for software in one or more of a number of areas, including (depending on the standard you are implementing):

  • IT service management system
  • Log management
  • Risk management
  • Document management
  • Mobile device management
  • Data classification
  • Data loss prevention
  • Encryption
  • Backup management
  • Intrusion detection and prevention

The various standards do not insist on software-based solutions so in theory none of the above is necessary, but it may be a good time to identify where software can help to reduce cost and improve effectiveness in any number of areas.

Internal Auditing

Each standard has a requirement to conduct regular internal audits so you will need to create that capability if you don’t already have it. This could be by retraining an internal employee or by bringing in someone from outside, as long as they aren’t involved in the running of your management system. The length of the audits will depend on the size of your organization and the scope of your management system.

Certification Audits

Finally we have the cost of the certification audit itself. In fact at first there are two visits – a Stage One and a Stage Two. The first is often a 1-2 day visit to go through the main points and inspect your documentation. The second visit is the actual certification audit and can last anywhere from a single day up to several weeks depending on how big your organization is. Often a formula is used to calculate this which is based on a combination of factors including the number of employees and number of sites. You will need to select an RCB (Registered Certification Body) and get a quote from them to find out costs. Once certified, the RCB will come back every year for surveillance audits so these will need to go on your list too.

In Summary

It’s worthwhile getting as clear an idea of likely costs as early as you can in the certification process so that you don’t experience any unwelcome surprises later on. Like most things, it’s possible to cut your cloth according to your budget and minimize expenditure where you think appropriate. The only area where it’s almost impossible to avoid costs is in the certification audits themselves but since this is all about credibility we suggest that the use of a reputable RCB is essential if anyone is to take your certification seriously.

Over 3000 businesses have purchased our toolkits


Compared to competing toolkits, your ISO27001 document structure was very good. The provided "Introduction" of each was useful (I have moved those out of the core documents and into a more comprehensive manual) for the general audience vs security staff. The inclusion of references to 27017 and 27018 were appreciated. You provided more "ISMS-C" oriented artefacts than competitors.

Trusted By Design Inc.

View all Testimonials