ISO 27001 – The cost of ownership
A common question we get asked is ‘how much does it cost to achieve ISO 27001 certification?’. This is a legitimate question when considering the business case for implementing an ISO 27001 Information Security Management System. So let’s set the record straight – the cost is nominal in the scheme of things.
Yes, you may need internal and/or external resources to build your management system; yes, there is a requirement to conduct independent internal audits of your system, both in preparation for the external audits and as an ongoing requirement to maintain your system; and yes, there are costs associated with the provision of external audit and certification services.
A study conducted by American Express in conjunction with the Centre for Economics and Business Research (2017) reported that micro-businesses, which typically have one to nine employees, spend an average of £225,379 per year on buying goods and services for their companies (and firms at the larger end of the SME spectrum – those with 50 employees or more – spend an average of £3,029,033 each year).
Considering this, the costs associated with implementing and certifying an ISO 27001 Information Security Management System appear trivial at circa 5-10% of this for a micro-business, and this cost is not proportionately uplifted for larger organisations. This is of course caveated by the robustness of your existing security controls and the availability of suitably competent internal resources you can assign to an implementation project.
ISO 27001 may also be the backbone of any security and resilience framework that is implemented in your organisation. Aligned with the ISO High-Level Structure, ISO 27001 lends itself to partnering with ISO 27017 for Cloud Security, ISO 22301 for Business Continuity, ISO 37001 for Anti-Bribery, and non-ISO frameworks such as NIST Cyber Security, NERC and PCI DSS. In addition, as the last twelve months have accelerated our adoption of all things digital, protecting your digital assets via the CryptoCurrency Security Standards from the C4 Consortium and the like is also best implemented off the back of an ISO 27001 foundation.
Operating a sustainable business may require ISO 27001 certification, but maintaining the system only for the sake of the certificate does neither your business nor the standard justice. The quickest way to a successful re-certification is to use your system, maintain interest and engagement with it, and continuously improve it. ISO 27001 is not just for Christmas; it is an enduring framework to sustain and enhance your security posture. It is there when you expand your offerings, engage with new suppliers, move through difficult times, and invest in the future.
And like any habit, once it’s embedded it becomes easier to follow. To borrow an idea from the Tao Te Ching (Lao Tzu, 6th century BC), you will reach a position [with ISO 27001] where you do nothing yet leave nothing undone.
Contact us now to arrange a pro bono (no obligation) consultation to discuss your information security requirements and obtain an appraisal for ISO 27001 certification cost.