One of the (many) things I like about ISO 27001 is that the cost to maintain your ISO 27001 compliance (that is, your ISO 27001 certificate) is relatively inexpensive — especially when compared to other attestation schemes like SOC 2.
[Figure: ISO 27001 Maintenance Audit Schedule. An example schedule of the certification, surveillance, and re-certification audit cycle for an ISO 27001 certificate over several years.]
To maintain your ISO 27001 certificate you will need to have an audit conducted annually by your registrar. Your first audit is referred to as a certification audit. In years two and three your registrar will conduct a less rigorous audit, referred to as a “surveillance audit,” before the full re-certification audit starts the cycle again. This has a positive side effect: the cost of a surveillance audit is generally around two-thirds the cost of the original certification audit.
[Table: ISO 27001 Compliance Costs. Approximate certification and surveillance audit costs for a 50-person SaaS vendor with infrastructure co-located at a single data center.]
In practice, there are other costs that may come into play:
Scope extension — It is not uncommon for an organization to “extend” its scope during surveillance audits to add other services or locations. Additional scope means additional audit time, and therefore additional cost.
Internal ISMS Audits — One of the ISO 27001 requirements is an annual internal ISMS audit. This can be done by internal staff or by a third party. About two-thirds of our ISO 27001 clients ask us to conduct their internal ISMS audits, at an average cost in the $7,500 range.
Other Third-Party Testing — Many organizations use third parties to conduct vulnerability assessments and penetration tests. I generally don’t consider this an “ISO cost” (since many companies are already doing this regardless of certification), but I have seen some clients count it as one, so I have included it here.
Once again, consider a fictitious client who asks Pivot Point Security to conduct its internal ISMS audits each year: its average yearly cost to maintain its ISO 27001 certificate (ISO 27001 compliance) is roughly $17,000. This compares favorably to the cost of a SOC 2 audit. An approximate cost to conduct a SOC 2 Type 2 audit for our fictitious client is in the $40,000 to $70,000 range (with the higher cost associated with the use of a “name brand” CPA firm). Where the difference becomes more notable is that, because a SOC 2 audit covers a “period of time” and is repeated in full every year, its cost typically doesn’t drop year over year the way an ISO 27001 surveillance audit does.
I think the fact that it’s more comprehensive, more widely accepted internationally, and less than half the cost of SOC 2 explains why so many companies are turning to ISO 27001.