What is ISO 27001 certification?
Increasing pressure from regulators, clients, and the public for better assurances about the way organizations manage confidential and sensitive data has resulted in rapid growth of certification to ISO 27001.
ISO 27001 is the international standard that lays out the specifications for implementing an ISMS (information security management system). An ISMS can be audited by an independent CB (certification body) as a way to assess whether it conforms to the requirements of the Standard.
How long does ISO 27001 certification last?
Once certification is granted, it is valid for three years, although the ISMS will need to be managed and maintained throughout that period. Auditors from the CB will continue to conduct surveillance visits every year while the certification is valid.
Your journey to success starts with us.
Backed by years of experience and a deep understanding of the ISO 27001 certification process, IT Governance USA will enable you to pursue certification with confidence. Speak with one of our experts today for more information.
The ISO 27001 certification process
Once you are ready for certification, you will need to engage the services of an independent, accredited CB. These CBs have been assessed by the relevant national authority for their competence, impartiality, and performance capability through a rigorous assessment process.
The certification process consists of two stages and is conducted by a qualified auditor:
- Stage 1: The auditor will review your documentation to check that the ISMS has been developed in accordance with the Standard. You will be expected to present evidence of all key aspects of the ISMS, but how much evidence is required depends on the CB's requirements.
- Stage 2: If you pass the first stage, the auditor will conduct a more thorough assessment. This will involve reviewing the activities that support the development of the ISMS. The auditor will analyze your policies and procedures in greater depth and review how the ISMS works in practice, with an on-site investigation. The auditor will also interview key members of staff to verify that all activities are undertaken in accordance with the specifications of ISO 27001.
If you're considering tackling an ISO 27001 project, discover how best to go about it, and the solutions available to support your project, with our implementation checklist.
Can you get certified to ISO 27001 with IT Governance USA?
IT Governance USA is not a CB. Instead, we specialize in helping organizations like yours to fully prepare for certification. We do this by providing any combination of training, consultancy, tools, books, and advice, so that you are ready by the time you engage a CB.
We support the concept of independent, accredited certification, which means that we do not audit our own work. For the same reason, CBs are not permitted to provide consultancy and advice to their clients before conducting a certification audit.
Through our years of experience assisting hundreds of organizations with ISO 27001 implementation and certification projects, we know exactly what CBs expect. As a result, we can offer you unrivalled advice and expertise on how to achieve certification with a certification guarantee.
Estimated ISO 27001 CB certification costs
Based on our experience helping hundreds of organizations achieve ISO 27001 certification over the past 15 years, we suggest you use the table below as a guide when budgeting the cost of your chosen CB for your initial certification audit.*
(Note that there will be further audit costs over the three-year certification period.)
Factors that will affect the length of the audit, and therefore the fee, are listed below.
The table below shows the recommended ISMS audit time according to the organization's size, as stipulated in ISO/IEC 27006:2015/AMD 1:2020, which sets out the requirements for ISMS auditors and CBs.
| No. of people working for the organization | No. of days** (minimum audit time) | Estimated certification cost*** |
|---|---|---|
| 1 - 10 | 5 | $8,000 - $10,000 |
| 11 - 15 | 6 | $9,600 - $12,000 |
| 16 - 25 | 7 | $11,200 - $14,000 |
| 26 - 45 | 8.5 | $13,600 - $17,000 |
| 46 - 65 | 10 | $16,000 - $20,000 |
| 66 - 85 | 11 | $17,600 - $22,000 |
| 86 - 125 | 12 | $19,200 - $24,000 |
| 126 - 175 | 13 | $20,800 - $26,000 |
| 176 - 275 | 14 | $22,400 - $28,000 |
| 276 - 425 | 15 | $24,000 - $30,000 |
* The information provided is for guidance purposes only and should not be taken as definitive. These costs are based on our experience, and your chosen CB's prices may differ. The above table does not include fees after the initial certification audit and assumes a positive recommendation at the Stage 2 audit.
** According to ISO 27006, the minimum audit duration may be 70% of the recommended time as prescribed by the Standard. Our figures are rounded to the nearest whole day.
*** The daily fees of an audit will vary between CBs. However, our estimate assumes a daily fee of $1,800, based on a range of $1,600 to $2,000 per day.
Factors that might affect ISO 27001 training and certification costs
As the table above shows, the most significant factor determining the length of audit time is the number of people working for the organization.
Other variables that can affect it include:
- The complexity of your ISMS
- The type(s) of activities performed within the scope of the ISMS
- Previously demonstrated performance of the ISMS
- The extent and diversity of technology used in the various components of the ISMS (for instance, the number of different IT platforms and segregated networks)
- The extent of outsourcing and third-party arrangements within the scope of the ISMS
- The number of sites (and disaster recovery sites)
- (For surveillance or recertification audits) the extent of change to the ISMS since the previous audit/certification
Note that all the above affect audits only within the limitations set by ISO 27006.
Why you should only use accredited certification bodies
It is vital to ensure that the CB you use is accredited by a recognized national accreditation body that is a member of the IAF (International Accreditation Forum).
It is easy to identify whether a particular CB's ISMS scheme has been officially accredited. The IAF website offers a complete list of recognized national accreditation bodies by country.
If you can’t find an accreditation body on this list, you can safely assume that it is not officially recognized and that any ‘certificates’ issued by CBs it accredits are unlikely to be recognized as valid.
Read our blog 'List of US accredited certification bodies for ISO 27001' for more information.
How your organization will benefit from ISO 27001 certification
Win new business and sharpen your competitive edge
Not only does ISO 27001 certification help you demonstrate good security practices, thereby improving working relationships and retaining existing clients, but it also gives you a proven marketing edge against your competitors, putting you alongside the likes of Google, Microsoft, and Amazon.
Avoid the financial penalties and losses associated with data breaches
The global average cost of a data breach has skyrocketed to $4.45 million (a 2% increase from 2022), with the average cost of a data breach highest in the US, according to Ponemon Institute.
As the accepted global benchmark for the effective management of information assets, ISO 27001 enables organizations to avoid the potentially devastating financial losses caused by data breaches.
Protect and enhance your reputation
Cyber attacks are increasing in volume and strength daily, and the financial and reputational damage caused by an ineffectual information security posture can be disastrous.
Implementing an ISO 27001-certified ISMS helps to protect your organization against such threats and demonstrates that you have taken the necessary steps to protect your business.
Improve structure and focus
When an organization grows rapidly, it doesn't take long before there is confusion about who is responsible for which information assets. The Standard helps organizations become more productive by clearly setting out information risk responsibilities.
Reduce the need for frequent audits
ISO 27001 certification provides a globally accepted indication of security effectiveness, removing the need for repeated customer audits and so reducing the number of external audit days your organization has to accommodate.
Obtain an independent opinion about your security posture
Certification to ISO 27001 involves undertaking regular reviews and internal audits of the ISMS to ensure its continual improvement. In addition, an external auditor will review the ISMS at specific intervals to establish whether the controls are working as intended. This independent assessment provides an expert opinion of whether the ISMS is functioning properly and provides the level of security needed to protect the organization’s information.
Ready for ISO 27001 certification or have questions? Let’s get started
Having led the world’s first ISO 27001 certification project, we are the global pioneer of the Standard. Let us share our expertise and support you on your journey to ISO 27001 compliance.
How IT Governance USA can help you
- Our implementation methodology has been honed over 15 years
- We are known as the global authority on ISO 27001 – our management team led the world’s first ISO 27001 certification project (formerly known as BS 7799)
- We offer everything you need to implement an ISO 27001-compliant ISMS – you don’t need to go anywhere else
- You benefit from real-world practitioner expertise, not just academic knowledge
- We have trained more than 7,000 professionals on ISO 27001 implementation and audit worldwide
- We’ve helped hundreds of consultancy clients achieve certification to and compliance with ISO 27001
- We have a proven and pragmatic approach to assessing compliance with international standards, no matter the size or nature of your organization
- Our pricing and proposals are completely transparent, so you won’t get any surprises
- We can help small organizations prepare for ISO 27001 certification in three months