How Much Does ISO 27001 Certification Cost?

In our blog “How Much does ISO Certification Cost?” we discussed some of the factors that influence the cost of achieving ISO Certification, but with the very specific requirements of the standard for Information Security, how much does ISO 27001 Certification Cost?

Calculating Audit Time with ISO 27006

In 2017 UKAS adopted the revised ISO 27006 standard, which had one important change.

Annex B [of ISO 27006], which defines the number of audit days needed was changed from ‘informative’ to ‘normative’.

This meant that rather than acting as guidance, the length of certification audits is now mandated based on the number of staff in your organisation.

Previously, certification bodies had more flexibility to drill down in to the scope of your ISMS, and make decisions based on risk, locations and the number of staff carrying out the same activity.  

The number of audit days directly affects the cost of your ISO 27001 certification.

Read more here:

Complexity of your ISMS

ISO 27001:2022 is a risk based standard which includes an annex of 93 Controls, which is unlike most other management system standards.  

While ISO 27006 provides mandated number of days for certification audits, this can still be affected but the complexity of your information security management system.

For example, if you have excluded a number of controls, or limited the scope of certification to a smaller area of your business, the certification days may be affected.

Other Certification Costs

While the number of audit days is the biggest variable when calculating costs, there can be other fees to consider, depending on the certification body you work with.  

Many apply a management or certificate fee on an annual basis, or charge travel in addition to their day rate.  

Others can split split costs across the three year certification cycle, making it difficult to see the total cost.

Choosing the right Certification Body

There are many UKAS Accredited certification bodies in the marketplace, but their day rates can vary.

It’s important to consider the added value service you are getting, before immediately selecting the cheapest quote.  Consider the other costs, such as travel fees, managed above.

However, it is a competitive market place, so clients are advised to seek comparative costs before making a selection.

For further information

Assent Risk Management operate impartially and do not favour any particular Certification Body.  We can help you obtain comparative quotes from certification bodies and explain the differences between them. Contact our friendly office team for help with ISO 27001 Certification.

Robert Clements
Robert Clements
Articles: 290