Update: This post below contains valuable information and pricing guidelines accurate for the date that is was published, July 26, 2012. Since then, we have published another article with updated pricing.
How Much Does ISO-27001 cost?
I spend a good percentage of my time these days talking to organizations that process data on another party’s behalf regarding ISO 27001 and other forms of “attestation” (proof that they are handling their clients’ data in a reasonable and appropriate manner). With ISO 27001 being such a hot topic and Pivot Point Security being such a strong advocate of ISO 27001, invariably the prospective client will ask; “What is the estimated cost to obtain an ISO 27001 certificate?”
The challenge with providing a ballpark cost for a 27001 certificate is that there is so much potential variability. For example:
- The size of the company and physical/logical scope of the ISO-27001 certificate
- The current maturity level of the Information Security Management System (ISMS)
- The gap between the current state and the desired state of the control environment
- The in-house capability/capacity to develop the ISMS and close the identified gaps
- How quickly the certificate is required
Nevertheless, we eventually end up with an estimate for how much ISO 27001 may cost in their particular environment. While we spend a lot of time drilling down on the areas highlighted above, we also draw extensively on experiences over the last 3 or 4 years taking clients through the certification process.
Looking across these projects an “average” customer looks about like this:
- 75 employees
- Processes sensitive data subject to PII/PHI laws regulations
- Co-locate their services at two disparate data centers
- Provides software (SaaS) integral to their service offering
- Has a control environment that, while previously subject to external review, would still be best referred to as immature and non-fully documented; i.e., a Capability Maturity Model (CMM) of 2
- Has a “CSO” that is very technical but is not well versed in ISO 27001/ISO 27002 (i.e., a CISSP rather than a CISA or CISM)
- Is experiencing pressure from clients for third party attestation – often specifically asking for ISO 27001 certification
- Needs to achieve a certificate (without overly disrupting “business as usual”) in a 12-month time frame
- Require a fair degree of ISO-27001 consulting to prep for the certification audit
Assuming the above more or less holds true, the “external” costs to become ISO 27001 certified may look as follows:
- Precertification Phase I: $20,000 (e.g., Scope Definition, Risk Assessment, Risk Treatment Plan, Gap Assessment, Phase II Remediation Plan)
- Precertification Phase II: $18,000 (e.g., Gap closure (collaboratively), registrar selection, ISMS Artifact development, Risk Management Committee, Incident Response, Internal ISMS Audit, On-site Certification Audit Support)
- Certification Audit: $10,000
- Total cost for ISO 27001 certificate: $48,000
Once you have your certificate you will require a “surveillance” audit in years 2 and 3 to maintain your certificate. You will also need to conduct an Internal ISMS Audit each year – which the “average” company usually outsources to a third party. So figure your year 2 and year 3 costs are likely to be as follows:
- Surveillance Audit: $7,500
- Internal ISMS Audit: $7,000
A word of caution – your costs may vary notably. We have clients that have spent as little as $5,000 and as much as $70,000 on pre-certification consulting. As an FYI, I used $1,500 per man-day in my estimates, as I have seen rates anywhere between $1,400 and $1,800 for a “true” ISO-27001 consultant.
Read more about ISO 27001 cost in the article, The Rising Cost of ISO 27001 Certification.
This Guide is Free to Download
ISO 27001 is manageable and not out of reach for anyone! It’s a process made up of things you already know –
and things you may already be doing.
Hi John,
why – or does the number of employees really matters? I think the ISO 27001 certification is process and not company oriented, so why does the number of employees really matters for your calculation?
Best Teona
My guess is that the number of employees gives a general indication of how complex the organization is and so it’s a general guideline on how extensive the policies will need to be.
Number of employees often gives some idea of organizational complexity and the number of people that will need to be involved in the process of building the ISMS. The cost does not increase proportionally with the number of employees (e.g., a 750 person company does not cost 10X as much as a 75 person company – its likely more like 10 – 35% more).
Youu have made some decent points there. I checked on the internet too learn more about the issue and found ost individuals will go along wioth your views on this site.
Hi Arlie,
Appreciate the kind words and verification of our information.
It would be great to update the cost estimate to reflect 2018 costs or comment on the fact they reaming the same 🙂
Hi Ann Marie,
I think an updated blog post is a great idea! In the meantime I would estimate that the $80K tag in the 2014 blog is approaching $100K. That 25% rise is largely a function of the escalation in information security salaries over the last 3 or 4 years. Thanks for stopping by and appreciate the constructive feedback.
Hi! I could have sworn I’ve been to this blog
before butt after browsing through some of the posts I realized it’s new to me.
Nonetheless, I’m certainly happy I found it and I’ll be book-marking it and checking back often!
Glad you are finding our blog so valuable and thanks for the kind words!
Hello
What is The Current Price For One Person For ISO27001
Hi ahemd, are you looking to be an ISO 27001 Certified Lead Auditor or Implementer?