The question of the cost of an ISO27001 certification project frequently comes up, and rightly so, since this certification is based on the most widely recognized international standard for information security management.


Companies are increasingly being asked by their own customers, partners and suppliers to provide details of the security measures and controls in place, and it takes a lot of time for companies to respond to all these requests.

For some time now, insurance companies have also been asking many questions before even considering protecting their customers against cyber risks.

And finally, large institutions in Quebec and elsewhere are demanding these certifications more and more often. Because they want to manage their risks and reduce the effort required to validate the security measures and controls in place at their suppliers and partners, they greatly prefer to require a certification such as ISO27001, which is far less demanding and less risky for them.

Breakdown of expenditure

Below, you’ll find the different types of expenses and a brief explanation of each, with an estimated effort for a typical organization with fewer than 75 employees.

Buying the standard

Trying to comply with a standard you don’t have a copy of makes little sense. How can you comply with a standard if you don’t know what it says?

The standard can be purchased directly from the ISO.ORG website at a cost of 118 CHF (Swiss francs), or approximately 162 CAD.

Please note that the standard is copyrighted and cannot be shared. You should purchase a license sized to the number of people involved in its implementation.

Consultation efforts

It’s highly recommended that any company, regardless of size, work with a consulting firm or consultant with expertise in the field, to achieve its compliance objectives as quickly as possible and with as few mistakes as possible. Despite the cost of external consulting, it can save you other costs or errors, since consultants know the pitfalls of the standard, where to put their efforts and where not to waste time.

To give you an idea of the scale of consulting costs, and by way of example, for companies with 50 employees, I have billed between 140 and 250 hours to assist with implementation.

An important detail: the effort required from the consulting firm or consultant depends very much on the availability and involvement of the internal teams. The more quickly your team understands and takes on tasks, the lower the bill and the easier it will be to maintain the standard in the future.

Internal resources

For an information security management system (ISMS) to function properly, there must be an owner responsible for each item or element of the standard.

Ideally, a champion should be appointed for the role of CISO (Chief Information Security Officer), who is accompanied and supported by the rest of the internal teams.

Who is your CISO?

The effort of in-house teams varies greatly from one company to another, but as a simple rule of thumb, it will be double to triple that of the consulting firm or external consultant. So if the external mandate is around 200 hours, you can expect the in-house effort to fall between 400 and 600 hours.

Change or new technologies

The good news is that the standard doesn’t require any particular technology, but some technologies are very useful in speeding up the compliance process.

For example:

  • A tool for updating systems;
  • A virus protection console (with dashboard);
  • A password manager;
  • An event log management and monitoring system.

Training and awareness programs

The entire organization must be aware of its information security responsibilities. All employees must be trained to know how to react in the event of a security incident. Ongoing monitoring and awareness-raising are also essential.

Internal Audit

Each year, the organization must verify the status and performance of its ISMS. The first step is an internal audit. It must be carried out by a neutral, objective person with appropriate skills and knowledge of the standard.

As far as I’m concerned, in my first year, the audit is carried out by a colleague who also assesses whether I’ve done my job properly, which is in itself a good way of being well prepared for the external auditor.

External auditor certification fees

The external auditor, associated with a certification body, carries out an audit similar to the internal audit, but must also provide an opinion on the “state of health” of the ISMS: does it comply with the standard or not?

In short, here’s a summary of how much it costs to implement an ISO27001-certified information security program for a small business with 25 to 50 employees:

  • Purchase of the standard: $200
  • Support by an outside firm or consultant: $15,000 to $30,000
  • Internal efforts: $10,000 to $40,000
  • Implementation of new technological tools: $0 to $10,000
  • Training and awareness: $5,000
  • Internal audit: $0 to $5,000
  • Certification fees (external auditor): $10,000

Estimated total: between $35,000 and $100,000

I hope this information helps you plan the implementation of your security program.

I invite you to click on “Follow” to continue learning more about the field of information security.