Typical ISO 27001 certification costs
It is important to budget for your ISO 27001 project and take into account the costs associated with both implementation and certification.
Having prepared hundreds of businesses for ISO 27001 certification over the past 15 years, we recommend considering the following costs for your initial ISO 27001 budget.
(NB: the actual fee charged will vary according to the certification body chosen and the risk associated with your ISMS (information security management system)).
Estimated certification costs
The table below displays the recommended ISMS audit time according to the size of the organisation, as stipulated in ISO/IEC 27006:2015.
The daily audit fee will vary between certification bodies, but we estimate an average daily spend of €400 - €1250.
Number of persons doing work under the organisation’s control
|
ISMS audit time for initial audit as prescribed by ISO 27006 (audit days)
|
Minimum audit time (audit days)
|
| 1–10 |
5 |
3.5 |
| 11–15 |
6 |
4.2 |
| 16–25 |
7 |
4.9 |
| 26–45 |
8.5 |
5.9 |
| 46–65 |
10 |
7 |
| 66–85 |
11 |
7.7 |
| 86–125 |
12 |
8.4 |
| 126–175 |
13 |
9.1 |
| 176–275 |
14 |
9.8 |
| 276–425 |
15 |
10.5 |
| 426–625 |
16.5 |
11.5 |
| 626–875 |
17.5 |
12.2 |
| 876–1,175 |
18.5 |
12.9 |
| 1,176–1,550 |
19.5 |
13.6 |
| 1,551–2,025 |
21 |
14.7 |
*Please note: the information provided is for guidance purposes only and should not be taken as definitive. These costs are based on our experience and your chosen CB’s costs may differ. The above table does not include fees post the initial certification audit and are based on a positive recommendation at the Stage 2 audit.
**According to ISO 27006, the minimum audit duration may be 70 % of the recommended time as prescribed by the standard. Our figures are rounded to the nearest whole day.
Why you should only use accredited certification bodies
Certifications are only valid when assessed by a legitimate national accreditation body that is a member of the IAF (International Accreditation Forum).
The IAF website provides a comprehensive list of recognised national accreditation bodies by country. If an accreditation body is not included, this means it is not officially recognised and its certificates will have no official standing.
The certification process
The certification process starts with a review of your documentation to ensure that you have appropriately implemented the relevant controls from Annex A of ISO 27001. An on-site audit is then performed to evaluate the procedures in practice. If the certification body is satisfied that this has been adequately completed, you will be issued with your certificate. The certification process typically takes a matter of days, but this may increase depending on the size and type of organisation.
How IT Governance can help
With fixed-price packages for implementing the Standard and guidance on typical certification costs, it is now easier to calculate your budget requirements and build a business case for achieving ISO 27001 certification.
Find out more information on our fixed-price implementation solutions >>
Get certification ready with out ISO 27001 solutions.
ISO 27001 solutions
Speak to an expert
Please contact our team for advice and guidance on our ISO 27001 products and services.