How much does ISO 27001 certification cost?

You should budget carefully for your ISO 27001 certification. Building a complete information security management system (ISMS) is no small feat. Many variables determine cost, including who will run the ISMS program, the size of the organization, the number of locations and products in scope, and adherence to other IT security frameworks. You should also plan for hidden costs: the time and effort your own staff will have to put in.

While we can't give definitive dollar amounts, we can tell you what to consider when setting aside a budget. Overall outlay can start at around $50,000 (not including staff salaries) and run into six figures.

An internal audit is a required activity within an ISMS. Internal audits can be performed by an existing department or outsourced. When audits are performed in house, the cost is generally absorbed as a built-in cost of the organization. If the internal audit is outsourced, the cost depends on the scope, and putting the work out through an RFP process is the best way to gauge it. For an initial internal audit, prior to certification, budget anywhere from $10,000 to $20,000. Budget $8,000 to $15,000 for topic-specific ISMS audits in future years. Other hidden costs include the time the ISMS lead spends fielding audit requests and addressing findings.

Cost of the initial external audit

An external audit of the ISMS occurs in stages. Stage 1 assesses the readiness of the ISMS, and Stage 2 audits the controls with the goal of ISO certification. These audits are performed by an assessor or certification body. Asking for quotes is the best way to determine the cost, but budget anywhere from $10,000 to $20,000. Hidden internal costs include the time needed to prepare for the audit and to field the auditor's questions and requests.

Cost of surveillance audits

Surveillance audits occur in years two and three after the initial certification. Auditors assess whether the ISMS is still operating as it did in the certification year by testing a subset of processes. Budget between $8,000 and $15,000 for each of these audits.

Both the initial certification cost and the cost of maintaining a certification are influenced by a number of factors, which is why it can be difficult to nail down an overall price tag. These factors include:

  • The organization’s employee headcount (which speaks somewhat to its level of maturity)
  • The number of locations or sites in scope and where they are located geographically (although during the COVID pandemic, travel costs have been dramatically reduced)
  • The activities and data that are in scope
  • The maturity level of existing information security practices
  • Third parties or outsourced activities that are in scope, such as cloud providers or outsourced network expertise
  • Adherence to other frameworks

We think investing in an ISO 27001 certification makes sense in the following circumstances:

  • You want a leg up on your competition. Being ISO 27001 certified can be a differentiator.
  • You operate outside of the United States. ISO 27001 is an internationally recognized certification.
  • You want to instill a culture of security across the organization because you handle sensitive or confidential data.

How Strike Graph can help

We are passionate about making ISO 27001 accessible to organizations of all sizes. Our solution is built specifically to right-size your ISMS efforts and comes with a library of policy templates and procedure guides to take the mystery out of compliance.

We also offer:

  • Evidence monitoring that lets your process owners know when compliance activities may be falling behind

  • Risk-assessment-based gap analysis to identify what you already have in place that can be leveraged for your Annex A/ISO 27002 controls

  • Partnerships with external assessors for a smooth audit experience
