Select regional store:

Typical ISO 27001 Certification Costs

When budgeting for an ISO 27001 project, it’s important to take certification costs into account as well as the actual cost of implementing the Standard.

Based on our experience helping more than 800 organizations achieve ISO 27001 certification over the past 15 years, we suggest you use the table below as a guide when budgeting for your initial certification audit.*

(Note that there will be further audit costs over the duration of the three-year certification period.)

Factors that will affect the length of the audit, and therefore the fee, are listed below.

Estimated ISO 27001 certification costs

The table below shows the recommended ISMS (information security management system) audit time according to the size of the organization, as stipulated in ISO/IEC 27006:2015/AMD 1:2020, which sets out the requirements for ISMS auditors and CBs (certification bodies).

No. of people working for the organization

No. of days** (Minimum audit time)

Estimated certification cost ***

1 - 45

3 - 6

$5,400 - $10,800

46 - 125

7 - 8

$12,600 - $14,400 


9 – 10

$16,200 - $18,000
















* The information provided is for guidance purposes only and should not be taken as definitive. These costs are based on our experience and your chosen CB’s costs may differ. The above table does not include fees post the initial certification audit and are based on a positive recommendation at the Stage 2 audit.

** According to ISO 27006, the minimum audit duration may be 70% of the recommended time as prescribed by the Standard. Our figures are rounded to the nearest whole day.

*** The daily fees of an audit will vary between CBs. However, our estimate is a daily fee of $1,200 based on an average between $800 and $1,600.

Factors that might affect ISO 27001 certification costs

As the table above shows, by far the biggest factor that determines the length of audit time is the number of people working for the organization.

Other variables that can affect it include:

  • The complexity of your ISMS
  • The type(s) of activities performed within the scope of the ISMS
  • Previously demonstrated performance of the ISMS
  • The extent and diversity of technology used in the various components of the ISMS (for instance, the number of different IT platforms and segregated networks)
  • The extent of outsourcing and third-party arrangements within the scope of the ISMS
  • The number of sites (and disaster recovery sites)
  • (For surveillance or recertification audits) the extent of change to the ISMS since the previous audit/certification

Note that all the above affect audits only within the limitations set by ISO 27006.

Why you should only use accredited certification bodies

It is vital to ensure that the CB you use is properly accredited by a recognized national accreditation body that is a member of the IAF (International Accreditation Forum).

The IAF website offers a full list of recognized national accreditation bodies by country, from which it is easy to identify whether or not a particular CB's ISMS scheme has been officially accredited. If you can’t find an accreditation body on this list, you can safely assume that it is not officially recognized and that any ‘certificates’ issued by CBs it accredits are unlikely to be recognized as valid. 

Read our blog 'List of US accredited certification bodies for ISO 27001' for more information

The certification process

The CB will first review your documentation (including the scope of the ISMS, risk assessment and treatment documents, and the Statement of Applicability) and check that you have implemented appropriate controls from Annex A. It will then carry out an on-site audit to see the procedures in practice. If it is satisfied of successful implementation, the CB will then issue your certificate. The time period for the certification process inevitably varies depending on the size and type of the organization, but typically takes days rather than weeks.

How IT Governance can help you

  • Our implementation methodology has been honed over 15 years
  • We are known as the global authority on ISO 27001 – our management team led the world’s first ISO 27001 certification project (formerly known as BS 7799)
  • We offer everything you need to implement an ISO 27001-compliant ISMS – you don’t need to go anywhere else
  • We guarantee certification (provided you follow our advice!)
  • You benefit from real-world practitioner expertise, not just academic knowledge
  • We have trained more than 7,000 professionals on ISO 27001 implementations and audits worldwide
  • We’ve helped more than 800 consultancy clients achieve compliance with and certification to ISO 27001
  • We have a proven and pragmatic approach to assessing compliance with international standards, no matter the size or nature of your organization
  • Our pricing and proposals are completely transparent, so you won’t get any surprises
  • We can help small organizations prepare for ISO 27001 certification in just three months
This website uses cookies. View our cookie policy