The audits and associated costs needed to gain and maintain ISO 27001 certification
Once certified, an ISO 27001 certified Information Security Management System (ISMS) must be audited annually to maintain certification. Internal Audits must be performed each year, either by a third party (like ISO 27001 Solutions) or by internal personnel with an appropriate level of expertise who have not been instrumental in building or running the ISMS. Objectivity is the key here.
ISO 27001 certified organizations are also required to be on a three-year cycle of Surveillance and Recertification Audits by their certification body (the company that handed you your certificate). As an example, if you were certified in 2018 your audit schedule with your certification body would look something like this:
Certification Audit
What it is: The first audit performed by the certification body (registrar), and exactly what the name suggests. If you pass, you receive your ISO 27001 certificate.
Performed by: Certification body
Frequency: Once (the first time you receive your certificate)
Cost: €15,000 to €30,000
Note: Companies often need help preparing for a Certification Audit (from a company like ISO 27001 Solutions); the cost of certification preparation by a third party ranges from €35,000 to €70,000.

Internal Audit
What it is: The standard requires a certified organization to review its ISMS at planned intervals (most often annually). The focus is to ensure that every area of the ISMS is reviewed within the three-year certification cycle. This audit demonstrates top management's commitment to the effectiveness of the ISMS and positions the organization for a successful audit by the certification body.
Performed by: An independent party with sufficient expertise (internal or external resource)
Frequency: Once every year
Cost: €9,000 to €20,000 if an external resource is used

Surveillance Audit
What it is: Held in years one and two after initial certification, and again in years one and two following each recertification. The certification body focuses on clauses 4 to 10 of ISO 27001 and takes a risk-based approach to the Annex A controls; in practice, however, all applicable controls are typically reviewed during a Surveillance Audit to confirm that each control is effective.
Performed by: Certification body
Frequency: Years one and two after each certification (or recertification) audit
Cost: 65% to 75% of your Certification Audit cost (€9,750 to €22,500)

Recertification Audit
What it is: Held every three years, with a significant level of detail, artifacts and evidence required from the certified organization. The goal is to continue to demonstrate management's commitment to the ISMS and its ongoing improvement, so that it remains effective.
Performed by: Certification body
Frequency: Once every three years
Cost: €15,000 to €30,000
If you are going to use an external resource (like ISO 27001 Solutions) to prepare for your Certification Audit and the subsequent Internal Audits, here is a year-by-year breakdown of the cost ranges you can expect in order to achieve and maintain certification: