Select regional store:

Typical ISO 27001 Certification Costs

When budgeting for an ISO 27001 project, it’s essential to take certification costs into account as well as the actual cost of implementing the Standard.

ISO 27001 and ISO 27002 2022 updates

ISO/IEC 27001:2022 – the newest version of ISO 27001 – was published in October 2022.

Organisations that are certified to ISO/IEC 27001:2013 have a three-year transition period to make the necessary changes to their ISMS (information security management system).

For more information about ISO 27001:2022 and its companion standard, ISO 27002:2022, and what they mean for your organisation, please visit ISO 27001 and ISO 27002: 2022 updates

Download your copy of ISO 27001:2022 here

Download your copy of ISO 27002:2022 here

Based on our experience helping more than 800 organizations achieve ISO 27001 certification over the past 15 years, we suggest you use the table below as a guide when budgeting for your initial certification audit.*

(Note that there will be further audit costs over the duration of the three-year certification period.)

Factors that will affect the length of the audit, and therefore the fee, are listed below.

Estimated ISO 27001 certification costs

The table below shows the recommended ISMS (information security management system) audit time according to the organization's size, as stipulated in ISO/IEC 27006:2015/AMD 1:2020, which sets out the requirements for ISMS auditors and CBs (certification bodies).

No. of people working for the organization

No. of days** (Minimum audit time)

Estimated certification cost ***

1 - 10


$8,000 - $10,000

11 - 15


$9,600 - $12,000

16 - 25


$11,200 - $14,000

26 - 45


$13,600 - $17,000

46 - 65


$16,000 - $20,000

66 - 85


$17,600 - $22,000

86 - 125


$19,200 - $24,000

126 - 175


$20,800 - $26,000

176 - 275


$22,400 - $28,000

276 - 425


$24,000 - $30,000

* The information provided is for guidance purposes only and should not be taken as definitive. These costs are based on our experience and your chosen CB’s prices may differ. The above table does not include fees post the initial certification audit and is based on a positive recommendation at the Stage 2 audit.

** According to ISO 27006, the minimum audit duration may be 70% of the recommended time as prescribed by the Standard. Our figures are rounded to the nearest whole day.

*** The daily fees of an audit will vary between CBs. However, our estimate is a daily fee of $1,800 based on an average of $1,600 and $2,000.

Factors that might affect ISO 27001 certification costs

As the table above shows, the most significant factor determining the length of audit time is the number of people working for the organization.

Other variables that can affect it include:

  • The complexity of your ISMS
  • The type(s) of activities performed within the scope of the ISMS
  • Previously demonstrated performance of the ISMS
  • The extent and diversity of technology used in the various components of the ISMS (for instance, the number of different IT platforms and segregated networks)
  • The extent of outsourcing and third-party arrangements within the scope of the ISMS
  • The number of sites (and disaster recovery sites)
  • (For surveillance or recertification audits) the extent of change to the ISMS since the previous audit/certification

Note that all the above affect audits only within the limitations set by ISO 27006.

Why you should only use accredited certification bodies

It is vital to ensure that the CB you use is accredited by a recognized national accreditation body that is a member of the IAF (International Accreditation Forum).

It is easy to identify whether or not a particular CB's ISMS scheme has been officially accredited. The IAF website offers a complete list of recognized national accreditation bodies by country. 

If you can’t find an accreditation body on this list, you can safely assume that it is not officially recognized and that any ‘certificates’ issued by CBs it accredits are unlikely to be recognized as valid. 

Read our blog 'List of US accredited certification bodies for ISO 27001' for more information

The certification process

The CB will first review your documentation (including the scope of the ISMS, risk assessment and treatment documents, and the Statement of Applicability) and check that you have implemented appropriate controls from Annex A. It will then carry out an on-site audit to see the procedures in practice.

If it is satisfied with successful implementation, the CB will then issue your certificate. The time period for the certification process inevitably varies depending on the size and type of the organization, but typically takes days rather than weeks.

How IT Governance can help you get ISO 27001 certified

  • Our implementation methodology has been honed over 15 years
  • We are known as the global authority on ISO 27001 – our management team led the world’s first ISO 27001 certification project (formerly known as BS 7799)
  • We offer everything you need to implement an ISO 27001-compliant ISMS – you don’t need to go anywhere else
  • We guarantee certification (provided you follow our advice!)
  • You benefit from real-world practitioner expertise, not just academic knowledge
  • We have trained more than 7,000 professionals on ISO 27001 implementations and audits worldwide
  • We’ve helped more than 800 consultancy clients achieve compliance with and certification to ISO 27001
  • We have a proven and pragmatic approach to assessing compliance with international standards, no matter the size or nature of your organization
  • Our pricing and proposals are completely transparent, so you won’t get any surprises
  • We can help small organizations prepare for ISO 27001 certification in just three months
This website uses cookies. View our cookie policy
GET 24/7