One of the major obstacles for an organisation seeking ISO 27001 certification can be fitting it within their budget. It can seem like a daunting task to gather all the variables needed to estimate an ISO 27001 certification cost.
So how can you get a ballpark estimate for certification when there is so much potential variability? And how can you be assured the quote provided by the service suppliers is accurate? The answer is: do some homework!
Items you will need to consider are:
- The size of your organisation and the physical locations involved: Start by looking at the bigger picture.
- Define the scope of the ISO 27001 certification: If only one business function requires ISO 27001, consider limiting the initial scope. Other functions and/or locations can be added later.
- Define the controls you wish to implement within the framework for the defined scope: The beauty of ISO 27001 is that it is flexible, but be prepared to explain why a control is not required. You may have to justify this decision to an auditor!
- The current maturity level of your Information Security Management System (ISMS): Identify the gap between the current state and the desired state of the control environment.
That last point is important, and it is where an ISO 27001 Gap Analysis exercise can help. The objective of the activity is to identify the gaps in your current ISMS (assuming you have one) and what is required by ISO 27001. The exercise will look at your existing documentation, security procedures and the available skill sets.
Once you have an idea of what resources are currently available to you and what you need to do to achieve ISO 27001 certification, then you can start to estimate costs and timescales. It’s usually at this point that organisations make a commercial go/no-go decision on seeking certification.
Some companies decide to adopt ISO 27001 but not to go for certification, which I think is a mistake. Going for certification has to have top management buy-in and sponsorship. This provides the authority required to implement ISO 27001, which may require changes to current working practices and the adoption of new policies. I have seen companies who opted for implementation but not certification struggle to implement ISO 27001 due to a lack of management buy-in and authority.
With certification — consider the cost of the external audit
In addition to the costs of the ISO 27001 gap analysis exercise plus the costs of plugging the gaps to achieve ISO 27001 readiness, there is also the cost of the external audit. This is normally split into two stages: a Stage 1 Audit that addresses your ISMS documentation and its maturity and, if that is deemed to meet the requirements of ISO 27001, a Stage 2 Audit that reviews the ISMS implementation. The second stage may also involve visits to other company offices that are within the defined ISO 27001 scope.
How long will the external audit take?
This is a perfectly reasonable question to ask but the answer may surprise you! The time required for the audit is directly proportional to the number of employees in the defined ISO 27001 scope. Small companies may only require a 2- or 3-day audit while large company audits may take weeks. I should also point out that the invoice from the audit company will reflect the man hours required!
To shorten the elapsed time required for the audit it is not unusual for the audit company to deploy a team of auditors. This is worth knowing as the auditors will want to speak to management and employees during the audit so they will need to be available. If your policy is to escort visitors while they are on-site, then you may need several people to act as escorts.
Be prepared. Understand the Top 3 Areas Many Fail in an ISO 27001 Audit to ensure you aren’t missing items that will eat up the audit time.
So how much will it cost?
Unfortunately, there are just too many variables involved to be able to provide estimates. Here’s a rundown of what they are:
- The scope of the ISO 27001 certificate: This identifies the number of employees involved.
- The gap between the current ISMS and what is required by ISO 27001: You may need a company such as Risk Crew to deliver an ISO 27001 Gap Analysis exercise, but it will provide an accurate analysis of what is required to be ready for ISO 27001 certification.
- The fees charged by the certification audit companies: As I mentioned earlier, this is dependent on the headcount within the scope of the ISO 27001 certification exercise. The exact terms used by the audit company are commercially sensitive and not publicly available.
That last point is somewhat irksome. The cost isn’t a reflection of the complexity of what your organisation does or the sensitivity of the information you deal with. It’s all about how many people you have doing it.
Need help with estimating your costs?
Risk Crew ISO 27001 experts can guide you through the estimate process to develop a quote. We’ve helped many organisations from small to large achieve and successfully maintain certification.
Our ISO 27001 compliance services are delivered by certified and seasoned ISO 27001 Practitioners and Auditors who possess a host of industry-recognised information security governance, risk and compliance certifications. They consider and address all your business objectives throughout the compliance cycle.
Risk Crew offers a variety of consultancy options to help you gain and maintain ISO 27001 compliance. Find out more here or instantly download our service overview.