April 17, 2024

Last Updated on April 18, 2024

It is incredible how fast time flies when you are having fun. In 2012, I authored the first iteration of this blog post on the cost of getting certified to ISO 27001:2005. In 2014, we posted an update to reflect the rapidly rising certification cost.

A decade has passed, and we are long overdue for a fresh look at this topic.

Variables impacting your ISO 27001 certification cost

One thing hasn’t changed since 2012: Providing a ballpark cost for an ISO 27001 certificate is still challenging because there is so much potential variability. The predominant factors remain:

  • The company’s size and physical/logical scope of the ISO 27001 certificate.
  • The current maturity level of the information security management system (ISMS).
  • The gap between the current state and the desired state of the control environment.
  • The in-house capability/capacity to develop the ISMS and close the identified gaps.
  • How quickly the certificate is required.

For 2024, I need to add one more bullet to that original list from 2012:

  • Other regulatory and contractual obligations.

Two progressing market factors have been expanding ISO 27001 scopes, making that new bullet necessary:

  1. In 2024, it is increasingly rare that a customer does not need to conform to multiple standards or regulations (e.g., CMMC, TISAX, GDPR/CCPA, ISO 27701 (privacy), ISO 42001 (AI)), which we often address as part of the same engagement.
  2. Vendor risk management due diligence has intensified, and client contractual obligations are increasingly more robust and prescriptive (e.g., OWASP ASVS testing, client data segregation, CIS Benchmark compliance, etc.).

The “average” ISO 27001 customer size is also changing

It’s helpful to posit an “average” business seeking ISO 27001 certification to help you guesstimate where you fall within a cost range.

In 2012, I defined the “average” CBIZ Pivot Point Security customer as:

  • 75 employees.
  • Processes sensitive data subject to PII/PHI laws and regulations.
  • Co-locates its services at two disparate data centers.
  • Provides software (SaaS) integral to their service offering.
  • Has a control environment that, while previously subject to external review, would still be best referred to as immature and not fully documented, i.e., a Capability Maturity Model (CMM) of 2 or lower.
  • Has a “Chief Security Officer” (CSO) who is very technical but is not well versed in ISO 27001/ISO 27002 (i.e., a CISSP rather than a CISA or CISM).
  • Is experiencing pressure from clients for third-party attestation, with many being specifically asked for ISO 27001 certification.
  • Needs to achieve a certificate (without overly disrupting “business as usual”) in a 12-month timeframe.
  • Requires a fair degree of ISO 27001 consulting to prepare for the certification audit.

Twelve years later, a few things have changed:

  • The average customer is closer to 300 employees. We still have many small ISO 27001 clients (e.g., 40 employees or less), but we now also have many clients with thousands of employees. Larger clients process more data, have more robust controls, have more committees and personnel in scope, and have more significant regulatory and contractual obligations. All these factors drive the average cost higher.
  • In 2012, co-location was the prevalent model. Today, many of our ISO 27001 clients are SaaS or technology platform providers, and most have moved to cloud-native applications and Agile-based development pipelines. Many are also integrating AI. This model shift has altered costs for many engagements.
  • Increasingly, organizations are being asked to include multiple locations in their ISMS audit scope, which increases the average cost.
  • Most customers now want to get ISO 27001 certified in a shorter timeframe.

More new ISO 27001 certification cost impacts

A few other things have changed since 2012 that impact the cost of getting certified:

  • There are many more ISO 27001 knowledgeable cyber professionals today than 12 years ago, which has helped reduce cost escalation.
  • A 2012 dollar is now $1.35. So, inflation alone accounts for 35% of any increase in average costs.
  • Cyber risk is about 77 times higher today than in 2012. (ChatGPT says the total cost of cybercrime has risen from $110 billion to $8.44 trillion in that time—and yes, I am aware of hallucination risk :>) A robust ISO 27001 cybersecurity program is therefore “worth more” today than in 2012, and companies are willing to pay a premium to ensure their program is built and operated optimally.
  • In 2012, there was a minimal cybersecurity talent shortage. In 2024, we are millions of professionals short, hindering about 67% of organizations. This dynamic has escalated cyber industry salaries beyond inflation. I could not find definitive statistics, but I estimate the increase to be around 50%. This and inflation significantly impact the average ISO 27001 certification cost.

ISO 27001 certification cost ranges for 2024

How does all the above net out? Here is a 2024 breakdown of ISO 27001 certification costs based on these representative starting points:

  • Company A is a 100-employee logistics company that only needs ISO 27001 at a single location.
  • Company B is a 600-employee SaaS provider that needs ISO 27001 and ISO 27701 at a single location.
  • Company C is a 7,000-employee manufacturing firm that needs ISO 27001 at 12 locations and wants to use the engagement to prepare for eventual CMMC and TISAX certifications.

| | Company A | Company B | Company C |
|---|---|---|---|
| Precertification Phase I (e.g., scope definition, risk assessment, risk treatment plan, gap assessment, Phase II remediation plan) | ~$30 – 40K | ~$45 – 60K | ~$50 – 70K |
| Precertification Phase II (e.g., gap closure (collaboratively), registrar selection, ISMS artifact development, risk management committee, incident response, internal ISMS audit, onsite certification audit support) | ~$20 – 50K | ~$30 – 65K | ~$45 – 100K |
| Certification audit by registrar (Year 1) | $20 – 30K | ~$35 – 55K | ~$30 – 50K |
| Total | $70 – 120K | $110 – 180K | $125 – 220K |
| Surveillance audit (Year 2 & Year 3) | $10 – 15K | $17 – 30K | $15 – 30K |

Comparing 2024 versus 2012 costs

Given the changes over the last 12 years outlined above, comparing ISO 27001 certification costs is virtually impossible. (To view the 2012 cost estimate data, click here.)

Looking at Company A, for instance, the cost of ISO 27001 certification has increased by roughly 75%. Given that human resource costs are up 50%-plus, the price of the insurance and technology necessary to deliver the services is up 35%-plus, technical complexity is more significant, timelines are shorter, and regulatory/contractual obligations are higher, that number (unfortunately) makes sense.

A word of caution: Your costs may vary notably. Chat with us and others before developing a budget. Roughly 75% of our projects fall in the above ranges. Some fall under the range, often because the security program is already mature, the company has an internal audit team, or they can do more remediation in-house. Some end up over the range, usually because the number of locations being certified is high, compliance/certification with multiple standards is required, or significant changes to the cybersecurity and privacy programs are needed.