This is the most commonly-searched query about ISO/IEC 27001 (also written as ISO 27001), so you're not alone in asking!
Recent Gartner research shows 88% of company boards now view cybersecurity as a business risk, leading to huge demand for information security certification. In 2021, as many as 58,687 ISO 27001 certificates were issued globally – but there’s still the perception that it can be expensive and time consuming.
We have set out the many benefits of obtaining ISO 27001:
- Competitive advantage through tenders
- Strategic business growth and funding
- Reducing risk
- Building a cyber reputation, culture and posture
So how much does ISO 27001 certification cost? Depending on the route you take and the technology you use, the cost can range from as little as £21k to as much as £84k.
The ISO 27001 Certification Process
ISO 27001 is at least a 10-stage process, and each stage includes a different set of costs.
Routes to certification
There are four routes you can take to certification. Using a 25-employee business as an example, the options and costs are as follows (all options assume consistent external audit costs charged by an independent auditor):
Route 1: 100% in-house staff, using Hicomply software platform
Investing in a GRC software platform like Hicomply will reduce employee time by 75%. Automate evidence collection, streamline asset registers and risk assessments, deliver pre-written templates for policies and procedures, and manage tasks within the platform. Our integration features allow you to maintain compliance while you work.
An approved Hicomply Partner auditor can also audit you remotely at a reduced cost. The total first year cost would be around £21,000.
Route 2: Hybrid option. In-house staff supported by consultant, using Hicomply software platform
This option, a hybrid of in-house staff, consultants and technology, is the second-lowest cost at around £30,000.
Route 3: 100% outsourced consultant, using Microsoft templates
Hiring a consultant who uses their own content will be the second most expensive option at around £60k in total. Consultant fees are generally £30,000-£50,000. Using a consultant means your staff can focus on their day jobs, although there is still some staff time required throughout the process.
Route 4: 100% in-house staff, using Microsoft templates
In theory, this may seem like the cheapest route. However, when you add in the full cost of your employees’ time, it can actually be the most expensive route. Factoring in external audit costs and a staff cost of £300 per day (£78k/year for a skilled information security analyst), you’re looking at £84,000 to obtain certification.
The ISO 27001 External Audit Costs
The stages of an external audit are as follows:
- Initial certification audit – Stage 1 and Stage 2 audits, £3k – £17k
  - Stage 1 is the documentation audit, and Stage 2 is the certification audit
- Periodic surveillance audits – at 12-month intervals, £1k – £6k
- Re-certification audits – conducted every 3 years
Since mid-2020, the IAF has permitted remote audits, which allows platforms such as Hicomply to be audit friendly.
Cost Breakdown Of The Different Routes
External audits are in all cases carried out by a third-party auditor.
The comparison covers the following columns:
- Consultant - Content
- Consultant - Internal Audit
- External Audit (Year 1)
- Tools / Templates / Software Platform
- Year 1 Cost
Route 1: 100% in-house staff | using Hicomply software platform
- 0.5 days per week
- Reduced Hicomply partner fee
Route 2: Hybrid option | in-house staff supported by consultant | using Hicomply software platform
- 0.5 days per week
Route 3: 100% outsourced consultant | using Microsoft templates
- 1 day per week
Route 4: 100% in-house staff | using Microsoft templates
What Will ISO 27001 Cost Your Company?
Team Hicomply has helped hundreds of companies on the journey to compliance.