May 30, 2013

Last Updated on May 30, 2013


One of the (many) things I like about ISO 27001 is that the cost of maintaining your ISO 27001 compliance (that is, keeping your ISO 27001 certificate in good standing) is relatively low, especially when compared to other attestation schemes like SOC 2.

ISO 27001 Maintenance Audit Schedule

[Infographic: ISO 27001 Audit Cycle. An example schedule of the certification, surveillance, and re-certification audits over a multi-year cycle.]

To maintain your ISO 27001 certificate you will need to have an audit conducted annually by your registrar (certification body). Your first audit is referred to as a certification audit. In years two and three your registrar conducts a less rigorous audit, referred to as a “surveillance audit,” and in year four the cycle starts over with a full re-certification audit. This has a positive side effect: the cost of a surveillance audit is generally around two-thirds the cost of the original certification audit.

Approximate Certification/Surveillance Audit Costs (50-person SaaS vendor with infrastructure co-located at a single data center)

Year  Audit Type        Cost
1     Certification     $12,000
2     Surveillance      $7,500
3     Surveillance      $7,500
4     Re-certification  $12,000
5     Surveillance      $7,500
6     Surveillance      $7,500

In practice, there are other costs that may come into play:

  • Scope extension – It is not uncommon for an organization to “extend” its scope during a surveillance audit to add other services or locations. Additional scope means additional audit days, and therefore additional cost.
  • Internal ISMS Audits – ISO 27001 requires internal ISMS audits at planned intervals; in practice that means at least annually, since your registrar will expect to see the results at each surveillance audit. The internal audit can be done by internal staff or by a third party. About two-thirds of our ISO 27001 clients ask us to conduct their internal ISMS audits, at an average cost in the $7,500 range.
  • Other Third-Party Testing – Many organizations use third parties to conduct vulnerability assessments and penetration tests. I generally don’t consider this an “ISO cost” (as many companies are already doing this), but I have seen some clients count it as one, so I have included it here.

Consider, then, a fictitious client who asks Pivot Point Security to conduct their internal ISMS audits each year. Averaged over the three-year cycle, their registrar fees come to about $9,000 per year, and adding the $7,500 internal audit brings the average yearly cost of maintaining their ISO 27001 certificate to roughly $17,000. This compares favorably to the cost of a SOC 2 audit. An approximate cost to conduct a SOC 2 Type 2 audit for our fictitious client is in the $40,000 to $70,000 range (with the higher cost associated with the use of a “name brand” CPA firm). The difference becomes more notable over time: because a SOC 2 Type 2 report attests to controls over a period of time, the full examination has to be repeated every year, so there is no cheaper “surveillance” year and the cost typically doesn’t vary much year over year.

I think the fact that it is more comprehensive, more widely accepted internationally, and (in this example) less than half the cost of SOC 2 explains why so many companies are turning to ISO 27001.
