It's gunna cost ya

How much does ISO 27001 cost

We look at what is the cost of ISO 27001 certification.

Ever notice how companies duck the actual question when it comes to answering how much ISO 27001 costs? Well, here are the numbers. Buckle up, because it is not cheap. Is it worth it? Most certainly. But it isn’t cheap.

Total Implementation Cost

Expect to pay £8,000 to £15,000

These are your implementation costs using our recommended approach: an experienced consultant who brings the documents, processes, intellectual property and experience of getting companies certified.

Total Certification Cost for 1 Cycle

Expect to pay £9,000 to £14,000

Your certification costs alone over 4 years, for someone to tell you that you are doing the right thing and issue that all-important certificate, are going to be between £9,000 and £14,000, roughly, for 1 cycle.

Read on for a breakdown of the costs and options.

The ISO 27001 certification cost

These are the expected costs of the certification only: just to take the test and hopefully be issued the certificate, before you consider any cost of implementation. ISO 27001 certification costs are high and can be a barrier for smaller businesses. To have any value, the certification must be an accredited certification from an accredited certification body.

The Breakdown

Year 1

expect to pay £6,000 to £8,000

For you to take the test and get the ISO 27001 certificate, you are in the region of £6,000 to £8,000 in year 1.

Years 2 / 3

expect to pay £1,500 to £3,000

Oh, they didn’t tell you they come back every year to make sure you are doing what you said you were? They do, and it will cost you anywhere between £1,500 and £3,000 for the pleasure.

Year 4

expect to pay £6,000 to £8,000

What is year 4, you ask? Well, typically every 3 to 4 years you have to fully re-certify, which means doing the whole of year 1 over again. Fun, isn’t it? So be sure to budget for it.

The ISO 27001 implementation cost

To implement ISO 27001 you have options. Remember, you have an information security management system to build and around 114 controls to implement. I have known people do it themselves with templates off the internet, but it took them a long time and a lot of pain. Here we explore the options and costs.

The Breakdown

Do it yourself

‘Free’ – expect it to cost a lot of time

The main cost of doing it yourself is going to be time. Depending on your experience and ability, there is an ISMS to build, 114 controls to implement and a lot, and we mean a lot, of documentation to write. You have the option to purchase templates from the internet, which can range from tens of pounds to hundreds of pounds, but be warned: these are generic templates that require some work and usually come with no guarantees. Your cost here is employee wage costs and opportunity costs.

Use a Consultant

expect to pay £8,000 up to £15,000

A consultant will usually specialise and come with all of the intellectual property and documents needed, as well as the implementation experience. They are going to build and deliver your information security management system. Optionally, they may take you through the certification as well. What they won’t do is implement the 114 required controls, but they can advise on the best way to do it.

Employ a Contractor

expect to pay £30,000 up to £120,000

Contractor costs are on a day rate, so this cost can soon add up. As with a consultant, the end result is the same, but the relationship is one of a contractor who will be on the project full time for anywhere from 3 months if they are good, to 6 months typically, up to 12 months if they see it as a good revenue stream for them. So expect to pay from £30,000 at the low end up to £120,000.

Employ someone full time

expect to pay £40,000 up to £120,000

Full-time employee costs are similar to the contractor costs, with the overhead of finding, training and keeping a full-time employee. Resources with relevant experience are scarce, but this is a good option for a larger or more mature business. Keeping them is another matter.

High Table ISO 27001

20+ years in companies like yours, across hundreds of ISO 27001 implementations and audits. We have your back. Proven documents and processes honed over decades of continual improvement and external ISO 27001 audits.

Author Stuart Barker - The Data Security Guy