How Much Does ISO 27001 Certification Cost?

In our blog “How Much does ISO Certification Cost?” we discussed some of the factors that influence the cost of achieving ISO Certification, but with the very specific requirements of the standard for Information Security, how much does ISO 27001 Certification Cost?

Calculating Audit Time with ISO 27006

In 2017 UKAS adopted the revised ISO 27006 standard, which had one important change.

Annex B [of ISO 27006], which defines the number of audit days needed was changed from ‘informative’ to ‘normative’.

This meant that rather than acting as guidance, the length of certification audits is now mandated based on the number of staff in your organisation.

Previously, certification bodies had more flexibility to drill down in to the scope of your ISMS, and make decisions based on risk, locations and the number of staff carrying out the same activity.

The number of audit days directly affects the cost of your ISO 27001 certification.

Complexity of your ISMS

ISO 27001:2022 is a risk based standard which includes an annex of 93 Controls, which is unlike most other management system standards.

While ISO 27006 provides mandated number of days for certification audits, this can still be affected but the complexity of your information security management system.

For example, if you have excluded a number of controls, or limited the scope of certification to a smaller area of your business, the certification days may be affected.

Other Certification Costs

While the number of audit days is the biggest variable when calculating costs, there can be other fees to consider, depending on the certification body you work with.

Many apply a management or certificate fee on an annual basis, or charge travel in addition to their day rate.

Others can split split costs across the three year certification cycle, making it difficult to see the total cost.

Choosing the right Certification Body

There are many UKAS Accredited certification bodies in the marketplace, but their day rates can vary.

It’s important to consider the added value service you are getting, before immediately selecting the cheapest quote. Consider the other costs, such as travel fees, managed above.

However, it is a competitive market place, so clients are advised to seek comparative costs before making a selection.

For further information

Assent Risk Management operate impartially and do not favour any particular Certification Body. We can help you obtain comparative quotes from certification bodies and explain the differences between them. Contact our friendly office team for help with ISO 27001 Certification.

Cookie	Duration	Description
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
CONSENT	16 years 3 months 23 days 8 hours	These cookies are set via embedded youtube-videos. They register anonymous statistical data on for example how many times the video is displayed and what settings are used for playback.No sensitive data is collected unless you log in to your google account, in that case your choices are linked with your account, for example if you click “like” on a video.
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.

Cookie	Duration	Description
IDE	1 year 24 days	Google DoubleClick IDE cookies are used to store information about how the user uses the website to present them with relevant ads and according to the user profile.
test_cookie	15 minutes	The test_cookie is set by doubleclick.net and is used to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	These cookies are set via embedded youtube-videos.
yt-remote-device-id	never	These cookies are set via embedded youtube-videos.

Robert Clements