ISO 27001 Certification Cost
There are clear differences in ISO 27001 certification for corporations compared to small companies. For a small company, the time required to create the documentation is significantly less. Auditors also need far fewer days to check the Information Security Management System (ISMS) and carry out the on-site audit. Even so, an ISMS cannot simply be created in 2 hours. Where a corporation quickly burns through several million euros, an SME can carry out documentation and audits at significantly lower costs.
How much does ISO 27001 certification cost for small businesses?
- Creation of management system documents (£4,000 – £12,000)
- IT audit by our experts (£1,200 – £8,000)
- Awareness training for employees (£100 – £500)
- Audit of documents (£3,000 – £12,000)
- On-site audit including travel costs (£1,500 – £3,500)
- Issuance of the ISO 27001 certificate (£500 – £1,000)
What is included in an ISO 27001 certification for SMEs?
In order for an SME to successfully implement ISO 27001:2022, it must go through the following steps:
- Preliminary discussion of the ISO 27001 project
- Creation of ISO 27001:2022 documentation
- Identification of necessary improvement measures
- Preparation of audit documents
- Training of employees
- Submission of the ISMS management concept to the auditor
- Carrying out the on-site audit
- Processing of any requests for improvement
- Update of ISO 27001 documents
In a small company, these work steps can be designed very leanly. If you prepare well, you will usually receive few or no requests for improvement after the audit.
How can the choice of a certification body affect the cost?
Many companies believe that external auditors are being showered with gold by certifiers. In reality, the external auditors’ fees are only a fraction of the certification costs charged to the company. Well-known certification organizations pay their freelancers a small (sometimes unattractive) daily rate. However, this has consequences for the companies on the waiting list.
Especially in specific specialist areas, there are few specialists in certification organizations and on the market who can and are allowed to carry out an audit in accordance with standards. This leads to a bottleneck. Certification bodies try to use and expand limited human resources as best as possible. However, the appointment of an auditor is linked to a very long and complicated process chain. This means that new auditors need almost a year before they can independently become active as lead auditors. As a result, several certification bodies share their freelance auditors because not every one of their customers always needs to be audited at the same time.
However, the costs of certification can increase if the intervals between audits and corrective measures become disproportionate. The accreditation bodies also play a significant role because not every accreditation body has the same requirements for certifiers. Some European accreditation bodies are very strict and demanding. As a result, the certifiers accredited by these European accreditation bodies often have to put in more effort, which ultimately increases costs for customers. Due to their insight into the operational practices of their customers, the certification bodies are very careful to act economically, efficiently and moderately.
Certification bodies are therefore not all comparable, and some can offer interesting advantages. Since this selection can be quite complex, we accompany our customers through the entire certification process.
Which government funding programs sponsor an ISMS project?
The UK government promotes the improvement of IT security in small to medium-sized companies with various programs. This means that, under certain circumstances, part of the eligible consulting costs can be reimbursed by the respective government program. We are continually compiling the latest information on these government initiatives for you. The following list will take you to our information page, where we have put together all the necessary application forms as well as information about the funding criteria and the funding application process: