When putting together a proposal to achieve certification to a standard such as ISO/IEC 27001, ISO/IEC 20000-1 or ISO 22301, one of the key items to establish is how much ISO certification actually costs. What should the budget be for the initial project, and what will it cost to maintain the certification once you have gained it? An answer to this question is often needed to get the project approved in the first place and to judge whether the expected benefits justify the outlay.
In this blog article, we examine the main items on your budget list and how they may vary.
The first thing you should spend money on is a copy of the relevant standard itself. The requirements document is a must-have; without it you cannot be sure exactly what you are trying to conform to, and the auditor will hold you to its wording, not to a summary. For each standard there are supporting codes of practice that add guidance on how to approach the requirements: for ISO/IEC 27001 there is ISO/IEC 27002, for ISO/IEC 20000-1 there is ISO/IEC 20000-2, and for ISO 22301 there is ISO 22313. Each of these is highly desirable for understanding the corresponding requirements standard. Beyond these there is a long list of other standards documents that may help to fill in gaps in areas such as risk assessment, implementation approach and scoping, depending on how much help you need and your budget.
Standards vary in price but are generally in the region of GBP 100 each and can be bought from a variety of sources, including the ISO website.
CertiKit’s Enhanced Gap Assessments are a useful alternative to purchasing the standard, and include the exact text of the standard broken down by individual requirement within a user-friendly spreadsheet. This allows you to assess every single requirement without referring back to the standard document itself. The spreadsheet is built in Microsoft Excel and includes tables and dashboards that show your status and progress in detail, making it particularly useful for reporting and audit readiness reviews.
Probably your biggest expense in real terms will be the time of existing employees, not only in putting additional procedures and controls in place but also in operating them on an ongoing basis. You can estimate this cost on an hourly or daily rate basis; it will depend on how much work is involved in getting your particular organization to the point where it conforms to your chosen standard. Some of the time may be judged to be part of existing roles and therefore not an additional cost, whilst in other cases new roles may be defined and recruited for, which can make cost estimation more straightforward. Depending on how budgets work in your organization, this cost may or may not need to be made visible at the project sign-off stage.
Training will generally fall into two main areas: external training on the standard itself and how to implement and audit it, and internal training on the new procedures, processes and controls that are put in place. Various qualifications are available relating to the standards, including Lead Auditor, Lead Implementer, Foundation and Internal Auditor, and these range from one to five days of classroom training per attendee. A web search is your best source of precise costs for these in your area. You may also decide to pursue broader industry qualifications in subjects such as information security, where the CISSP (Certified Information Systems Security Professional) and CISA (Certified Information Systems Auditor) credentials are common, or IT service management, where ITIL may be relevant. You may also need to allow for administrator training on any software tools you introduce as part of your project.
Internal training costs will depend on the degree of change to your processes and procedures and how you decide to deliver the training. This may include general awareness training and process-specific courses in areas such as change management, risk assessment and problem management.
If you decide to use consultants during your implementation then a budget will need to be set aside for this. Costs vary enormously both across and within countries depending on the company you engage and the subject of the consultancy. Rates are rarely advertised, so you will need to request quotes from several potential consultants before deciding whether this route is for you.
Using the CertiKit toolkits (available for a variety of ISO standards) will save you a lot of time and money in this area so no prizes for guessing that we recommend you invest in one of our products here. We also offer ISO27001 consultancy for those who require additional help with their ISMS.
Fairly early on you will need to assess whether the software you currently use will be sufficient in the future or whether you need to invest in licenses for software in one or more of a number of areas, including (depending on the standard you are implementing):
The various standards do not insist on software-based solutions, so in theory none of the above is necessary. Nevertheless, the project is a good opportunity to identify where software can reduce cost and improve efficiency, for example in tracking risks, actions and audit evidence.
Each standard requires regular internal audits, so you will need to create that capability if you don’t already have it. This could be by training an existing employee or by bringing in an external auditor; either way, the auditor must be independent of the area being audited and must not audit their own work in running the management system. The length of the audits will depend on the size of your organization and the scope of your management system.
Finally, we have the cost of the certification audit itself. Initial certification in fact involves two visits: a Stage One and a Stage Two. The first is often a one to two day visit to review your documentation and confirm you are ready for the main audit. The second visit is the certification audit proper and can last anywhere from a single day up to several weeks, depending on the size of your organization. Certification bodies normally calculate the audit duration using a formula based on factors such as the number of employees and the number of sites within scope. You will need to select an RCB (Registered Certification Body) and obtain a quote from them to find out the costs. Once certified, the RCB will return every year for surveillance audits, with a full recertification audit at the end of the three-year certificate cycle, so these will need to go on your list too.
It is worthwhile getting a clear idea of expected ISO certification costs as early as you can in the process so that you don’t experience any unwelcome surprises later on. Like most things, it is possible to cut your cloth according to your budget and minimize expenditure where you think appropriate. The one area where it is almost impossible to avoid costs is the certification audits themselves, but since certification is all about credibility, we suggest that using a reputable, accredited RCB is essential if anyone is to take your certificate seriously.
Editor’s note: The original post was published in December 2016, and updates have been made in February 2022 for accuracy and comprehensiveness.