ISO 27001 Certification Cost Explained Simply


The complete breakdown of ISO 27001 certification costs, cost calculator and hidden fees.

ISO 27001 Certification Cost

The table below outlines the recommended ISMS audit durations based on organisation size, as per ISO/IEC 27006:2015, along with estimated certification costs.

Number of employees | Total audit days | Estimated certification body cost
1 – 10 | 5 | £5,000
11 – 15 | 6 | £6,000
16 – 25 | 7 | £7,000
26 – 45 | 8.5 | £9,000
46 – 65 | 10 | £10,000
66 – 85 | 11 | £11,000
86 – 125 | 12 | £12,000
126 – 175 | 13 | £13,000
176 – 275 | 14 | £14,000
276 – 425 | 15 | £15,000
426 – 625 | 16.5 | £17,000
626 – 875 | 17.5 | £18,000
876 – 1175 | 18.5 | £19,000
1176 – 1550 | 19.5 | £20,000
1551 – 2025 | 21 | £21,000
2026 – 2675 | 22 | £22,000
2676 – 3450 | 23 | £23,000
3451 – 4350 | 24 | £24,000
4351 – 5450 | 25 | £25,000
5451 – 6800 | 26 | £26,000
6801 – 8500 | 27 | £27,000
8501 – 10700 | 28 | £28,000
ISO 27001 Certification Costs


ISO 27001 certification costs can vary based on a number of factors. The consequences of getting these wrong means that costs can go up quickly and steeply.

The ISO 27001 certification costs are affected by

  • The size of your organisation: The bigger you are, the more the certification body will charge you. It is as simple as that. This one is outside your control or influence, but be prepared for it.
  • The scope of your ISO 27001 certification: You should spend time on defining your scope for certification including what is in scope and what is out of scope. The more that is in scope the more work you have to do and the more you need to be audited.
  • The number of locations that are in scope: Once you have defined your scope work out how many locations are included. If they are your physical locations then an auditor will need to visit them. This will incur costs. More sites, more visits, more costs.
  • The certification body you choose: Not all certification bodies are equal in what they charge. As a rule, the larger the certification body, the more they will charge. See more in the list of the best ISO 27001 certification companies.

Let us look at the typical ISO 27001 certification costs per country.

ISO 27001 Certification Cost UK

The typical cost for ISO 27001 certification in the United Kingdom (UK) is £8,000. This is the median of the small business costs. The cost of a UK ISO 27001 Certification is usually cheaper than its international counterparts.

ISO 27001 Certification Cost Australia

The typical cost of Australian ISO 27001 certification is $15,000 AUD. This is the median of small business costs.

ISO 27001 Certification Cost USA

The typical cost of USA ISO 27001 certification is $12,000. This is the median of small business costs.

ISO 27001 Cost Breakdown

There are four categories of ISO 27001 Certification costs. They are:

  1. The cost of implementing ISO 27001 and building your Information Security Management System
  2. The cost of the actual ISO 27001 Certification and taking the test
  3. The cost of running the ISO 27001 Information Security Management System
  4. The ongoing annual cost of external certification audit

Implementation Costs

Putting in place the documents, templates, policies and processes of the management system and the associated controls will take a combination of time and money. Some of the costs are known and explicit. Some of the costs are hidden and implicit.

Either you are going to pay in your time to do it yourself or in money for someone to do it for you.

The costs for implementing ISO 27001 range from a few hundred pounds to buy an ISO 27001 toolkit with step-by-step guides, to tens of thousands of pounds or dollars to get external help. The most expensive option is an ISMS Online Platform, where costs range from £10,000 to £100,000 per year.

ISO 27001 implementation costs will vary considerably depending on if you use an ISO 27001 toolkit, employ someone full time, employ a contractor or engage a consultant.

A Comparison of ISO 27001 Implementation Options and Costs

Considering the approaches of doing it yourself, engaging a consultant (High Table), employing someone or getting a contractor, let us compare typical expected costs side by side.

| Do It Yourself | Consultant | Employee | Contractor |
| circa £500 | £5k to £15k | min £40k per year | £39k to £160k |
| 30 to 90 days duration | 5 to 15 days duration | 6 to 12 months duration | 3 to 12 months duration |
| Comes with all templates, policies, guides | Comes with all templates, policies, guides | Needs to write all policies | Will write all policies |
| Track record of delivery and certification | Track record of delivery and certification | – | – |

Surveillance Audit Costs

ISO 27001 Surveillance Audits are the annual audits that are performed to maintain your ISO 27001 certification. Every year up to your recertification audit the certification body will come back and perform a mini audit to ensure that the management system is still working.

The cost of the ISO 27001 Surveillance Audit is roughly 1/3 the cost of your certification audit.

Re-Certification Audit Costs

You will do a full re-certification audit every 3 years. This is exactly the same as the ISO 27001 audit. The cost of the ISO 27001 re-certification audit is exactly the same as the ISO 27001 certification audit. You can expect to pay more due to the effects of inflation, but the cost and process are exactly the same.

  • Year 1 cost of £6,000 to £12,000
  • Year 2 and year 3 cost of £2,000 to £5,000
  • You then start the process over again and go back to Year 1.

Ongoing Costs

You would be forgiven for thinking that the costs for ISO 27001 end at certification. Sadly this is not the case. ISO 27001 is a management system that is based on continual operation and continual improvement. As a result of this there are several ongoing costs that you should consider. They include:

  • Resource cost

There are many factors to consider but in brief, if you employ someone full time expect to pay £40,000 to £60,000 per year. If you outsource it expect to pay £12,000 to £36,000 per year. If you get an existing staff member to do it expect to pay training fees for them of around £2,000 to £5,000 per year.

  • Annual recertification audit costs

To maintain the certification the certification body is going to audit you every year. It is actually a cycle of audits over 3 years but be prepared for audit costs for the next 2 years of around 33% of your year one cost. Then on the 3rd year you do the whole thing again from scratch with a full audit and at the full audit cost.

  • Annual operational costs

The ISMS and associated controls have to be operated. This will come at a cost. The cost will either be in hiring new resources or in people’s time who will be diverted from their day job to complete the mandatory tasks required.

The biggest operational cost from the perspective of the standard will be the internal audit costs. I raise this here for special consideration as this is the one area that you are likely to require specialist resource that is independent of the areas being audited. Not only does the certification body audit you but you are expected to audit yourself on an ongoing basis. You can learn more about ISO 27001 Clause 9.2 Internal Audit to understand more on the requirement and read our guide on How to Conduct an Internal Audit to see what is involved and how you can do it yourself.

Mistakes People Make

  • Not knowing what you need: The number 1 mistake most people make is not knowing what they need and what their options are. They get sucked in by fancy marketing. They believe the hype that it is hard, when in fact it is not. They accept the high prices that are bandied around without question.
  • Not shopping around: The number 2 mistake most people make is not shopping around. An accredited certification is an accredited certification. Whilst you might believe the hype that they are not in it for profit, they are. The reality is costs vary wildly. Do your research. Get at least 3 quotes. Choose the ISO 27001 Certification Body that meets your financial requirements, your values and your needs.

FAQ

What is ISO 27001 Certification?

ISO 27001 certification is the process of getting independent verification that you are meeting the requirements of the standard. The result of the ISO 27001 certification process is an ISO 27001 certificate that you can share with prospects, customers and clients.

What is the process of ISO 27001 Certification?

When you have implemented the standard, have evidence that you are operating it and have completed an internal audit, you will apply for ISO 27001 Certification. The process of ISO 27001 certification is a 2 stage process.
Stage 1 will primarily look at your documentation and management system. The output of stage 1 is a recommendation to proceed to stage 2.
Stage 2 will look at evidence of the operation of controls. The auditor will review your documents and observe your processes in action.

Do different ISO 27001 certification bodies charge different amounts?

Yes. They will tell you that they do not work on a day rate, but they do. As a result, the number of audit days will be fairly consistent between the certification bodies, but the rate they charge will differ. The product at the end, the ISO 27001 certification, is exactly the same. In fact, they often outsource the certification audit itself to a small pool of independent contractor auditors. This means that irrespective of who you pay, you can end up with the same auditor and will get the same product and the same outcomes. Get at least 3 quotes and shop around. Whilst the standard is the standard, the amount that you are quoted or charged will be different depending on the ISO 27001 certification body that you choose.

Why do different ISO 27001 certification bodies charge different amounts?

Different ISO 27001 certification bodies charge different amounts as they have different costs to account for. The amount that they pay their staff or consultants, the amount they charge for their processes, additional services that they provide, spend on marketing all contribute to the certification bodies charging different amounts.

Do ISO 27001 certification bodies use the same auditors but charge different amounts?

Yes, sometimes. The industry relies on a pool of freelance consultants to perform the ISO 27001 audits, working for multiple ISO 27001 certification bodies at the same time. Sometimes a certification body will have full time, permanent staff, usually in an attempt to reduce costs. You should ask the ISO 27001 certification body what staffing model they adopt when you engage with them.

How much do online ISO 27001 platforms cost?

On average the cost of an online ISO 27001 ISMS is between £10,000 and £100,000 per year. Expect to pay a set up fee and an ongoing maintenance fee. They are expensive and have many hidden fees.

What is an ISO 27001 consultant's day rate?

An ISO 27001 consultant day rate will range between £400 and £1,500 per day depending on experience.

How much does an ISO 27001 consultant charge?

An ISO 27001 consultant will charge between £12,000 and £60,000 per year depending on what they do for you.

What is an ISO 27001 consultant's hourly rate?

An ISO 27001 consultant's hourly rate will range from £50 per hour to £250 per hour depending on experience.

What is the cost of the ISO 27001 standard?

The actual ISO 27001 standard costs around £150. Shop around. It is also only 14 pages long.

Can I get ISO 27001 certified for free?

No.

Is it possible to download ISO 27001 for free?

No.

Where can I get free ISO 27001 templates?

There are no free ISO 27001 templates that are any good. Google is your friend but ‘buyer’ beware.

We are a small company, why does ISO 27001 cost so much?

Partly because the ISO 27001 standard has been built in such a way that it excludes small business on cost. The ‘official’ framework of certification bodies is bureaucratic and doesn’t take into account the size of your organisation. They work on audit days not company size. It is not designed to be in your favour but, as they say, it is what it is.

How should you implement ISO 27001?

It sounds simple, but work out what you actually need.
Fundamentally it will come down to your costs versus your time.

Can I get ISO 27001 certified without a consultant?

Yes, you can get ISO 27001 certified without a consultant. HighTable provide an ISO 27001 Toolkit that allows you to do it yourself. It provides all the templates you need and an easy to follow step-by-step implementation guide.

Is ISO 27001 certification a one-time cost?

No. There are many costs involved in ISO 27001 including annual audit costs and recertification costs.

How long does ISO 27001 certification take?

It varies based on how you go about it but it typically takes 3-12 months.

How can I find a reputable ISO 27001 certification body?

The list of the best ISO 27001 certification companies.

How can I reduce the cost of ISO 27001 certification?

The more that you can do yourself, the less it will cost you.

What happens after I get ISO 27001 certified?

ISO 27001 is a management system that you will continue to operate, and each year you will be audited to ensure that you are still following it.

Can you self-certify ISO 27001?

No. ISO 27001 certification must be carried out by an independent third party.

Can you fail ISO 27001 certification?

Yes, you can fail the ISO 27001 certification audit if you do not follow the ISO 27001 standard and meet its requirements.
