ISO 27001 – The cost of ownership
A common question we get asked is ‘how much does it cost to achieve ISO 27001 certification?’. This is a legitimate question when considering the business case for implementing an ISO 27001 Information Security Management System. So let’s set the record straight – the cost is nominal in the scheme of things.
Yes, you may need internal and/or external resources to build your management system, and yes, there is a requirement to conduct independent internal audits of your system both in preparedness for the external audits and as an ongoing requirement to maintain your system, and yes, there are costs associated with the provision of external audit and certification services.
A study conducted by American Express in conjunction with the Centre for Economics and Business Research (2017) reported that micro-businesses that typically have one to nine employees, spend an average of £225,379 per year on buying goods and services for their companies (and firms at the larger end of the SME spectrum – those with 50 employees or more – spend an average of £3,029,033 each year).
Considering this, the costs associated with implementing and certifying an ISO 27001 Information Security Management System appear trivial at circa 5-10% of this for a micro-business, and this cost is not proportionately uplifted for larger organisations. This is of course caveated by the robustness of your existing security controls and the availability of suitably competent internal resources you can assign to an implementation project.