One question that is often asked is “how much does ISO 27001 certification cost?” It is usually asked because senior management needs to perform a cost/benefit analysis or to calculate their return on investment (ROI).
If the decision to obtain ISO 27001 certification is a direct result of a tender or customer request, then the ROI can be a simple calculation of the cost of the contract versus the initial and on-going costs of becoming compliant. But how much does ISO 27001 certification cost? Is this a one-off cost or an on-going cost? And finally, how can a business case be built?
Firstly, it is important to understand that the “how much does ISO 27001 certification cost” question is not easily answered. Costs can be estimated based on the size and complexity of the organisation, the current maturity of its security controls and the resources available – but the estimate becomes harder once on-going costs and any external support required are taken into account. There are also the costs of the audits themselves, which the certifying body will charge for. So, what sort of budget are we typically looking at?
Smaller organisations with fewer than 500 members of staff and a handful of physical locations are likely looking at between £5,000 – £15,000 to implement an ISO 27001 compliant information security management system.
This rough estimate assumes the organisation is in a relatively mature security state, and that sufficient, competent resources are available to run and manage the information security management system. If either of these assumptions cannot be met, the cost of ISO 27001 would increase significantly and may require support from external consultants, which further increases the cost.
Larger organisations that are geographically dispersed, with many offices and a large number of employees, are likely looking at over £20,000 to implement and maintain an ISO 27001 compliant information security management system. The increased costs reflect the need for all locations to be covered by the system, the additional risks, the larger number of staff requiring training and the overall increase in complexity. The on-going costs should not be underestimated: once the system has been implemented and certified, maintaining certification is often the most costly aspect.
As previously stated, the above estimates are for guidance only and can vary greatly. Consultants used for the initial gap analysis will increase costs but also provide invaluable guidance on what the certifying body expects to see. Additionally, the lack of a competent, trained internal resource will increase costs significantly, as managing the system can be a full-time job in many organisations. So, with so many considerations, how can an accurate estimate of ISO 27001 certification costs be made? And why can’t certification-in-a-box services be used at a fraction of these estimates?
To accurately answer the “how much does ISO 27001 certification cost?” question, the organisation must first understand exactly where its current compliance gaps lie. A gap analysis should be undertaken to assess the organisation against the ISO 27001 requirements, and a remediation plan compiled.
This will give an indication of how much effort is required to fill the gaps and become compliant. Each compliance gap should be assigned a realistic timescale to remediate, along with the associated costs. For example, if a new system, process or policy is required, a cost and a timescale should be assigned to it. Once this process is complete, an overall view of the cost of ISO 27001 certification can be obtained.