Update: This post below contains valuable information and pricing guidelines accurate for the date that is was published, July 26, 2012. Since then, we have published another article with updated pricing.

How Much Does ISO-27001 cost?

I spend a good percentage of my time these days talking to organizations that process data on another party’s behalf regarding ISO 27001 and other forms of “attestation” (proof that they are handling their clients’ data in a reasonable and appropriate manner).   With ISO 27001 being such a hot topic and Pivot Point Security being such a strong advocate of ISO 27001, invariably the prospective client will ask; “What is the estimated cost to obtain an ISO 27001 certificate?”

The challenge with providing a ballpark cost for a 27001 certificate is that there is so much potential variability. For example:

• The size of the company and physical/logical scope of the ISO-27001 certificate
• The current maturity level of the Information Security Management System (ISMS)
• The gap between the current state and the desired state of the control environment
• The in-house capability/capacity to develop the ISMS and close the identified gaps
• How quickly the certificate is required

Nevertheless, we eventually end up with an estimate for how much ISO 27001 may cost in their particular environment.  While we spend a lot of time drilling down on the areas highlighted above, we also draw extensively on experiences over the last 3 or 4 years taking clients through the certification process.

Looking across these projects an “average” customer looks about like this:

• 75 employees
• Processes sensitive data subject to PII/PHI laws regulations
• Co-locate their services at two disparate data centers
• Provides software (SaaS) integral to their service offering
• Has a control environment that, while previously subject to external review, would still be best referred to as immature and non-fully documented; i.e., a Capability Maturity Model (CMM) of 2
• Has a “CSO” that is very technical but is not well versed in ISO 27001/ISO 27002 (i.e., a CISSP rather than a CISA or CISM)
• Is experiencing pressure from clients for third party attestation – often specifically asking for ISO 27001 certification
• Needs to achieve a certificate (without overly disrupting “business as usual”) in a 12-month time frame
• Require a fair degree of ISO-27001 consulting to prep for the certification audit

Assuming the above more or less holds true, the “external” costs to become ISO 27001 certified may look as follows:

• Precertification Phase I: $20,000 (e.g., Scope Definition, Risk Assessment, Risk Treatment Plan, Gap Assessment, Phase II Remediation Plan)
• Precertification Phase II: $18,000 (e.g., Gap closure (collaboratively), registrar selection, ISMS Artifact development, Risk Management Committee, Incident Response, Internal ISMS Audit, On-site Certification Audit Support)
• Certification Audit: $10,000
• Total cost for ISO 27001 certificate: $48,000

Once you have your certificate you will require a “surveillance” audit in years 2 and 3 to maintain your certificate.  You will also need to conduct an Internal ISMS Audit each year – which the “average” company usually outsources to a third party. So figure your year 2 and year 3 costs are likely to be as follows:

• Surveillance Audit: $7,500
• Internal ISMS Audit: $7,000

A word of caution – your costs may vary notably.  We have clients that have spent as little as $5,000 and as much as $70,000 on pre-certification consulting.  As an FYI, I used $1,500 per man-day in my estimates, as I have seen rates anywhere between $1,400 and $1,800 for a “true” ISO-27001 consultant.

Read more about ISO 27001 cost in the article, The Rising Cost of ISO 27001 Certification.