One of the (many) things I like about ISO 27001 is that the cost to maintain your ISO 27001 compliance (that is, your ISO 27001 certificate) is relatively inexpensive – especially when compared to other attestation schemes like SOC 2.
ISO 27001 Maintenance Audit Schedule
To maintain your ISO 27001 certificate you will need to have an audit conducted annually by your registrar. Your first audit is referred to as a certification audit. In years two and three your registrar will conduct a less rigorous audit, which is referred to as a “surveillance audit.” This has a positive side effect; the cost of a surveillance audit is generally around two-thirds the cost of the original certification audit.
Approximate Certification/Surveillance Audit Costs (50-person SaaS vendor with infrastructure co-located at a single data center)
ISO 27001 Compliance Costs
In practice, there are other costs that may come into play:
- Scope extension – It is not uncommon for an organization to “extend” their scope during surveillance audits to add other services or locations. Additional scope equals additional cost.
- Internal ISMS Audits – One of the ISO 27001 requirements is an annual internal ISMS audit. This can be done by internal staff or by a third-party. About two-thirds of our ISO 27001 clients ask us to conduct their internal ISMS audits at an average cost in the $7,500 range.
- Other Third-Party Testing – Many organizations use third parties to conduct vulnerability assessments and penetration tests. I generally don’t consider this as an “ISO cost” (as many companies are already doing this) but I have seen some clients do so – so I have included it here.
Once again, considering a fictitious client who asks Pivot Point Security to conduct their internal ISMS audits each year: their average yearly cost to maintain their ISO 27001 certificate (ISO 2701 compliance) is roughly $17,000. This compares favorably to the cost of a SOC 2 Audit. An approximate cost to conduct a SOC2 Type 2 audit for our fictitious client is in the $40,000 to $70,000 range (with the higher cost associated with the use of a “name brand” CPA firm). Where the difference gets more notable is that because of the “period of time” nature of the SOC 2 audit – the costs typically don’t vary much year over year.
I think the fact that it’s more comprehensive, more widely accepted internationally, and less than half the cost of SOC 2 explains why so many companies are turning to ISO 27001.