The costs of: ISO 27001 Certification

"Are you sure that you want to go for the ISO 27001 certification?
That will cost you a fortune!"

This is just one example of the comments you can expect when you tell people that you want to be certified to ISO 27001. Don’t get us wrong: the moment you decide to go for ISO 27001 certification is, indeed, the moment you decide to start investing your money and time. So what does ISO 27001 cost? More importantly, though, this is also the moment you start investing in the credibility and future of your business. It’s time to focus on the prize instead of the price. See what we did there?

The good things in life take time. The good things in life cost money. ISO 27001 certification is a good thing. The end.

Just kidding. In this article, we’ll tell you why investing in ISO 27001 certification is worth it, and we’ll break down the costs you’ll face throughout the process so you can get a better understanding of the price tag.

Work it, it’s worth it  

“ISO certified” means that an organisation has developed, maintains and continuously improves the processes the standard covers. For ISO 27001 specifically, it means an independent auditor has confirmed that you run an information security management system (ISMS): you have identified your security and privacy risks and implemented appropriate measures against them, and you can show evidence of it. Your business partners, clients and prospects will notice and appreciate that. So what does ISO 27001 cost, and is the prize worth working for? For sure!

Everything’s got a price. The cost of ISO 27001.

Let’s start simple. It’s important to budget your ISO 27001 project and to take into account the costs associated with both implementation and certification. Is the cost of ISO 27001 going to be worth it?

Compleye’s DIY roadmap guides you through the general steps towards certification. Here’s a quick overview of what you can expect: 

DIY Roadmap & Wiki 

Step 1: Setup Operations.  

What? A supporting tool for your operational information.  

Costs? It’s a job for the CEO and COO. They are your (internal) costs. 

Step 2: Define Scope 

What? Upgrading your subscription to the DIY Package and using the free X-ray session.  

Costs? The DIY Package is a subscription of 250 euros per month. 

Step 3 & 4: Assessments and control 

What? Organizing regular security meetings, reading and following the DIY Roadmap, instructing/dividing tasks among the ISMS team and keeping control of the progress. 

Costs? You need at least a Security Officer (SO) and a Privacy Officer and/or Compliance Officer (PO and/or CO). They are your costs. Additionally, Compleye can support you with compliance sessions (training, security meetings, deep dives, ask-me-anything-sessions) for 125 euros per session. 

Step 5: Prep for certification 

What? The CO prepares for certification and a new role will need to be assigned: Internal Auditor. Compleye performs internal audits, which are the best preparation for the external audit. The platform can guide you through mandatory paperwork. 

Costs? An internal audit by Compleye, including a report and two meetings with the ISMS team, is 1500 euros. Our Real Time Audit Feature is on its way – yay. 

Certification, Maintenance and Additional Frameworks 

When you are steady and ready to go for ISO 27001, the CO organises the external certification process and the external audit. The costs depend on the scope and the size of your organisation. You can use this link (https://compleye.wiki/diy-roadmap/) if you would like more information. On average a startup pays between 8K and 12K for a three-year audit contract, which covers the initial certification audit and the annual surveillance audits that follow.

The certificate is valid for three years, with a surveillance audit every year and a recertification audit at the end of the cycle, so you must keep your security framework alive for the whole period. This means you will need to repeat what you have done every year and show continuous improvement and a growing maturity level of your framework. Extra costs should be budgeted during this maintenance phase, e.g. for penetration testing, vulnerability scans and more.

Depending on your business and stakeholders, additional frameworks may need to be adopted (e.g. SOC 2), and these additional activities bring costs with them.

Extras  

Besides offering the free X-ray session, the DIY platform monthly subscription, the optional support of compliance sessions and the performance of the internal audit, Compleye can provide you with online compliance officers in case you do not have the time or resources in-house. Please reach out for our special service packages.

To conclude, the eventual price tag of the entire process will always vary per organisation, based on your budget, available resources and planning. You are very welcome to talk to one of our compliance officers or advisors about the journey ahead of you and the costs that the journey will bring.

One thing is certain: keeping your eye on the prize and your mind off the price while working towards your ISO 27001 certification will make it all worthwhile.