How much does an ISO 27001 audit cost?

Studies indicate that regulatory compliance and cyber security are the two main concerns of corporates today. This is the reason why a growing number of organisations are choosing to adopt the trusted security frame of ISO 27001. The ISO 27001 standard is a globally recognised certification that helps organisations develop an effective Information Security Management System (ISMS). In fact, from 2020-21, ISO 27001 saw an increase of 24.5% in certifications across the globe. The value of ISO 27001 cannot be underestimated. In this article, ISO consultants in Australia will help you calculate the costs involved in becoming ISO 27001-certified.

Breaking down the cost of ISO 27001

Implementing an ISMS based on the recommendations of ISO 27001 is a multi-phase process. Each stage requires organisations to invest a certain amount of time, effort and money, as the cost of ISO 27001 audit heavily depends upon how much time you have spent during the preparatory phases, as it allows you to achieve compliance in your first attempt.

Readiness stage

During this stage of the certification process, your company will need to do the heaviest of preparations. You will need to define the scope of your ISMS, identify where your sensitive information is kept, conduct a risk assessment and then implement the controls which mitigate those risks.

Additionally, you will have to prepare a Statement Of Applicability (SOA), which summarises the implemented controls and provides a statement of justification for why you chose these controls. Moreover, you will have to create a risk treatment plan that will outline how your organisation will respond to all risks identified in the risk assessment.

The cost varies a lot in this stage and can range from $10,000 to nearly $40,000 depending upon which route you choose.

The cost of ISO 27001 in different routes

Examples of the routes include:

Doing it yourself:

Sometimes, the most expensive method to complete the readiness stage can seem like the least expensive superficially. Usually, organisations take the DIY route to save money. However, if you factor in the cost of your internal team’s time, the real cost of implementing ISO 27001 without external help becomes clear. For more information, we suggest reading the ISO certification cost article.

ISMS templates:

Using a template to prepare for the external audit may seem like a cost-effective method to implement an ISMS, however, majority of its recommendations are generic. So, it becomes a matter of chance whether you achieve compliance and clear your audit. This method will ensure that you have not overlooked any mandatory requirements, but will not help you implement the best practises into your operations. Not improving your operational efficiency will be costly in the long run.

ISO consultancy services:

If you choose to work with an ISO consultancy service like The ISO Council, you can further reduce costs. ISO consultants deliver a clear value proposition, by helping you with evidence collection, streamlining workflows, and providing custom advice for best practice policies and procedures. ISO consultancy services reduce your workload significantly. In fact, if your technical heads, head of engineering or experienced managers are leading the readiness stage, the required time will be cut by more than 80%.

ISO 27001 audit cost

There are two main stages to the audit certification process, where, in the first stage, an audit of your documents is done. In the second stage, which is also known as the certification audit, your management system in addition to your documents is reviewed. The cost of securing an external auditor for these audits will run up to $14,000 to $15,000 for small-scale industries. We have already reviewed the cost of ISO certification for small businesses.

Which type of auditor to choose?

• When you are deciding which type of auditor to choose, consider the following key questions:
• Does the auditor have appropriate experience in your sector?
• Does the consultancy body have a good reputation?
• Will the consultancy body carry the weight of the certification process with your CEO? In other words, will they hold accountability?
• When your customers find out about the consultancy, will they trust the audit findings and your company’s commitment to information security?

It is critical to understand that an audit is imperative to your company’s success. If you choose a third-party certification body with a bad reputation, poor experience and lack of specialisation, your stakeholders and your customers will question the validity of your certification and the effectiveness of your management system. Hence, it is always better to choose a certification body that is well-reputed, experienced and specialises in the same sector as your industry.

ISO 27001 surveillance and recertification audit cost

Once your organisation passes the certification audit and is fully ISO 27001 certified, it is time to maintain your certification. To maintain the validity of your certificate, you must undergo a surveillance audit once a year and a re-certification audit once every three years. As surveillance audits are less intense than certification audits, they are likely to cost less and can range between $6000 to $7000 each. The re-certification audit is as detailed as the original certification audit and therefore, the cost can be around $15,000 for a small start-up.

Conclusion

The cost of ISO 27001 audit depends heavily upon the size and complexity of your organisation. Having said that, stage one and stage two audits cost approximately $14,000 to $15,000 for a small scale industry.