One question we are often asked is the cost of ISO 27001 certification, and it is something that companies should bear in mind when considering whether to invest in the information security certification journey.
ISO 27001 – Information Security, cybersecurity and privacy protection
Let us first understand a little about the standard. The most recent iteration of the standard was released in October 2022, and ‘specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system’. Certification to this standard demonstrates that an organisation is taking steps to implement and maintain an effective information security regime.
It should be noted, however, that certification does not mean that everything is safe and secure, or that information security breaches and incidents will not occur. It means that the organisation is doing what it can to address what it has identified as risks, having done some form of cost-benefit analysis in deciding what risk mitigation to implement. The organisation will also have put in place a method for dealing with information security incidents, both in terms of reporting them and investigating their root causes!
ISO 27001 – Auditing Cost for Certification
The first costs to consider are the audit costs charged by the certification body. These will be fully dependent on the size of your organisation and the number of sites that you have. There will be little ‘wiggle room’ or negotiating power over the quoted number of days, as the number of days required is established in ISO 27006. All your sites that are in scope will need to be visited, adding further cost. However, if you have an integrated management system, you may be able to combine audits for other standards, thus reducing auditor time.
It is worth noting that any quote will include report-writing time, so it may not be just time that the auditor is on site that you are paying for!
The certificate lasts for three years. However, audits happen yearly! Each year you will need a surveillance audit. These surveillance audits will generally be shorter, as the areas to be audited are spread over the three-year period to ensure that all aspects of the management system, as well as all areas of the business, have been audited at least once over that time.
Where you have multiple sites, the ongoing audit load will be spread so that the sites are visited in turn over the three-year period.
To give an example, a small organisation of a dozen staff working for a small tech start-up could well need 2-3 days for the initial audit, and then an annual requirement of another day a year. If there are any issues at one of the audits, there may be a suggestion of increasing the audit frequency to six-monthly.
To add further cost, the auditing body will also charge for their auditor's travel costs, may charge a regular ‘management fee’ and will usually only charge for full days. Oh, and if there are any non-conformities that require additional visits, these will also be charged.
It is worth pointing out here that these comments are based on the use of accredited certification bodies, such as those approved by UKAS for UK-based auditors. There are others that may be cheaper, but we would always recommend the use of accredited certification bodies.
However, any organisation that is contemplating ISO 27001 certification must be aware of the substantial cost, particularly for time, but also for other resources. This will include:
- Time to develop the management system and related documentation
- Resources to implement the information security risk treatments that have been identified
- Time and resources to ensure that improvement actions are investigated and implemented
- Time for monitoring and maintaining the management system
- Time and resources for monitoring the performance measures
- Time, particularly from management, for issues such as Management Review
- Time and resources for staff training and awareness
- Time and resources to enable the competency requirements for those required to manage the ISMS
- Time and resources for internal audit; smaller organisations will often have to consider external resource for this to ensure objectivity and independence
This is not an exhaustive list, but it is intended to give some idea of the level of commitment that an organisation must make before commencing the journey to ISO 27001 certification. Given that Clause 5 of ISO 27001 requires that top management shall ensure that ‘the resources needed for the information security management system are available’, it is hoped that this short blog gives an idea of what that may entail.