
Typical ISO 27001 Certification Costs

When budgeting for an ISO 27001 project, it’s important to take certification costs into account as well as the actual cost of implementing the Standard.

The cost of ISO 27001 certification varies depending on factors such as the size and complexity of your organisation, the number of locations, and the technology used.

Having prepared hundreds of organisations for ISO 27001 certification over the past 20 years, we suggest budgeting the following amounts to cover the cost of the initial certification audit. There will be further audit costs throughout the three-year certification period.

Certification fees vary depending on which certification body you appoint and the risk it associates with your ISMS (information security management system). Use the below table as a guide.

Estimated ISO 27001 certification costs

The table below displays the recommended ISMS audit time according to the size of the organisation, as stipulated in ISO/IEC 27006:2015, and the estimated certification cost.*

| Number of employees | Number of audit days** (Stage 1 and Stage 2) | Estimated certification cost*** |
|---|---|---|
| 1 | 5 | £6,250 |
| 11 | 6 | £7,500 |
| 16 | 7 | £8,750 |
| 26 | 9 | £11,250 |
| 46 | 10 | £12,500 |
| 66 | 11 | £13,750 |
| 86 | 12 | £15,000 |
| 126 | 13 | £16,250 |
| 426 | 17 | £20,625 |
| 626 | 18 | £21,875 |
| 876 | 19 | £23,125 |
| 1176 | 20 | £24,375 |
| 1551 | 21 | £26,250 |
| 2026 | 22 | £27,500 |
| 2676 | 23 | £28,750 |
| 3451 | 24 | £30,000 |
| 4351 | 25 | £31,250 |
| 5451 | 26 | £32,500 |
| 6801 | 27 | £33,750 |

*Please note: this information is for guidance purposes only. Your chosen certification body’s costs may differ. The above table does not include fees following the initial certification audit and is based on a positive recommendation at the Stage 2 audit.

**According to ISO 27006, the minimum audit duration may be 70% of the recommended time as prescribed by the Standard. Our figures are rounded to the nearest whole day.

***The daily fee for an audit will vary between certification bodies. Our estimate is a daily fee of £1250.

Speak to an ISO 27001 expert

Speak to one of our specialists about budgeting and ways to avoid unexpected costs during implementation and certification. Call our expert team on +44 (0)1474 55 66 85 or request a call back using the form below.


Why organisations choose ISO 27001

ISO 27001 certification can be highly beneficial to organisations of all sizes. Not only does it provide a rigorous framework for implementing an ISMS, but it also offers a range of other benefits, including:

  • Improved security posture: By implementing an ISMS in line with ISO 27001, organisations can improve their security posture and better protect their information assets.
  • Enhanced reputation and credibility: Certification to ISO 27001 can help improve an organisation’s reputation and credibility with customers and other stakeholders.
  • Increased competitive advantage: In today’s competitive marketplace, ISO 27001 certification can give organisations a real competitive advantage.
  • Improved risk management: ISO 27001 can help organisations identify, assess and manage information security risks more effectively.
  • Enhanced customer satisfaction: By implementing an ISMS in line with ISO 27001, organisations can improve customer satisfaction by providing them with greater assurances about the security of their information.

Useful advice when choosing your certification body and the certification process

Use only accredited certification bodies

It is vital to ensure that the certification body you use is properly accredited by a recognised national accreditation body that is a member of the IAF (International Accreditation Forum), such as UKAS (the United Kingdom Accreditation Service).

A full list of recognised national accreditation bodies by country can be found on the IAF website. There you can check whether a particular certification body’s ISMS scheme has been officially accredited. If the accreditation body behind a certification body does not appear on this list, you can safely assume that it is not officially recognised and that any ‘certificates’ it issues are unlikely to be accepted as valid.

The certification process

The certification body will:

  1. Review your documentation (including the scope of the ISMS, risk assessment and treatment documents, and Statement of Applicability);
  2. Check that you have implemented appropriate controls from Annex A of ISO 27001;
  3. Carry out a site audit to see the procedures in practice.

If it is satisfied with your implementation, the certification body will issue your certificate.

The certification process typically takes days rather than weeks, depending on the size of your organisation.
