ISO 27001 Certification: Understanding the Process and Costs
Organizations face immense pressure from regulators, the public, and clients to ensure they have the appropriate management standards, control and protocols to manage their data. As a consequence, a growing number of businesses are exploring the ISO 27001 certification. In particular, organizations considering embarking on an ISO 27001 implementation are wishing better to understand the ISO 27001 certification process and associated costs.
Most organizations understand that ISO 27001 is an international standard supporting organizations to adopt a comprehensive and robust Information Security Management System (ISMS). However, if you are new to ISO 27001, you can learn more about the ISO 27001 standard in our article, What is ISO 27001?
Here, we’ll explain the ISO 27001 certification process and the typical costs associated with an ISO 27001 implementation.
ISO 27001 Certification Process
It is essential to ensure that the robustness of the Information Security Management System (ISMS) being deployed provides appropriate protection and can achieve your organizational objectives.
The ISO 27001 audit, or review, which leads to ISO 27001 certification, is a two-stage process. However, the overall path to ISO 27001 certification can be more complex.
For simplification, it is suggested organizations follow a five-phase ISO 27001 certification methodology, namely, initiation, definition, assessment, development, and readiness:
- Phase 1: Initiation – The purpose of this phase is to prepare your organization for adopting and ISMS. During this phase, you would identify the resources needed to support the ISO 27001 implementation. You will also determine which department or areas need to be involved and which existing processes can be adapted to fulfil ISO 27001 requirements.
- Phase 2: Definition – Most businesses conduct a gap analysis to establish a roadmap from their current state to meet ISO 27001 standards. This effort may include amending existing business processes and creating new workflows, procedures, and documentation to align your business with ISO 27001.
- Phase 3: Assessment – During this phase, you will identify information assets and conduct a risk assessment. In this phase, business also typically identify their security baseline, and complete a Statement of Applicability.
- Phase 4: Development – Here the purpose is to apply your risk treatement plan, along with ISO 27001 controls and monitor how effective it is. Adopting the “Plan-Do-Check-Act” (PDCA) cycle to monitor, evaluate, and review your ISMS.
- Phase 5: Readiness – To achieve your ISO27001 certification, you will need to engage an external assessment body to conduct a formal review. The review is a two-stage process, with the two visits usually taking place six weeks apart. Successful completion of this two-stage review will result in a certificate being awarded.
ISO 27001 Consultants and Certification Bodies (CB)
Many businesses may not have the knowledge, time or resources to prepare and implement an ISMS within their organizations. Consequently, many choose to engage and employ external specialists (Certification Bodies) to advise how best to deploy ISO 27001.
The main benefit is that a Certification Body can act as the consultant to implement the ISMS into your company and certify your business once compliant with the ISO 27001 standard.
Additionally, most CBs offer on-going support and guidance to ensure you maintain certification, and more importantly, use the ISMS to its full benefit.
When it comes to certification, an accredited Certification Body must perform the assessment/audit functions. The assessment/audit body cannot have any involvement in the implementation of ISO 27001.
Consequently, most organizations employ a Certification Body, independent ISO 27001 consultant, or both, for Phases One, Two and Four, and an accredited Certification Body to certify it to the standard (as part of Phase Three).
While non-accreditation does not necessarily mean a certification body is not reputable, not all certification bodies operate to the same level.
You can find the national accredited certification body in your country by visiting International Accreditation Forum.
ISO 27001 Certification Costs
Cost of ISO 27001 Certification
Certification is achieved through a two-stage Audit conducted by an external assessment body (Accredited Certification Body), performed approximately six weeks apart. As such, ISO 27001 certification costs are determined by the time required to audit and take into account:
- Complexity and risk
- Number of sites
- Staff numbers
The sector, and organizational complexity, may mean only some Auditors have the suitable level of experience, knowledge, and qualifications to audit. In such an example, it is typical for external assessment bodies to charge between €700 (£600) – €1.000 (£900) per day.
A small business with a single location operating in the service industry may only need a couple of days of auditing to become certified. In contrast, a large multi-site manufacturing site could take weeks to audit.
ISO 27001 Implementation Costs
Most SMEs can deploy and attain ISO 27001 certification without any external support, thereby keeping costs low. However, forecasting accurate costs for implementing ISO 27001 in your organization can be challenging due to several factors.
Predominately, achieving the ISO 27001 certification is a resource-intensive activity. It often requires resources from several areas of the organization to deliver. Additional resourcing costs will be in the form of external consultants or CBs.
It is, therefore, crucial to assess the impact of the resources required, ideally conducting a cost-benefit analysis. A cost-benefit assessment will allow a comparison to be made against other potential investments your business could be making.
The costs associated with using a consultant are typically based on the same principles as auditing. Day rates for external consultants typically range from €450 (£400) – €1.100 (£1000) a day.
If engaging with an external consultant to help implement ISO 27001 in your organization, it is essential to balance the level of support required with the value such an engagement will deliver.
Beware of hidden costs
Many Certification Bodies will provide quotes based on a package cost, including Stage 1 and Stage 2 audits and the administration and compliance aspects. Despite this, it’s still crucial your check for any hidden costs.
You may find many quotes that exclude Management and travel fees. While 3 years is typical for a contract’s length, it is also worth checking the contract’s duration since a lower fee could be indicative of a lengthy agreement.
Frequently Asked Questions: ISO 27001 Certification Process
What are the main benefits of ISO 27001 Certification?
By implementing a robust and systematic approach to managing your information, ISO 27001 can help protect your organization and reduce risk. ISO 27001 certified organizations can demonstrate clearly to customers, employees, and other stakeholders that they take information security seriously.
In this way, ISO 27001 helps protect your organizational reputation, achieve compliance, improve efficiencies through effective processes, and reduce risks.
Also read: What are the Benefits of ISO 27001?
How much will it cost to achieve ISO 27001 Certification?
The certification cost depends on the firm’s size and the number of employees in the organization. ISO 27001 pricing can be segmented into two areas, implementation and auditing.
Costs for both areas will be dependent on multiple factors such as industry, organizational complexity, number of staff, and so forth. Costs can increase if external consultancy is required for either or both of the areas.
How quickly can my organization achieve ISO 27001 Certification?
Similar to costs, how long it will take for your organization to become ISO 27001 certified will depend on multiple factors.
Whether the certification scope is for just part of your business or the whole business, resource availability to undertake document production, risk assessments, internal audits, and so forth. Such factors should be taken into account when forecasting how soon you can achieve ISO 27001 certification. Your organization’s size and complexity, business maturity are also vital considerations.
However, dependent on the questions above, it is possible for a small to medium organization to achieve ISO27001 information security certification between 6 and 12 months.
How long is the ISO 27001 certification valid for?
From the date of certification, your ISO 27001 certificate remains valid for three years. During this period, undoubtedly, your business will be influenced by internal and external factors. As part of the ISO 27001 framework, organizations are expected to monitor, amend and revise their processes to ensure they meet the ISO 27001 standard.
Most businesses achieved this by adopting a “Plan-Do-Check-Act” cycle (PDCA). PDCA ensures that the organization maintains the 27001 ISMS and derives maximum value from the intial investment, and ensures that their ISMS is always current and ready for re-certification.