USA
Select regional store:

Typical ISO 27001 Certification Costs

When budgeting for an ISO 27001 project, it’s important to take certification costs into account as well as the actual cost of implementing the Standard.

Having prepared hundreds of organizations for ISO 27001 certification over the last 15 years, IT Governance suggests you budget the following amounts to cover the cost of the initial certification audit – there will be further audit costs over the duration of the three-year certification period.

The actual fee charged will depend on the certification body (CB) you appoint and the risk it associates with your information security management system, but you could use the below table as a guide*.


Estimated ISO 27001 certification costs

The table below displays the recommended ISMS audit time according to the size of the organisation, as stipulated in ISO/IEC 27006:2015.

No. of people working for the organization

No. of days** (Minimum audit time)

Estimated certification cost ***

1 - 45

3 - 6

$3,500 - $7,000

46 - 125

7 - 8

$8,150 - $9,300

126-425

9 – 10

$10,500 - $11,600

426-625

11

$12,800

626-875

12

$13,900

876-1175

13

$15,100

1176-1550

14

$16,300

1551-2025

15

$17,500

*Please note: the information provided is for guidance purposes only and should not be taken as definitive. These costs are based on our experience and your chosen CB’s costs may differ. The above table does not include fees post the initial certification audit and are based on a positive recommendation at the Stage 2 audit.

**According to ISO 27006, the minimum audit duration may be 70 % of the recommended time as prescribed by the standard. Our figures are rounded to the nearest whole day.

*** The daily fees of an audit will vary between Certification Bodies, however our estimate is a daily fee of $1220, based on an average between $800 - $1600.


Why you should only use accredited certification bodies

It is vital to ensure that the certification body you use is properly accredited by a recognized national accreditation body that is a member of the IAF (International Accreditation Forum).

The IAF website carries a full list of recognized national accreditation bodies by country, from which it is easy to identify whether or not a particular certification body’s ISMS scheme has been officially accredited. If you can’t find an accreditation body on this list, you can safely assume that it is not officially recognized and that any ‘certificates’ issued by certification bodies it accredits are unlikely to be recognized as valid. 

Read our blog 'List of US accredited certification bodies for ISO 27001' for more information >>


The certification process

The certification body will first review your documentation (including the scope of the ISMS, risk assessment and treatment documents, and Statement of Applicability) and check that you have implemented appropriate controls from Annex A. It will then carry out a site audit to see the procedures in practice. If it is satisfied of successful implementation, the certification body will then issue your certificate. The time period for the certification process inevitably varies depending on the size and type of the organization, but typically takes days rather than weeks.

Ready for ISO 27001 certification? Let’s get started

Having led the world’s first ISO 27001 certification project, we are the global pioneer of the Standard. Let us share our expertise and support you on your journey to ISO 27001 compliance.

How IT Governance can help you

  • Our implementation methodology has been honed over 15 years.
  • We are known as the global authority on ISO 27001 – our management team led the world’s first ISO 27001 certification project (formerly known as BS 7799).
  • We offer everything you need to implement an ISO 27001-compliant ISMS – you don’t need to go anywhere else.
  • We guarantee certification (provided you follow our advice!).
  • You benefit from real-world practitioner expertise, not just academic knowledge.
  • We have trained more than 7,000 professionals on ISO 27001 implementations and audits worldwide.
  • We’ve helped more than 600 consultancy clients achieve certification to and compliance with ISO 27001.
  • We have a proven and pragmatic approach to assessing compliance with international standards, no matter the size or nature of your organization.
  • Our pricing and proposals are completely transparent, so you won’t get any surprises.
  • We can help small organizations prepare for ISO 27001 certification in three months.
This website uses cookies. View our cookie policy