ISO 27001 Certification

The Rising Cost of ISO 27001 Certification

Reading Time: 2 minutes

Last Updated on June 23, 2016

As ISO 27001 and related attestation standards have grown in importance and popularity, so too has the cost of becoming ISO 27001 certified. In July 2012, I penned a blog post in which I estimated the cost of ISO 27001 certification at that time at $48,000. In June of 2014, I posted a follow-up blog on the topic, where I estimated the costs had risen to approximately $80,000 based on supply and demand and larger/more complex scopes. In that post, I posited that I expected the costs to continue rising and suggested that you check back in with me in June of 2016.
So here we are… Prices continue to escalate and it’s more challenging to estimate an “average” certification cost because the disparity in ISO 27001 scope size and complexity has gotten much wider. There are two primary factors driving certification costs in 2016:
1) Continued Changes in Scope/Complexity
The use of ISO 27001 has changed quite a bit since I wrote that blog post in 2012. The vast majority of the early adopters were smaller firms (SMBs) with relatively simple scopes (e.g., a single product line operating at a single location), so quoting an average price was helpful. While we are still working with clients with simpler scopes of this nature, we are also seeing a shift of ISO 27001 into the SME and even Global 2000 space, resulting in projects where dozens of services are being certified across dozens of global locations. Needless to say, the costs here are significantly higher than our 2012 and 2014 estimates.
2) Rate Increases Driven by Salary Escalation
According to Robert Half International, security salaries have increased approximately 7-8% per year over the last four years. This has driven about a 30% increase in the rates that ISO 27001 consulting and ISO 27001 registrars charge.
Looking at the original scope/complexity that we estimated at $48,000 in 2012 and at $80,000 in 2014, I would estimate that it is approaching $100,000 in 2016, with most of that additional cost resulting from salary escalation. With larger, more complex scopes becoming much more common, it’s not unusual to see total costs (often spread over a multi-year certification/surveillance cycle) that are notably higher.
3) The Melting of Privacy & Security
We are rapidly approaching a point where information security and privacy become indistinguishable. Moving forward, it may not be possible to be an information security professional without being a data privacy professional. That means talent will be increasingly more scarce… and we all know the laws of supply and demand.


6 thoughts on “The Rising Cost of ISO 27001 Certification”

  1. Terry says:

    I’d be curious to see how many 3rd party vendors are willing to pay for the certification if they have access to or store company confidential data. It seems that most companies are looking for vendors with ISO certification instead of sending out self assessment questionnaires of their own.

    1. Jeremy Sporn says:

      It depends on the data they are processing, the size of their clients, and the maturity of the client’s Vendor Risk Management program. If you are a SaaS selling trading software into major financials, you really don’t have much of a choice. If you’re a law firm that deals mostly with individuals and small businesses, you are not likely going to get a return on your investment based on the cost of implementing ISO-27001.

  2. Dee Chanda says:

    Hello, I have two questions:
    1) For a smaller organization that does not have the capital to pay such high costs to get certified, what would be the alternative solution?
    2) Would a consultant decrease the costs if the complexity of the organization was minimal? In this case, a small company tends to have very minimal complexity.
    Much appreciated.

    1. Jeremy Sporn says:

      The high costs are a function of the sheer amount of work that needs to be done. Unfortunately, the amount of work does not scale linearly with the size of the organization. We have helped organizations as small as 1 person and as large as 20K+ people get certified. The larger organization probably only costs 30% more to get prepared for certification. The only way to meaningfully reduce your costs is to do more of the work yourself. This can be a catch-22 if you are not really familiar with ISO-27001, as you need guidance in order to be able to do the work.
      We recently changed our “Guide” project modality to provide a lower cost, guidance focused approach. With our guide approach you end up paying for guidance and validation necessary so that you can be assured your “work” of producing the key 27001 artifacts (e.g., SOA, Risk Methodology, ISMS Manual, Policies/Standards/Procedures, etc.) will be successful.
      In this manner you can notably reduce your hard costs to become certified. Feel free to reply to this thread or email me directly with any follow-up questions. [email protected]

      1. Dee says:

        Thank you very much for your response and your advice.

  3. Hello Dude! Thank you so much for sharing the Informative Blog, It is really helpful for readers. Keep it up.
