Last Updated on June 23, 2016
As ISO 27001 and related attestation standards have grown in importance and popularity, so too has the cost of becoming ISO 27001 certified. In July 2012, I penned a blog post in which I estimated the cost of ISO 27001 certification at that time at $48,000. In June of 2014, I posted a follow-up blog on the topic, where I estimated the costs had risen to approximately $80,000 based on supply and demand and larger/more complex scopes. In that post, I posited that I expected the costs to continue rising and suggested that you check back in with me in June of 2016.
So here we are… Prices continue to escalate, and it is more challenging to estimate an "average" certification cost because the disparity in ISO 27001 scope size and complexity has grown much wider. Three factors are driving certification costs in 2016:
1) Continued Changes in Scope/Complexity
The use of ISO 27001 has changed quite a bit since I wrote that blog post in 2012. The vast majority of the early adopters were smaller firms (SMBs) with relatively simple scopes (e.g., a single product line operating at a single location), so quoting an average price was helpful. While we still work with clients whose scopes are this simple, we are also seeing ISO 27001 move into mid-sized enterprises (SMEs) and even the Global 2000, resulting in projects where dozens of services are certified across dozens of global locations. Needless to say, the costs here are significantly higher than our 2012 and 2014 estimates.
2) Rate Increases Driven by Salary Escalation
According to Robert Half International, security salaries have increased approximately 7-8% per year over the last four years. Compounded over that period, this has driven about a 30% increase in the rates that ISO 27001 consultants and ISO 27001 registrars charge.
Looking at the original scope/complexity that we estimated at $48,000 in 2012 and at $80,000 in 2014, I would estimate that it is approaching $100,000 in 2016, with most of that additional cost resulting from salary escalation. With larger, more complex scopes becoming much more common, it is not unusual to see total costs (often spread over a multi-year certification/surveillance cycle) that are notably higher.
3) The Melding of Privacy & Security
We are rapidly approaching a point where information security and privacy become indistinguishable. Moving forward, it may not be possible to be an information security professional without also being a data privacy professional. That means qualified talent will be increasingly scarce… and we all know the laws of supply and demand.