Table of contents
- What is ISO 27001?
- What is ISO 27001 Certification?
- What is the process of ISO 27001 Certification?
- How much does ISO 27001 certification cost?
- What ISO 27001 Costs Are There?
- What ISO 27001 Certification costs are there?
- ISO 27001 Implementation Costs
- Online ISMS Platform Costs
- ISO 27001 Certification Audit Costs
- ISO 27001 Surveillance Audit Costs
- ISO 27001 Re-Certification Audit Costs
- How much do the ongoing annual external ISO 27001 certification audits cost?
- How much is the ongoing cost to run the ISO 27001 information security management system?
- Common ISO 27001 Cost Mistakes People Make
- What will affect your ISO 27001 certification costs?
- The ongoing costs of ISO 27001
- How should you implement ISO 27001?
- ISO 27001 Do It Yourself
- The costly mistake of not implementing ISO 27001 yourself
- Free ISO 27001 Implementation Checklist
- Free 30 minute ISO 27001 strategy session
- ISO 27001 Costs FAQ
ISO 27001 Certification Cost
You are looking to get an ISO 27001 certification because someone has asked you for it.
How much should you pay for ISO 27001 certification? Are you overpaying for ISO 27001 certification? How much does ISO 27001 certification really cost?
Some certifications are free. Others are over £20,000 all in.
To make matters even more complicated there are different ways to go about it and hundreds of providers on the market today. Trying to find the best ISO 27001 certification company without overpaying can feel like an impossible task.
Fortunately, I am going to let you in on a little secret – you do not have to overpay for ISO 27001 certification.
This guide will teach you the truth about ISO 27001 certification costs. I have identified the top costs associated with ISO 27001 certification and how to evaluate those costs as you are shopping around.
By the end of this post, you will know what you need and what you should pay for an ISO 27001 certification that meets your needs.
You must read this before you implement ISO 27001.
What is ISO 27001?
ISO 27001 is the international standard for information security. It is an information security management system that shows that you are managing your information security, have identified your risks and have implemented controls to mitigate the risks and meet business needs.
What is ISO 27001 Certification?
ISO 27001 certification is the process of getting independent verification that you are meeting the requirements of the standard. The result of the ISO 27001 certification process is an ISO 27001 certificate that you can share with prospects, customers and clients.
What is the process of ISO 27001 Certification?
When you have implemented the standard, have evidence that you are operating it and have completed an internal audit, you will apply for ISO 27001 Certification. ISO 27001 certification is a two-stage process.
Stage 1 will primarily look at your documentation and management system. The output of stage one is a recommendation to proceed to stage 2.
Stage 2 will look at evidence of the operation of controls. The auditor will review your documents and observe your processes in action.
How much does ISO 27001 certification cost?
The external costs vary depending on your size and complexity, but each of the accredited certification bodies follows guidance set down for them. The guidance provides the number of days they will take to audit you. The day rate varies between bodies, but let us look at that guidance and show estimated costs.
| Number of employees | Total Audit Days | Estimated Certification Body Cost |
| --- | --- | --- |
| 11 – 15 | 6 | £6,000 |
| 16 – 25 | 7 | £7,000 |
| 26 – 45 | 8.5 | £9,000 |
| 46 – 65 | 10 | £10,000 |
| 66 – 85 | 11 | £11,000 |
| 86 – 125 | 12 | £12,000 |
| 126 – 175 | 13 | £13,000 |
| 176 – 275 | 14 | £14,000 |
| 276 – 425 | 15 | £15,000 |
| 426 – 625 | 16.5 | £17,000 |
| 626 – 875 | 17.5 | £18,000 |
| 876 – 1175 | 18.5 | £19,000 |
| 1176 – 1550 | 19.5 | £20,000 |
| 1551 – 2025 | 21 | £21,000 |
| 2026 – 2675 | 22 | £22,000 |
| 3451 – 4350 | 24 | £24,000 |
| 4351 – 5450 | 25 | £25,000 |
| 5451 – 6800 | 26 | £26,000 |
| 6801 – 8500 | 27 | £27,000 |
| 8501 – 10700 | 28 | £28,000 |
The cost of the ISO 27001 certification audit will be in the region of £6,000 to £12,000 depending on the size of your organisation.
Cost of ISO 27001 Certification UK
The typical cost for UK ISO 27001 certification is £8,000. This is the median of the small business costs. You should speak to the certification body for a quote. The cost of a UK ISO 27001 Certification is usually cheaper than its international counterparts.
Cost of ISO 27001 Certification Australia
The typical cost of Australian ISO 27001 certification is $15,000 AUD. This is the median of small business costs.
Cost of ISO 27001 Certification USA
The typical cost of USA ISO 27001 certification is $12,000. This is the median of small business costs.
What ISO 27001 Costs Are There?
The costs for ISO 27001 fall into 3 categories.
- The cost of implementing ISO 27001
- The cost of taking the ISO 27001 Certification audit
- The cost of maintaining ISO 27001
What ISO 27001 Certification costs are there?
There are four categories of ISO 27001 Certification costs. They are:
1. The cost of the actual ISO 27001 Certification and taking the test
2. The cost of implementing ISO 27001 and building your information security management system
3. The cost of running the ISO 27001 Information Security Management System
4. The ongoing annual cost of external certification audit
ISO 27001 Implementation Costs
Putting in place the documents, templates, policies and processes of the management system and the associated controls will take a combination of time and money. Some of the costs are known and explicit. Some of the costs are hidden and implicit.
Either you are going to pay in your time to do it yourself or in money for someone to do it for you.
The costs for implementing ISO 27001 range from a few hundred pounds to buy an ISO 27001 toolkit with step by step guides, up to tens of thousands of pounds or dollars to get external help.
A Comparison of ISO 27001 Implementation Options and Costs
Considering the approaches of doing it yourself, engaging a consultant such as High Table, employing someone or getting a contractor, let us compare typical expected costs side by side.
| Do It Yourself | Consultant | Employee | Contractor |
| --- | --- | --- | --- |
| circa £500 | £5k to £15k | min £40k per year | £39k to £160k |
| 30 to 90 days duration | 5 to 15 days duration | 6 to 12 months duration | 3 to 12 months duration |
| Comes with all templates, policies, guides | Comes with all templates, policies, guides | Needs to write all policies | Will write all policies |
| Track record of delivery and certification | Track record of delivery and certification | | |
How much does it cost to build and implement ISO 27001?
ISO 27001 implementation costs range from as low as £500 if you do it yourself through to £20,000+ for a fully managed service. You should definitely shop around.
Online ISMS Platform Costs
These are by far the most significant and unnecessary cost of any ISO 27001 certification. You can read more in ISO 27001: Why You Should Use A Document Toolkit Over An Online ISMS Portal.
There are a wide variety of online ISMS platforms that offer a range of products and services. On the whole these are expensive and tailored to large, complex environments that employ a full time person to take care of information security. These are often an extra unnecessary cost that can double or even triple your ISO 27001 costs, as well as tying you into long term contracts and recurring monthly fees. It is often the case that you can engage an experienced real world consultant to take care of ISO 27001 for you for the same cost as what amounts to a document management system.
Think very carefully before you engage an online ISMS platform solution, as you will still require the skills and experience of a consultant and / or the documents and processes to operate ISO 27001.
How much do online ISO 27001 platforms cost?
On average the cost of an online ISO 27001 ISMS is between £10,000 and £20,000 per year. Expect to pay a set up fee and an ongoing maintenance fee. They are expensive and have many hidden fees.
ISO 27001 Certification Audit Costs
ISO 27001 Certification costs are set by the certification body. To have meaning you will want a UKAS accredited certification. It is worth shopping around. The UKAS website lists all the accredited bodies.
The costs vary depending on your size and the ‘risk’ the certification body assigns to your business.
For a small business, expect to pay a typical year 1 cost of £6k to £8k.
For a medium size business, expect to pay a typical year 1 cost of £12k to £18k.
You then have ongoing yearly costs.
Do different ISO 27001 certification bodies charge different amounts?
Yes. They will tell you that they do not work on a day rate, but they do. As a result, the number of audit days will be fairly consistent between the certification bodies, but the rate they charge will differ. The product at the end, the ISO 27001 certification, is exactly the same. In fact they often outsource the certification audit itself to a small pool of independent contractor auditors. This means that irrespective of who you pay, you can end up with the same auditor and will get the same product and the same outcomes. Get at least 3 quotes and shop around. Whilst the standard is the standard, the amount that you are quoted or charged will be different depending on the ISO 27001 certification body that you choose.
What can affect the ISO 27001 Certification Costs?
The ISO 27001 certification costs are affected by:
1. The size of your organisation
2. The scope of your information security management system
3. The risk that the certification body thinks your organisation is exposed to
4. The actual certification body that you choose
Why do different ISO 27001 certification bodies charge different amounts?
Different ISO 27001 certification bodies charge different amounts as they have different costs to account for. The amount that they pay their staff or consultants, the amount they charge for their processes, the additional services that they provide and their spend on marketing all contribute to the certification bodies charging different amounts.
Do ISO 27001 certification bodies use the same auditors but charge different amounts?
Yes, sometimes. The industry relies on a pool of freelance consultants to perform the ISO 27001 audits, working for multiple ISO 27001 certification bodies at the same time. Sometimes a certification body will have full time, permanent staff, usually in an attempt to reduce costs. You should ask the ISO 27001 certification body what staffing model they adopt when you engage with them.
ISO 27001 Surveillance Audit Costs
ISO 27001 Surveillance Audits are the annual audits that are performed to maintain your ISO 27001 certification. Every year up to your recertification audit the certification body will come back and perform a mini audit to ensure that the management system is still working.
The cost of the ISO 27001 Surveillance Audit is roughly 1/3 the cost of your certification audit.
ISO 27001 Re-Certification Audit Costs
You will do a full recertification audit every 3 years. This is exactly the same as the ISO 27001 certification audit, and the cost of the ISO 27001 re-certification audit is exactly the same as the cost of the ISO 27001 certification audit. You can expect to pay more due to the effects of inflation, but the cost and process are otherwise exactly the same.
How much do the ongoing annual external ISO 27001 certification audits cost?
ISO 27001 costs are annual. This is an ongoing process with ongoing costs.
- Year 1 cost of £6,000 to £12,000
- Year 2 and year 3 cost of £2,000 to £5,000
- You then start the process over again and go back to Year 1.
How much is the ongoing cost to run the ISO 27001 information security management system?
There are many factors to consider but in brief, if you employ someone full time expect to pay £40,000 to £60,000 per year. If you outsource it expect to pay £12,000 to £36,000 per year. If you get an existing staff member to do it expect to pay training fees for them of around £2,000 to £5,000 per year.
Common ISO 27001 Cost Mistakes People Make
Not knowing what you need
The number 1 mistake most people make is not knowing what they need and what their options are.
They get sucked in by fancy marketing.
They believe the hype, that it is hard, when in fact it is not.
They accept the high prices that are bandied around without question.
Not Shopping Around
The number 2 mistake most people make is not shopping around.
An accredited certification is an accredited certification.
Whilst you might believe the hype that they are not in it for profit, they are.
The reality is costs vary wildly.
Do your research.
Get at least 3 quotes.
Choose the ISO 27001 Certification Body that meets your finance requirements, your values and your needs.
To get the ISO 27001 certification you must become ISO 27001 certified. To be ISO 27001 certified you must pass an ISO 27001 audit, which to all intents and purposes is a test. The test comes at a cost.
What will affect your ISO 27001 certification costs?
ISO 27001 certification costs can vary based on a number of factors. The consequence of getting these wrong is that costs can go up quickly and steeply.
The scope of your ISO 27001 certification
You should spend time on defining your scope for certification including what is in scope and what is out of scope. The more that is in scope the more work you have to do and the more you need to be audited. Read our How to Define ISO 27001 Scope as a guide.
The size of your organisation
The bigger you are, the more the certification body will charge you. It is as simple as that. This one is outside your control or influence, but be prepared for it.
The number of locations that are in scope
Once you have defined your scope work out how many locations are included. If they are your physical locations then an auditor will need to visit them. This will incur costs. More sites, more visits, more costs.
The certification body you choose
Not all certification bodies are equal in what they charge. As a rule, the larger the certification body, the more they will charge.
The cheapest, most cost effective way for a small business to implement ISO 27001 and get ISO 27001 certification is to do it yourself. Most small businesses just do not realise that it is an option. It is.
It is not hard.
It is not complicated.
The ongoing costs of ISO 27001
You would be forgiven for thinking that the costs for ISO 27001 end at certification. Sadly this is not the case. ISO 27001 is a management system that is based on continual operation and continual improvement. As a result of this there are several ongoing costs that you should consider. They include:
Annual recertification audit costs
To maintain the certification the certification body is going to audit you every year. It is actually a cycle of audits over 3 years but be prepared for audit costs for the next 2 years of around 25% of your year one cost. Then on the 3rd year you do the whole thing again from scratch with a full audit and at the full audit cost.
Annual operational costs
The ISMS and associated controls have to be operated. This will come at a cost. The cost will either be in hiring new resources or in people’s time who will be diverted from their day job to complete the mandatory tasks required.
The biggest operational cost from the perspective of the standard will be the internal audit costs. I raise this here for special consideration as this is the one area that you are likely to require specialist resource that is independent of the areas being audited. Not only does the certification body audit you but you are expected to audit yourself on an ongoing basis. You can learn more about ISO 27001 Clause 9.2 Internal Audit to understand more on the requirement and read our guide on How to Conduct an Internal Audit to see what is involved and how you can do it yourself.
How should you implement ISO 27001?
It sounds simple but work out what you actually need.
Fundamentally it will come down to your costs versus your time.
ISO 27001 Do It Yourself
The most cost effective way to get ISO 27001 is to do the implementation yourself and get specialist help on the areas where you get stuck. The costs of doing it yourself start at around £500, and the cost of a consultant on demand ranges from £750 to £1,000 per day.
Stop spending £10,000s on consultants and online ISMS tools.
The costly mistake of not implementing ISO 27001 yourself
I am not saying that consultants, contractors or full time employees do not have their place.
If you use a contractor or a full time employee the costs can soon mount up. The main reason being that you are paying for their time irrespective of the outcome. We often see projects that should take 10 days stretch to 3, 6 and even 12 months.
Of the options for getting help, it is our experience that working with a consultant on a fixed price basis is the most cost effective way to implement ISO 27001. The benefits are:
- Fixed and known cost
- Often includes all required documentation and policies
Free ISO 27001 Implementation Checklist
To give you a head start and help you understand what is involved, I am going to provide you here with a free ISO 27001 implementation checklist. This is both a free ISO 27001 checklist Excel sheet that you can use practically, with simple step by step instructions, and a free ISO 27001 checklist PDF.
Free 30 minute ISO 27001 strategy session
I know it can be daunting and no doubt you still have questions. To help navigate the minefield and offer practical answers to questions with practical guidance, I offer a free 30 minute ISO 27001 strategy session. Just click on the link below.
ISO 27001 Costs FAQ
An ISO 27001 consultant will charge between £12,000 and £60,000 per year depending on what they do for you.
An ISO 27001 consultant day rate will range between £400 and £1,500 per day depending on experience.
An ISO 27001 consultant's hourly rate will range from £50 per hour to £250 per hour depending on experience.
The actual ISO 27001 standard costs around £150. Shop around. It is also only 14 pages long.
There are no free ISO 27001 templates that are any good. Google is your friend but ‘buyer’ beware.
Partly because the ISO 27001 standard has been built in such a way that it excludes small business on cost. The ‘official’ framework of certification bodies is bureaucratic and doesn’t take into account the size of your organisation. They work on audit days not company size. It is not designed to be in your favour but, as they say, it is what it is.