Home  »  ISO 27001 Cost

ISO 27001 – The cost of ownership

A common question we get asked is ‘how much does it cost to achieve ISO 27001 certification?’. This is a legitimate question when considering the business case for implementing an ISO 27001 Information Security Management System. So let’s set the record straight – the cost is nominal in the scheme of things.

Yes, you may need internal and/or external resources to build your management system, and yes, there is a requirement to conduct independent internal audits of your system both in preparedness for the external audits and as an ongoing requirement to maintain your system, and yes, there are costs associated with the provision of external audit and certification services.

A study conducted by American Express in conjunction with the Centre for Economics and Business Research (2017) reported that micro-businesses that typically have one to nine employees, spend an average of £225,379 per year on buying goods and services for their companies (and firms at the larger end of the SME spectrum – those with 50 employees or more – spend an average of £3,029,033 each year).

Considering this, the costs associated with implementing and certifying an ISO 27001 Information Security Management System appear trivial at circa 5-10% of this for a micro-business, and this cost is not proportionately uplifted for larger organisations. This is of course caveated by the robustness of your existing security controls and the availability of suitably competent internal resources you can assign to an implementation project.

Cost and benefits are a consideration for any business activity
iso 27001 cost

Nonetheless moving beyond the costs one must consider the return on investment. First and foremost ISO 27001 is the pre-eminent Information Security Management System Standard globally. This is why certifying to this standard is more than an expectation, it is the norm in regulated sectors, and typically seen as a requirement in procurement processes across multiple sectors.

ISO 27001 invokes trust in your supply chain partners and customers. It sends a message that you are coordinated in your approach to information security, that you value your assets and you are taking a risk-based approach to ensure they are protected against the myriad of threats that exist.

We do argue however that this is one of many bonuses of achieving this information security baseline. At the heart of things, like the other core ISO standards, implementing ISO 27001 provides a framework for operating within that protects your business and enhances shareholder value. The Standard require you to take a view of your critical assets, to catalogue them and classify them. It requires that you apportion appropriate controls to protect your assets, their confidentiality, integrity and availability. It provides a framework for engaging with your people and your interested parties to further this cause, and it considers what happens when things go wrong. But most of all, it is about the cycle of improvement, a cycle which mandates Management involvement and demonstrable and accountable improvement. This should be at the crux of any organisations’ objectives as we turn the corner and embrace an interconnected digital age.

information security management

“ISO 27001 provides a framework for operating within that protects your business and enhances shareholder value. ” 

ISO 27001 may also be the backbone of any security and resilience framework that is implemented in your organisation. Aligned with the ISO High-Level Structure ISO 27001 lends itself to partnering with ISO 27017 for Cloud Security, ISO 22301 for Business Continuity, ISO 37001 Anti-Bribery, and non-ISO frameworks such as NIST Cyber Security, NERC and PCI DSS. In addition, as the last twelve months have accelerated our adoption of all things digital, protecting your digital assets via the CryptoCurrency Security Standards from the C4 Consortium and the like is also best implemented off the back of an ISO 27001 foundation.

Operating a sustainable business may require ISO 27001 certification, but maintaining it for the certificate is not doing your business or the standard justice. The quickest way to a successful re-certification is to use your system, maintain interest and engagement with your system and continuously improve it. ISO 27001 is not just for Christmas, it is an enduring framework to sustain and enhance your security posture. It is there when you expand your offerings, engage with new suppliers, move through difficult times, and invest in the future.

And like any habit, once it’s embedded it becomes easier to follow. To borrow an idea from the Tao Te Ching (Lao Tzu, 6th century BC), you will reach a position [with ISO 27001] where you do nothing yet leave nothing undone.

Contact us now to arrange a pro bono (no obligation) consultation to discuss your information security requirements.

Your contact for ISO 27001 information:

Dan Breger
Principal Consultant
Mobile: +44 (0) 797 167 8039
dan.breger@hvassallo.com