How much does ISO27001 REALLY cost?

Googling “how much does ISO 27001 cost?” reveals a host of contradictory articles. Every compliance platform will tell you their solution is the best, the quickest, and the cheapest. But very few will give you an actual price. So, what is the reality? How much does it REALLY cost to become ISO 27001 compliant?

Do you really need ISO 27001?

Before we dive into the true cost of ISO 27001 there’s an important question to ask. Do you actually need to get this certification? As so often, the answer here is “it depends”. Here’s a quick checklist to show whether it’s right for your company at present.

  1. What stage are you at? This is the first thing to consider. In many (most) cases, very early-stage startups probably shouldn’t be spending their time, money, and resources on ISO 27001. But there are exceptions (see below).
  2. What is your target market? Are you marketing your product to hospitals or insurers? If so, ISO 27001 may be a requirement they impose. And at the least, it can help open doors.
  3. Are you aiming to get certified as a DTx? If the answer is yes, then you should definitely consider doing ISO 27001 alongside your other key certifications like ISO 13485.
  4. Do you process sensitive data? If you are dealing with health data or other sensitive data, you may well need to get ISO 27001. However, it depends on exactly what you are doing. So you probably should seek advice.

What are the up-front costs of ISO 27001?

Undertaking ISO 27001 can represent a considerable investment. There are two ways it is going to cost you.

  1. The costs needed to get ready for your audit
  2. The certification body fees for the audit itself

Preparation costs for ISO 27001

Preparing for an ISO 27001 audit is quite a long and complex process. In almost all cases, you will need to employ a cybersecurity consultant to help you with the process. Their expertise will be invaluable when working out what aspects to focus on. They will also be able to recommend the most suitable certification body for you. Expect to pay anything from €50-250 an hour depending on experience, location, and length of contract.

On top of that, you will also need to pay for a compliance platform. ISO 27001 is a documentation-heavy standard. Achieving it requires you to collect a significant body of evidence relating to your systems, processes and policies. Most companies find it is far easier to handle all this paperwork with a purpose-built compliance platform (although we have seen others using tools like Confluence to achieve the same thing). Platform costs vary greatly, but some well-known ones will charge you around €5k for each standard or regulation you are trying to achieve. These full-service platforms include evidence collection, templates, and checklists. But notably, they don’t give you any guarantee as to whether you will achieve compliance.

Certification and audit costs for ISO 27001

ISO 27001 is an international standard that can be awarded by any certification body that achieves the required accreditation. Even within the EU market, there are dozens of certification bodies. As ISO is a standard, all these should be holding you to the same requirements. However, there are differences in approach that affect both the price and time it will take to achieve the certification. Going through an ISO 27001 audit costs anywhere from a couple of thousand Euros up to €20,000 or more.

The exact costs will usually depend on how large your company is, what cybersecurity risks you have to deal with, and which market you are trying to sell to. For instance, a small company that only handles non-sensitive data and sells DTC in Italy will face much lower costs than a mid-size B2B health tech company selling to German hospitals.

What are the hidden costs for ISO 27001?

There are a number of hidden costs involved in pursuing any compliance certification and ISO 27001 is no exception.

Indirect costs

Getting a certification like ISO 27001 requires a significant time investment from your team, especially your devs. They will need to commit to working with your consultant to provide all the documentation and evidence needed for the process. They will also need to be on-hand during the audit to provide any additional supporting evidence.

Maintenance costs

There are ongoing costs with ISO 27001 which you need to factor in. Mostly, these relate to the cost of any compliance platform plus the cost of keeping all your evidence up to date. But bear in mind that ISO 27001 is seldom done in isolation. Almost certainly there will be other standards or regulations you need to comply with. A good consultant will be able to help you amortise the maintenance costs across all these.

Opportunity costs

The timeline to achieve ISO 27001 can vary enormously depending on how you tackle it. As a result, there can be opportunity costs if your certification takes longer than you expected. This is especially true if you are working in a vertical where ISO 27001 is compulsory. You need to pin your consultant down to a timeline for delivery and plan accordingly. In our experience, most companies should be able to achieve the required standard within 6 months. But you might still be stuck in a queue waiting for your certification body to complete your audit. This is where a good consultant can help by steering you towards a certification body they know can complete the work in a timely manner.

Other FAQs for ISO 27001

Only rarely is ISO 27001 the first compliance task you need to tackle. And it is never tackled in isolation.

What order should I tackle compliance tasks?

Our experience shows that it is often best to work on ISO 27001 after you complete your initial GDPR compliance tasks. A key advantage here is that it prevents compliance tasks from overwhelming your team. There’s no point chasing compliance if the process prevents you from building your actual products! Also, for many businesses, GDPR compliance is required long before you tackle ISO 27001.

Do platforms really help with compliance?

Standards such as ISO 27001 require you to collect a wide variety of evidence. They also have a very structured set of requirements. This means a platform such as CHECKSME can really help you achieve compliance faster. Companies that try to do it without a platform just end up replicating that same functionality in something like Confluence.

Can I do ISO 27001 without an external consultant?

It’s perfectly possible to achieve any certification by yourself without an external consultant. Many companies have in-house expertise that enables this. However, even then there are definite advantages to having a dedicated consultant:

  • Deep expertise: They have likely helped hundreds of companies and they know all the pitfalls and shortcuts.
  • Advice on choice of certification body: There are dozens of different certification bodies doing ISO 27001. Choosing the right one will make your certification go much faster and smoother.
  • Avoiding unnecessary work: As a rule, standards consist of core requirements everyone must complete along with a number of optional elements that depend on your business case. A good consultant will make sure you only do those elements that are necessary.
