What does ISO 27001 certification cost? That is typically one of the first questions we get from clients and it is of course a reasonable question to ask. The question is unfortunately not always that straight forward to answer. It all depends. Let me try to break it down into the various budget groups.

The foundation for ISO 27001 is your risk assessment and then your statement of applicability (SoA) and risk treatment plan. This is where you decide what controls you need to put in place. Depending on this there might be controls that are already in place (zero cost) and there might be controls that needs to be designed and implemented. There is a cost associated with this but until you have decided on the control and how to mitigate the risk you are not able to budget for the cost. For example it might be that all of your 25 employees need to receive awareness training on your information security policy at a cost of say £6000 in internal employee time or it might be that you want to buy a software solution that will help you manage and deploy security patches to your 1500 servers in your data centre at the cost of say £45000. You get the picture. This also hints at the quite natural cost variable that has to do with the size of the organisation, the complexity of the organisation, the geographical scope, the scope of the ISMS, the technology already used, etc.

To be successful with ISO 27001 design and implementation ISO 27001 should be treated as a project and hence there will be cost associated with this such as a project manager. Perhaps you have someone in the organisation that has ISO 27001 experience as well as project management experience or perhaps you are looking at getting external assistance. In whatever case there is a cost, either internal employee time or external consulting assistance (or both in many cases). ISO 27001 is however not just done by having a project manager and a consultant. Involvement of employees is also a must so this means cost in employee time doing training, risk assessment, writing documentation, reviewing documentation, etc.

Finally if you want external certification there is a cost associated with the certification body (CB). Again the cost here depends on the CB and the size of the organisation and scope of the ISMS but will probably be in the region of 5 - 20 man days.

So what does it all add up to? Well assuming a company with 25 employees, operating in the UK, using external consultant assistance, wanting external certification, for a one year ISO 27001 project the cost (including internal employee time) could be anywhere between £10000-£25000 in my experience.

BUT what does it cost if you don't implement ISO 27001? Well if you do ISO 27001 correctly it will be a management system that will give you a more efficient operation, it will give you an edge over the competitors who do not have ISO 27001 and it will enable you to participate in bids where ISO 27001 is required. Again if you design and implement a good management system it will both prevent incidents and should incidents happen it will help you get the business back on track. The Pwc 2014 Information Security Breaches Survey showed that the cost associated with breaches was on average £65k - £115k for a small business. 

Another study from Ponemon Institute’s 2013 Cost of Cyber Crime finds the average company experiences more than 100 successful cyber attacks each year at a cost of $11.6M. The study also shows that those employing good security governance practices reduced costs by an average of $1.5M. In my book that means ROI is less than one year.

Author bio:

Henrik Schouboe is the founder and CEO of JSC Consultant Solutions. Henrik has an extensive background within ISO design and implementation, process optimization and customer experience from companies such as Microsoft and Oracle. Henrik has a M. Sc. in engineering, a Diploma in Human Resource management and is a certified ISO 27001 lead implementer from the British Standards Institute. He can be contacted on via henriks@jscconsultant.co.uk or mobile 07966796789.

JSC Consultant Solutions Bio:

We are a network based consultancy helping organisations with the design and implementation of management systems such as ISO 27001, ISO 9001, ISAE 3402, SSAE 16 & ISO 20000. Our team consists of 16 associated consultants that help companies increase their revenue, lower their cost, establish a platform for growth or prepare for M&A. http://jscconsultant.co.uk/