ISO 9001 certification costs: what does it really cost?
14 min read

ISO 9001 certification costs: what does it really cost?

Written By

You've received a quote from a certification body. Or you've received three different quotes and they're far apart. Now you're trying to understand what that price actually covers, what you haven't factored in yet, and whether you'll be facing surprises down the line.

This article gives you a realistic picture of what ISO 9001 certification costs for an SME -- broken down by cost component, by year, and by the choices you make. Including the factors that determine the bill and the smart ways to keep costs under control without putting the quality of the process at risk.

What does ISO 9001 certification cost?

Costs in the first year

For an SME with up to 25 employees, costs in the first year range between €3,000 and €30,000. That's a wide range, and intentionally so: what you pay depends heavily on the choices you make. Below you can see how those costs break down.

Certification body (Stage 1 + Stage 2 audit)

Audits at an accredited certification body typically cost a small SME €2,000 to €5,000. Stage 1 is a documentation review -- the auditor assesses whether your quality management system meets the standard on paper. Stage 2 is the on-site audit day, where the auditor also interviews employees and tests real-world practice.

External consultant or implementation partner

This is the most variable cost component. Hiring an external party is not mandatory, but it speeds up the process and reduces the risk of a failed Stage 2. Costs range from €3,000 to €15,000, depending on what you're buying: review and advice only, or full support including writing documentation and preparing the internal audit.

Software (QMS tool or GRC platform)

Tools range from €1,000 to €10,000 per year. This is not a mandatory cost, but you'll notice the difference: those who manage everything in spreadsheets pay for it in consultant hours and audit preparation time. A cheap tool often causes more headaches than time savings, but it's usually not worth spending €10,000 or more on a tool just for ISO 9001 in a relatively small organisation. More on this in the "Software versus spreadsheets" section below.

Internal time

This is the cost component most often underestimated. Plan for 0.5 to 1 FTE during the implementation phase for 3 to 6 months. That's the time of a project lead who defines the scope, carries out the risk analysis, writes policies and procedures, prepares the internal audit, and acts as the point of contact for the external auditor.

In practice, for an SME this means someone with another role temporarily giving up a large part of their schedule. As an example: at a gross annual salary of €50,000, 0.5 FTE for three months equals approximately €6,000, and 1 FTE for six months equals approximately €25,000 in hidden salary costs. This makes internal time the heaviest cost component of the entire process for most SMEs.

Costs per component summary (year 1, SME up to 25 FTE):

Cost componentRange
Audit (Stage 1 + Stage 2, accredited body)€2,000 - €5,000
External consultant/implementation partner (optional)€3,000 - €15,000
Software/QMS tool€1,000 - €10,000
Internal time (0.5-1 FTE, 3-6 months)€6,000 - €25,000 (see explanation)
Total first year (indicative, excluding internal time)€3,000 - €30,000

The lower bound of €3,000 applies to organisations that have everything in order and only purchase the audit. The upper bound of €30,000 is realistic if you're starting from scratch and doing everything yourself, without a tool or advisor.

Costs in year 2 and 3

After the initial certification, 2 annual surveillance audits follow -- in year 2 and year 3. These cost €1,500 to €2,500 per year, depending on the size of your organisation and the certification body.

In year 3, the certificate lapses if you don't complete a recertification audit. That audit is similar in effort to the initial Stage 2: the auditor checks whether your QMS has functioned over the past three years and whether you've systematically implemented improvements. In terms of costs at the certification body, you're again looking at €2,000 to €4,000, depending on scope and body.

Over the full three-year period -- initial certification, two surveillance audits, and recertification -- you're looking at €6,000 to €35,000. The lower end of that range applies to organisations that can handle a lot internally and have a limited scope. The upper end is realistic for companies with multiple locations, a broad scope, or structural external support.

What determines the level of costs?

Size and scope

The audit price of a certification body is based on the number of so-called effective auditor man-days. That's a formula that takes into account the number of employees, the number of locations, and the complexity of the scope. More employees and more locations means more audit time, and therefore a higher invoice.

Actively limiting your scope is the most direct way to reduce audit costs. An SME that limits its certification to core processes -- and leaves services or departments with little external customer interaction out of scope -- pays considerably less than a company that includes everything. Start narrow, certify what you can demonstrate, and expand later.

Internal versus external support

An external consultant speeds up the process and reduces the risk of rejections at the Stage 2 audit. But external support comes at a price, and that price varies significantly.

The alternative is investing in internal knowledge. Training one employee as an internal auditor is a one-off investment that pays for itself on every subsequent audit cycle. You pay less in consultant fees and are less dependent on external parties to ensure the continuity of your QMS. For the initial certification, some external guidance is rarely wasted money; for the years that follow, it's better to be able to handle as much as possible internally.

Software versus spreadsheets

Many SMEs start with Word documents and Excel sheets. That works up to a point. The problem is the management burden: keeping track of versions, collecting evidence, following up on non-conformities, and maintaining audit trails costs a disproportionate amount of time in spreadsheets.

A QMS tool or GRC platform like Tidal centralises that work. Procedures, policies, and supporting documentation are in one place, with version history and approval workflows. Tidal's controls management module lets you record the corresponding measures per ISO 9001 clause and link evidence, which significantly reduces preparation time for Stage 1 and Stage 2. The €3,000 per year this tool costs pays for itself in fewer consultant hours and shorter audit preparation time.

Combining ISO 9001 with ISO 27001

If your organisation is pursuing both ISO 9001 and ISO 27001 certification, the order and planning of those processes is a direct cost variable.

Both standards use the High Level Structure (HLS): the same basic framework for clauses such as context of the organisation, leadership, planning, support, and improvement. This means that with a combined approach, the internal audit, management review, quality and information security policy, and a large part of the risk analysis only need to be set up once. The shared structure reduces the marginal cost of the second standard by roughly 30-50% compared to two fully separate processes.

The practical proof: Nedscaper achieved both ISO 27001 and ISO 9001 simultaneously in 12 weeks. Nedscaper, a Dutch IT service provider, faced a hard client deadline with an expired ISO 27001 certificate and no ISO 9001. With Tidal and consulting partner Fendix, they rebuilt their entire QMS and ISMS from scratch and obtained both certificates in twelve weeks. Project lead Maurits Broers: "The structured guidance from Tidal and Fendix, combined with the templates and workflows of the tool, made it possible to succeed."

The combined approach was not only faster -- it was also cheaper per certificate than if the two processes had been started separately.

How to keep costs low

Start earlier. Working under time pressure creates the need for more consultant hours. An implementation that can be done in six months without external pressure costs double if you try to force it through in eight weeks. Plan the process well before the deadline that applies to you -- a tender, a client requirement, a contract date.

Limit the scope deliberately. Decide which processes, departments, and locations you include in the first certification and which you don't. A narrower scope means less audit time, less documentation work, and less chance of findings at Stage 2.

Build internal audit capacity. Train one employee as an internal auditor. That investment pays for itself on every subsequent audit cycle. You pay less externally and you monitor the quality of your own QMS without being dependent on consultants.

Use software instead of spreadsheets. The management burden of version control, evidence collection, and audit preparation is considerably lower in a tool than in separate documents. That time saving translates directly into fewer consultant hours and shorter audit lead times.

Combine with ISO 27001 if you need both. The shared structure of both standards makes combined implementation considerably more cost-efficient than two separate processes. If you know you need both, start simultaneously.

About the ISO 9001:2026 revision

Expected in Q3 2026 (status as of June 2026). The changes are evolutionary: attention to quality culture, sustainability and climate context, better alignment with digitalisation, and a new clause for change management. The basic structure of the standard remains intact.

After publication, a transition period of approximately three years follows. Existing 2015 certificates do not immediately become invalid. If you start now with the 2015 version, you build a working QMS, obtain your certificate, and later adapt to the 2026 requirements during the transition period. Waiting for the new version costs you at least an extra year and solves no practical problem.

Want to see how Tidal manages the ISO 9001 process?

From gap analysis to audit preparation: Tidal gives you the structure to implement and maintain ISO 9001 efficiently, without spreadsheet chaos.

See how Tidal manages the ISO 9001 process

Frequently asked questions about ISO 9001 certification costs

What does ISO 9001 certification cost for an SME?

For an SME with up to 25 employees, costs in the first year range between €3,000 and €7,000. That covers the audit costs at an accredited certification body (€2,000-€5,000), plus any software and external guidance. Over the three-year period, including annual surveillance audits of €1,500 to €2,500 per year, you're looking at €12,000 to €35,000, depending on scope and the level of external support.

What are the surveillance audit costs in year 2 and 3?

Surveillance audits typically cost €1,500 to €2,500 per year. They are shorter than the initial Stage 2 audit and focus on the functioning of your QMS over the past period and the follow-up of earlier findings. In year 3, a recertification audit follows that is similar in scope to the initial Stage 2 and again costs €2,000 to €4,000 at the certification body.

How can I reduce the costs of ISO 9001 certification?

The most effective ways: start early so you're not working under time pressure, limit the scope for the first certification, build internal audit capacity, use software instead of spreadsheets, and combine with ISO 27001 if you need both. Companies that combine one or more of these approaches consistently land at the lower end of the cost ranges.

Is an external consultant required for ISO 9001?

No. External support is not mandatory. Organisations with structured processes and someone who can dedicate sufficient time to the project can achieve ISO 9001 without a consultant. In practice, external support reduces the chance of findings during Stage 2 and speeds up implementation. For a first certification, some support is rarely unnecessary -- Tidal Control offers consulting services for exactly this phase -- request a free Quickscan. In the years that follow, building internal capacity to manage the QMS independently is the better investment.

What does it cost if I pursue ISO 9001 and ISO 27001 at the same time?

The total costs are higher than for a single certification, but the marginal costs for the second standard are considerably lower than if you were to start two fully separate processes. The shared HLS structure means you only need to set up the internal audit, management review, policies, and a large part of the risk analysis once. In practice, that saves 30-50% on the additional costs of the second standard. Nedscaper obtained both certificates in twelve weeks through a combined process.

Subscribe now for monthly updates: what's new at Tidal, framework news, and compliance resources.

By submitting your email you agree to our Privacy Policy.