ISO 27001 Cost - Thoropass

What typically affects the cost of an ISO certification?

The cost of an ISO 27001 certification is variable. Unlike SOC 2, ISO 27001 is highly regulated and customized to the company. In order to get a proper estimate, your audit partner will need to know the following, among others:

How many employees do you have?
Where are offices and people located geographically?
What data does the application ingest?
Does your platform live on multiple cloud platforms?

A small business with 5 employees and 1 location might only require a few days of auditing, bringing the cost down. Whereas a larger, multi-site company could take up to 1 month of auditing. We recommend starting your compliance journey early, so your company can avoid the accrued costs associated with pushing off ISO 27001.

How much time does the ISO 27001 certification take?

The ISO 27001 audit process is broken down into two phases: an internal audit and an external formal certification audit. The internal audit, also known as a ‘mini audit,’ must be performed by an independent party or internal team. The formal audit can only be performed by an accredited ISO auditor. More on the audit process specifically here.

The mini-audit can take anywhere from 2 weeks to 1 month, given there is a remediation period between the mini-audit and formal audit. On the other hand, certification audits can take anywhere from 2 to 3 weeks to complete.

The certification audit is broken down into different stages; Stage 1 is normally a few days of presenting the policies and procedures to the auditor at a high level. Stage 2 occurs normally a few weeks after Stage 1 is completed where the auditor will dive into the detailed evidence to verify that the policies and procedures are being followed and comply with the ISO 27001 standard.

What are the costs associated with maintaining an ISO 27001 certification?

The pricing is dependent on each audit firm (there are only 21 audit firms in the United States!), but surveillance audits are required in year 2 and year 3 after the initial formal certification. Surveillance audits can determine whether or not the company is still operating as was originally represented in the initial certification year.