As ISO 27001 and related attestation standards have grown in importance and popularity, so too has the cost of getting ISO 27001 certified. In July 2012, I penned a blog post in which I estimated the cost of ISO 27001 certification at that time at $48,000. Based on a quick review of the ISO 27001 projects that Pivot Point Security has done over the last year, the average is now in the $80,000 range. That is a remarkable change in a very short period of time.
Why has the cost of ISO 27001 certification gone up by about 60% in less than two years? As I see it, there are two primary reasons:
Supply and Demand. The demand for ISO 27001 and other attestations (e.g., SOC 1, SOC 2, FedRAMP) has risen dramatically with the advent of rapidly improving vendor risk management practices, combined with the escalating use of cloud-based services. And while the supply of ISO 27001 certificates is unlimited, the number of consulting companies that have the expertise to prepare you for certification and the number of registrars who can certify you is not.
This problem is further exacerbated by a shortage of qualified professionals for the consulting and certification companies to hire. Salaries for well-qualified resources have risen notably in the last few years. In fact, I would estimate that close to half of that 60% increase in consulting and certification costs in the last two years relates mostly to increased personnel costs.
Larger and more complex project scopes. ISO 27001 early adopters tended to be smaller companies driven to certification by the requirements of the larger firms they serve, and/or that recognized that an ISO 27001 certificate could be used to level the playing field against larger competitors. In our first four years of offering ISO 27001 consulting services, Pivot Point got only one firm certified that had more than 2,500 employees. We currently have five or more active projects with multi-national firms that are at least that large. I would estimate that one out of every five projects we’re now doing is notably larger than we have done over the previous five years, with some of those being as much as double the cost and scope of our typical projects.
Given that both of the above trends are continuing to build, I think the situation is going to get worse—and perhaps much worse—before it gets better. (Check back with me in June 2016 and let’s see if my crystal ball was accurate…)