ISO 27001 costs: What does certification really cost your organisation?
Dennis van de Wiel
The question "what does ISO 27001 cost?" sounds simple, but the answer rarely is. Most organisations Google or ask AI about the audit costs, see a figure of a few thousand euros and think they have the full picture. That's a mistake that turns out to be expensive later, because the external audit is often the smallest of three cost components.
This article sets out all the costs: the internal time investment, the external audit, tooling and ongoing maintenance. With realistic figures for small and medium-sized organisations, based on current market rates, so you can put together a budget that holds up and know where you can save without sacrificing quality.
The three cost components that together form the real picture
The total investment consists of three categories. The first is the preparation and implementation of your information security management system (ISMS): the risk analysis, policies, setting up controls and training employees. The second is the external certification audit. The third is ongoing maintenance to stay certified.
Each of those categories has direct costs (invoices from external parties) and indirect costs (the time of your own team). It's precisely those indirect costs that are most often underestimated, because no invoice arrives for them. Yet the internal time investment is the largest cost component for most organisations. Anyone who only budgets for the audit will get stuck halfway through.
What drives costs the most
Three factors determine the lion's share of the difference between organisations: scope, maturity and complexity. The number of employees plays a role, but less than people think.
Scope is the most important lever you can pull yourself. A certification body calculates the number of audit days based on the number of employees within scope, the number of locations and the complexity of your processes. The more sharply you define your scope, the fewer audit days, and audit days are a direct cost factor. Keeping the scope artificially small doesn't work, because an auditor checks whether your definition is credible.
Maturity determines how much work you still need to do. If you already have MFA enabled everywhere, test your backups and review access rights periodically, you mainly need to formalise those controls. Organisations with a mature security programme report 30 to 50 per cent lower total costs than organisations starting from scratch. Complexity works the other way: a hybrid environment with custom-built applications requires more controls, more evidence and more audit attention than a straightforward cloud environment.
Internal costs: the largest and most underestimated item
The time your team spends on the process is almost always the largest cost item. For a medium-sized organisation, it quickly adds up to 200 to 400 hours, spread over several months, for the risk analysis, policies, setting up controls, gathering evidence and audit preparation. Do the maths: a senior employee with a rate of 75 euros per hour spending 200 hours costs 15,000 euros in internal time. A phased approach over quarters makes the burden more manageable and the quality higher.
A second internal item is documentation. ISO 27001 requires mandatory documents from the organisation, including the information security policy, the risk assessment, the Statement of Applicability and the internal audit report. Writing these from scratch takes an average of 40 to 80 hours. Using proven templates significantly shortens that time, and prevents rework when a self-written document is missing an essential element during the audit.
External costs: audit, guidance and tooling
Audit costs are the most predictable because they follow IAF guidelines. For the full 3-year cycle, including the initial certification and annual surveillance audits, a small organisation (up to 25 employees) typically pays 3,500 to 4,500 euros for the initial audit. For medium-sized organisations (25 to 100 employees) and larger ones, the figure increases with FTE. The initial audit consists of stage 1 (document review) and stage 2 (implementation review). Annual surveillance audits cost approximately one third of the initial audit, and recertification after three years is comparable in scope to the first. Plan those ongoing costs into your multi-year budget from the start.
Guidance is optional and varies considerably. Figures between 5,000 and 40,000 euros are common in the market. Full outsourcing shortens the timeline but is guaranteed to be more expensive, and carries the risk that after the consultant leaves you have a system you can't maintain yourself. The best ratio of cost to quality usually comes from combining tooling with targeted guidance where it's really needed, while remaining just as affordable as hiring a consultant alone.
Tooling is of course not mandatory, but in practice it saves so much time that it pays for itself quickly. More important than the licence price is how many internal hours the platform saves, typically the largest item. Also invest only in additional security tools that address a specific risk identified in your analysis.
Three persistent misconceptions about costs
"The audit invoice is the cost price." The most common mistake. The external audit is often the smallest part of the investment. Preparation, setting up your ISMS and training employees typically costs several times the audit itself. Anyone who only budgets for the audit will face a choice halfway through: postpone, compromise on quality or find additional budget at short notice.
"Cost per employee is the right measure." Misleading, because costs don't scale linearly with the number of employees. An organisation with twenty people and a complex environment can end up paying more than one with fifty people and a simple cloud setup. The real cost drivers are scope, complexity and maturity.
"An expensive consultant guarantees quality." Not automatically. A consultant adds value where you lack expertise, but building your entire ISMS without knowledge transfer delivers a system you can't maintain after they leave. The best results come from a balance between external expertise and internal ownership, so your ISMS stays alive after the first certification.
How to keep costs manageable
The most effective saving is a sharp scope definition. Don't certify your entire organisation if that isn't necessary; focus on the services your customers expect and the systems and processes that support them. Every control that falls outside scope is a direct saving. Keep the scope credible though, because a definition that doesn't reflect reality raises suspicion with auditors and customers. If you're unsure about this, a consultant can give good advice.
The second saving lies in templates and automation. Proven templates reduce the risk of findings, and a nonconformity you have to resolve after the audit means rework and another audit round.
The third saving is structural: embed the improvement cycle into your regular work processes. Treating compliance as an ongoing part of work rather than an annual project prevents the peak load before every surveillance audit. And if you're also pursuing SOC 2, NIS2 or the GDPR alongside ISO 27001, you share a large part of the work: a second framework therefore costs considerably less than a standalone project.
Example: small and medium-sized organisation
A SaaS startup with 10 to 25 employees, fully cloud-based, with some basic controls already in place but no formal documentation. Expect 100 to 200 hours of internal time over three to four months, 3,500 to 4,500 euros in audit costs for the initial external audit, and a platform from a few hundred euros per month. With optional targeted guidance, the total investment in year 1 is typically between 8,000 and 20,000 euros. In subsequent years that drops to 5,000 to 10,000 euros per year.
How Tidal Control reduces costs
Tidal Control centralises your ISMS in one place: policies, risks, controls, tasks and evidence. The pre-built controls and more than thirty policy templates shorten the start-up phase, and evidence is automatically collected via integrations with Microsoft Azure, AWS, Google Cloud, GitHub, GitLab and Jira, with more than 300 automated tests that continuously check whether controls are working. That removes the annual peak load before the surveillance audit.
On the cost side, Tidal makes the trade-off transparent. The platform costs around 6,000 euros per year, a trade-off between direct costs and the internal time you save. For implementation guidance we charge around 5,000 euros. In combination with the platform we offer a discount on this, because the consultant also works more efficiently.
This puts you on a solid, accredited path without the overpricing that regularly occurs in this market, with a certification guarantee as the finishing touch. The result: an ISMS your team understands and maintains itself, built on a platform that keeps collecting evidence long after the first audit is completed.
Want to know where your organisation stands?
A reliable cost estimate starts with knowing where you stand right now. Which controls do you already have implicitly, and where are the gaps? Take the free Quickscan and get a first picture of your position and the logical next steps in five minutes. No sales call, no obligations.
Frequently asked questions about ISO 27001 costs
What do the costs of ISO 27001 certification consist of?
ISO 27001 is the international standard for information security against which organisations certify their information security management system (ISMS). The costs consist of three categories: internal costs (the time of your team for risk analysis, documentation, implementation and training), external costs (the audit by the certification body, any guidance and tooling) and ongoing costs (annual surveillance audits, maintenance and recertification after three years). The internal time investment is often the largest item, but is most often overlooked because no invoice arrives for it.
What does ISO 27001 cost for a small or medium-sized organisation?
For a small organisation (10 to 25 employees), the total investment in year 1 is typically between 8,000 and 20,000 euros, including internal hours, audit costs and tooling. For a medium-sized organisation (25 to 100 employees) and larger, costs increase with FTE and complexity.
Which costs are most often underestimated?
Three items: the internal time investment (200 to 400 hours for a medium-sized organisation), the ongoing maintenance after the first certification, and the cost of rework when a control or document doesn't meet requirements at the audit. That last one is avoidable by using proven templates and a thorough internal audit in advance.
How do you structurally reduce costs?
Three approaches work best: a sharp but credible scope definition, the use of templates and automation to minimise manual work, and embedding the improvement cycle into your daily work processes so you don't create an annual peak load. Anyone also pursuing a second framework saves significantly by setting up overlapping controls just once.