Assuming you are starting from scratch, you should budget carefully for your ISO 27001 certification. You will need to build a complete ISMS (information security management system), and this is no small feat. Many variables affect how much to set aside: who will run the ISMS program, the size of the organization, the number of locations and products in scope, and whether you also need to adhere to other IT security frameworks. Plan for hidden costs as well, chiefly the time and effort required of your own staff (or the known cost of hiring a consultant to guide the effort). While we can't give definitive dollar amounts, we can tell you what to consider when setting a budget. Overall outlay can start at around $50,000 (not including staff salaries) and run into six figures.
Internal audit is a required activity within an ISMS (ISO 27001 clause 9.2). Internal audits can be performed by an existing department or outsourced. When audits are performed in-house, the cost is generally absorbed into the organization's existing overhead. If the internal audit is outsourced, the cost depends on the scope, and putting the work out through an RFP process is the best way to gauge it. For the initial internal audit, performed before certification, budget anywhere from $10,000 to $20,000. Budget $8,000 to $15,000 for topic-specific ISMS audits in future years. Other hidden costs include the time the ISMS Lead spends fielding audit requests and addressing findings.
The external certification audit of the ISMS occurs in stages. Stage 1 assesses the readiness of the ISMS (chiefly a review of documentation and scope), and Stage 2 audits the implemented controls, with a successful outcome resulting in the ISO 27001 certificate. These audits are performed by an accredited certification body (the registrar's assessors), not by your internal audit function. Asking for quotes is the best way to determine the cost, but budget anywhere from $10,000 to $20,000 for the two stages combined. Hidden internal costs include the time to prepare for the audit and to field the auditor's questions and evidence requests.
Surveillance audits occur in years 2 and 3 after the initial certification. Auditors assess whether the ISMS is still operating as it did in the certification year by testing a subset of the processes and controls rather than the full set. Budget between $8,000 and $15,000 for each of these audits. Note that the certificate runs on a three-year cycle, so at the end of year 3 a full recertification audit is required, and its cost is closer to that of the initial Stage 2 audit than to a surveillance audit.
The initial certification cost, as well as the cost of maintaining the certification, is influenced by a number of factors, which is why it can be difficult to nail down an overall price tag. Factors in this price tag include:
We think investing in ISO 27001 certification makes sense if you:
We are passionate about making ISO 27001 available to organizations of all sizes. Our solution is built not only to right-size your ISMS effort, but also to reduce compliance guesswork with a library of policy templates and procedure guides. We also offer:
Evidence monitoring that alerts your process owners when compliance activities are falling behind schedule.
Risk-assessment-based gap analysis that identifies what you already have in place and can be leveraged to satisfy your Annex A / ISO 27002 controls.
Partnerships with external assessors (certification bodies) for a smooth audit experience.