The cost of obtaining ISO 27001 certification can vary significantly based on several factors including the size of your organization, the complexity of your information security management system (ISMS), the geographical location, the consulting and audit services you choose, and whether you use internal resources or external consultants. Here's a general outline of the costs involved:
- Audit Costs: Typically, the certification audit itself can range from $5,000 to $35,000. For smaller organizations, this might be on the lower end, with costs around $5,000 to $10,000 for three to six audit days at roughly $1,500 per day.
- Preparation Costs: Before the audit, companies need to prepare by setting up an ISMS, conducting risk assessments, gap analyses, and implementing necessary controls. This preparation can cost anywhere from $5,000 to $75,000 or more, especially for organizations new to ISO standards or those with complex systems. This includes:
  o Consultant Fees: If you hire external consultants, you might expect costs around $30,000 or more, considering rates of $1,400 to $1,800 per day for consultancy services.
  o Internal Resources: If handled internally, the time employees spend on this process can amount to significant hidden costs once their salaries are taken into account.
- Ongoing Costs:
  o Surveillance Audits: Annual audits to maintain certification are usually less costly than the initial certification, often ranging from $5,000 to $10,000 per year.
  o Recertification: Every three years, a full recertification audit is required, which might cost about the same as the initial certification audit.
- Additional Costs:
  o Documentation and Training: Costs for purchasing ISO standards documents, security training for employees, and possibly specialized software or tools for compliance management or security enhancements.
  o Penetration Testing and Vulnerability Assessments: These can range from $2,000 for basic assessments to $5,000-$20,000 for more comprehensive penetration testing.
For a very small business or startup, the total cost might start at around $10,000, but for larger or more complex organizations, the costs can easily escalate into the six figures. Remember, these are ballpark figures, and actual costs can differ based on your specific situation and the approach you take towards certification (e.g., DIY, using software, or hiring consultants).