How Much Does ISO-27001 cost?
I spend a good percentage of my time these days talking to organizations that process data on another party’s behalf regarding ISO 27001 and other forms of “attestation” (proof that they are handling their clients’ data in a reasonable and appropriate manner). With ISO 27001 being such a hot topic and Pivot Point Security being such a strong advocate of ISO 27001, invariably the prospective client will ask; “What is estimated cost to obtain an ISO 27001 certificate?”
The challenge with providing a ballpark cost for a 27001 certificate is that there is so much potential variability. For example:
- The size of the company and physical/logical scope of the ISO-27001 certificate
- The current maturity level of the Information Security Management System (ISMS)
- The gap between the current state and the desired state of the control environment
- The in-house capability/capacity to develop the ISMS and close the identified gaps
- How quickly the certificate is required
Nevertheless, we eventually end up with an estimate for how much ISO 27001 may cost in their particular environment. While we spend a lot of time drilling down on the areas highlighted above, we also draw extensively on experiences over the last 3 or 4 years taking clients through the certification process.
Looking across these projects an “average” customer looks about like this:
- 75 employees
- Processes sensitive data subject to PII/PHI laws regulations
- Co-locate their services at two disparate data centers
- Provides software (SaaS) integral to their service offering
- Has a control environment that, while previously subject to external review, would still be best referred to as immature and non-fully documented; i.e., a Capability Maturity Model (CMM) of 2
- Has a “CSO” that is very technical but is not well versed in ISO 27001/ISO 27002 (i.e., a CISSP rather than a CISA or CISM)
- Is experiencing pressure from clients for third party attestation – often specifically asking for ISO 27001 certification
- Needs to achieve a certificate (without overly disrupting “business as usual”) in a 12-month time frame
- Require a fair degree of ISO-27001 consulting to prep for the certification audit
Assuming the above more or less holds true, the “external” costs to become ISO 27001 certified may look as follows:
- Precertification Phase I: $20,000 (e.g., Scope Definition, Risk Assessment, Risk Treatment Plan, Gap Assessment, Phase II Remediation Plan)
- Precertification Phase II: $18,000 (e.g., Gap closure (collaboratively), registrar selection, ISMS Artifact development, Risk Management Committee, Incident Response, Internal ISMS Audit, On-site Certification Audit Support)
- Certification Audit: $10,000
- Total cost for ISO 27001 certificate: $48,000
Once you have your certificate you will require a “surveillance” audit in years 2 and 3 to maintain your certificate. You will also need to conduct an Internal ISMS Audit each year – which the “average” company usually outsources to a third party. So figure your year 2 and year 3 costs are likely to be as follows:
- Surveillance Audit: $7,500
- Internal ISMS Audit: $7,000
A word of caution – your costs may vary notably. We have clients that have spent as little as $5,000 and as much as $70,000 on pre-certification consulting. As an FYI, I used $1,500 per man-day in my estimates, as I have seen rates anywhere between $1,400 and $1,800 for a “true” ISO-27001 consultant.
JUL
A Best-Practices Guide to Information Security Attestation
Risky Business Blog
Techno Blog
In The News
RSS Feed
About the Author:
John Verry (CISA, 27001 Certified Lead Auditor, CCSE, CRISC) is Pivot Point's resident "Security Sherpa". He is lucky enough to spend most of his day helping clients develop a road map to address security, compliance, and attestation requirements.