Typical ISO 27001 certification costs

When budgeting for an ISO 27001 project, it’s important to consider certification costs as well as the actual cost of implementing the Standard.

Having prepared hundreds of organisations for ISO 27001 certification over the past 15 years, IT Governance suggests you budget the following amounts to cover the cost of the initial certification audit – there will be further audit costs over the three-year certification period.

The actual fee charged will depend on the certification body (CB) you appoint and the risk it associates with your information security management system (ISMS), but you can use the following table as a guide*:

Estimated ISO 27001 certification costs

The table below displays the recommended ISMS audit time according to the size of the organisation, as stipulated in ISO/IEC 27006:2015.

The daily fees of an audit will vary between CBs, but we estimate an average daily fee of €750–€1,400.

Number of persons doing work under the organisation’s control

ISMS audit time for initial audit as prescribed by ISO 27006 (audit days)

Minimum audit time (audit days)

1–10 5 3.5
11–15 6 4.2
16–25 7 4.9
26–45 8.5 5.9
46–65 10 7
66–85 11 7.7
86–125 12 8.4
126–175 13 9.1
176–275 14 9.8
276–425 15 10.5
426–625 16.5 11.5
626–875 17.5 12.2
876–1,175 18.5 12.9
1,176–1,550 19.5 13.6
1,551–2,025 21 14.7

*Please note: the information provided is for guidance purposes only and should not be taken as definitive. These costs are based on our experience and your chosen CB’s costs may differ. The above table does not include fees post the initial certification audit and are based on a positive recommendation at the Stage 2 audit.

**According to ISO 27006, the minimum audit duration may be 70 % of the recommended time as prescribed by the standard. Our figures are rounded to the nearest whole day.

Why you should only use accredited certification bodies

It is vital that the certification body you use is properly accredited by a recognised national accreditation body that is a member of the International Accreditation Forum (IAF).

The IAF website carries a full list of recognised national accreditation bodies by country, from which it is easy to identify whether or not a particular organisation has been officially accredited. If you can’t find an accreditation organisation on this list, you can safely assume that it is not an officially recognised accreditation body and that any ‘certificates’ issued under its aegis will have no official standing in any country in the world.

The certification process

The certification body will first review your documentation (including the scope of the ISMS, risk assessment and treatment documents, and Statement of Applicability (SoA)) and check that you have implemented appropriate controls from Annex A. It will then carry out a site audit to see the procedures in practice. If it is satisfied of successful implementation, the certification body will then issue your certificate. The time period for the certification process inevitably varies depending on the size and type of the organisation, but typically takes days rather than weeks.

How IT Governance can help

With fixed-price packages for implementing the Standard and guidance on typical certification costs, it is now easier to calculate your budget requirements and build a business case for achieving ISO 27001 certification.

Find out more information on our fixed-price implementation solutions >>

Get certification ready

ISO 27001 solutions

Speak to an expert

Please contact our team for advice and guidance on our ISO 27001 products and services.