ISO 27001 Certification Cost

ISO 27001 certification for a small company differs clearly from certification for a corporation. In a small company, the time required to create the documentation is significantly less, and auditors need far fewer days to check the information security management system and carry out the on-site audit. Even so, an Information Security Management System (ISMS) cannot simply be created in two hours. Where a corporation quickly burns through several million euros, an SME can complete documentation and audits at significantly lower cost.

How much does ISO 27001 certification cost for small businesses?

Small companies usually do not have the time to build an ISO 27001 information security management system on their own. What is needed is an economical solution that still produces a management system tailored to the company. Experienced auditors quickly recognise run-of-the-mill templates that have no real connection to the company being audited, and a failed audit becomes expensive when it has to be repeated. The following example shows what an SME with approximately 1 to 10 employees can expect:
  • Creation of management system documents (£4,000 – £12,000)
  • IT audit by our experts (£1,200 – £8,000)
  • Awareness training for employees (£100 – £500)
  • Audit of documents (£3,000 – £12,000)
  • On-site audit including travel costs (£1,500 – £3,500)
  • Issuance of the ISO 27001 certificate (£500 – £1,000)
As a result, an SME can obtain a customised management system (ISMS) and ISO/IEC 27001 certification from around £8,000. The more complex the IT landscape and the business model, the greater the risk to a company's data; introducing an ISMS is intended to protect that critical data better.

What is included in an ISO 27001 certification for SMEs?

In order for an SME to successfully implement ISO 27001:2022, it must go through the following steps:

  • Preliminary discussion of the ISO 27001 project
  • Creation of ISO 27001:2022 documentation
  • Identification of necessary improvement measures
  • Preparation of audit documents
  • Training of employees
  • Submission of the ISMS concept to the auditor
  • Carrying out the on-site audit
  • Processing of any requests for improvement
  • Update of ISO 27001 documents

In a small company, these work steps can be kept very lean. With good preparation, you will usually receive few or no requests for improvement after the audit.

ISO 27001 rule sets can be designed to be complex or lean

How does the choice of certification body affect the cost?

Many companies believe that certifiers pay their external auditors lavishly. In reality, the external auditors' fees are only a fraction of the certification costs charged to the company. Well-known certification organisations pay their freelance auditors a small (sometimes unattractive) daily rate. This has consequences for the companies waiting to be audited.

In specialised fields in particular, there are few people, either within certification organisations or on the market, who are both qualified and authorised to carry out an audit in accordance with the standard. This creates a bottleneck. Certification bodies try to use and expand their limited human resources as well as they can, but the appointment of an auditor is tied to a long and complicated process chain: new auditors need almost a year before they can act independently as lead auditors. As a result, several certification bodies share their freelance auditors, since not every customer of every body needs to be audited at the same time.

The costs of certification can rise if the intervals between audits and corrective measures become disproportionate. The accreditation bodies also play a significant role, because not every accreditation body places the same requirements on certifiers. Some European accreditation bodies are very strict and demanding. As a result, certifiers accredited by these bodies often have to put in more effort, which ultimately increases costs for their customers. Because of their insight into the operational practices of their customers, certification bodies are nevertheless careful to act economically, efficiently and moderately.

Not every certification body is therefore comparable, and some offer distinct advantages. Since this selection can be quite complex, we accompany our customers through the entire certification process.

Which government funding programs sponsor an ISMS project?

The UK government promotes the improvement of IT security in small and medium-sized companies through various programmes. This means that, under certain conditions, part of the eligible consulting costs can be reimbursed by the respective government programme. We continually compile the latest information on these government initiatives for you. The following list will take you to our information page, where we have put together the necessary application forms as well as information about the funding criteria and the funding application process: