ISO 27001 and ISO 27002 2022 updates
ISO/IEC 27001:2022 – the newest version of ISO 27001 – was published in October 2022.
Organisations that are certified to ISO/IEC 27001:2013 have a three-year transition period to make the necessary changes to their ISMS (information security management system).
For more information about ISO 27001:2022 and its companion standard, ISO 27002:2022, and what they mean for your organisation, please visit ISO 27001 and ISO 27002: 2022 updates
The cost of ISO 27001 certification can vary depending on a number of factors, such as the size and complexity of your organisation, the number of locations, and the number of employees.
Having prepared hundreds of organisations for ISO 27001 certification over the past 15 years, IT Governance suggests budgeting the following amounts to cover the cost of the initial certification audit. There will be further audit costs throughout the three-year certification period.
The actual fee charged will depend on the certification body you appoint and the risk it associates with your ISMS (information security management system), but you can use the below table as a guide.
Speak to an ISO 27001 expert
Speak to one of our specialists for more information on ISO 27001 budgeting and avoid any unexpected costs when it comes to implementation and certification. Call our expert team on +44 (0)1474 55 66 85 or request a call back using the form below.
Estimated ISO 27001 certification costs
The table below displays the recommended ISMS audit time according to the size of the organisation, as stipulated in ISO/IEC 27006:2015, and the estimated certification cost.*
| Number of employees | Number of audit days** (Stage 1 and Stage 2) | Estimated certification cost*** |
|---|---|---|
| 1 | 5 | £6,250 |
| 11 | 6 | £7,500 |
| 16 | 7 | £8,750 |
| 26 | 9 | £11,250 |
| 46 | 10 | £12,500 |
| 66 | 11 | £13,750 |
| 86 | 12 | £15,000 |
| 126 | 13 | £16,250 |
| 426 | 17 | £20,625 |
| 626 | 18 | £21,875 |
| 876 | 19 | £23,125 |
| 1176 | 20 | £24,375 |
| 1551 | 21 | £26,250 |
| 2026 | 22 | £27,500 |
| 2676 | 23 | £28,750 |
| 3451 | 24 | £30,000 |
| 4351 | 25 | £31,250 |
| 5451 | 26 | £32,500 |
| 6801 | 27 | £33,750 |
*Please note: this information is for guidance purposes only and should not be taken as definitive. These costs are based on our experience. Your chosen certification body’s costs may differ. The above table does not include fees following the initial certification audit and is based on a positive recommendation at the Stage 2 audit.
**According to ISO 27006, the minimum audit duration may be 70% of the recommended time as prescribed by the Standard. Our figures are rounded to the nearest whole day.
***The daily fee for an audit will vary between certification bodies. Our estimate assumes a daily fee of £1,250, the midpoint of the typical £1,000 to £1,500 range.
Is ISO 27001 certification worth it?
ISO 27001 certification can be highly beneficial to organisations of all sizes. Not only does it provide a rigorous framework for implementing an ISMS but it also offers a range of other benefits, including:
- Improved security posture: By implementing an ISMS in line with ISO 27001, organisations can improve their security posture and better protect their information assets.
- Enhanced reputation and credibility: Certification to ISO 27001 can help improve an organisation’s reputation and credibility with customers and other stakeholders.
- Increased competitive advantage: In today’s competitive marketplace, ISO 27001 certification can give organisations a real competitive advantage.
- Improved risk management: ISO 27001 can help organisations identify, assess and manage information security risks more effectively.
- Enhanced customer satisfaction: By implementing an ISMS in line with ISO 27001, organisations can improve customer satisfaction by providing them with greater assurances about the security of their information.
Overall, ISO 27001 certification offers a range of benefits to organisations of all sizes. If you are implementing an ISMS, then certification to ISO 27001 is well worth considering.
Why you should only use accredited certification bodies
It is vital to ensure that the certification body you use is properly accredited by a recognised national accreditation body that is a member of the IAF (International Accreditation Forum), such as UKAS (United Kingdom Accreditation Service).
The IAF website has a full list of recognised national accreditation bodies by country, which makes it easy to check whether a particular certification body’s ISMS scheme has been officially accredited. If an accreditation body does not appear on this list, you can safely assume that it is not officially recognised and that any ‘certificates’ issued by the certification bodies it accredits are unlikely to be accepted as valid.
The certification process
The certification body will first review your documentation (including the scope of the ISMS, risk assessment and treatment documents, and Statement of Applicability) and check that you have implemented appropriate controls from Annex A of ISO 27001.
It will then carry out a site audit to see the procedures in practice. If it is satisfied of successful implementation, the certification body will issue your certificate.
The duration of the certification process inevitably varies with the size and type of the organisation, but it typically takes days rather than weeks.
Ready to simplify your security? Let’s get started
Having led the world’s first ISO 27001 certification project, we are the global pioneer of the Standard. Let us share our expertise and support you on your journey to ISO 27001 compliance.
Speak to an expert
Please contact our team for advice and guidance on our ISO 27001 products and services.