What Does It Cost To Maintain ISO 27001 Compliance?

Pivot Point Security
2 min read · Oct 31, 2019

One of the (many) things I like about ISO 27001 is that the cost to maintain your ISO 27001 compliance (that is, your ISO 27001 certificate) is relatively inexpensive — especially when compared to other attestation schemes like SOC 2.

ISO 27001 Maintenance Audit Schedule

[Infographic: ISO 27001 Audit Cycle]
An example schedule of certification, surveillance, and recertification audits for an ISO 27001 certificate over several years.

To maintain your ISO 27001 certificate you will need to have an audit conducted annually by your registrar (certification body). Your first audit is referred to as a certification audit, and the certificate it produces is valid for three years. In years two and three your registrar conducts a narrower audit, referred to as a "surveillance audit," which covers a sample of the ISMS rather than the whole of it; in year four a full recertification audit starts the cycle over. This has a positive side effect: the cost of a surveillance audit is generally around two-thirds the cost of the original certification audit.
Approximate certification/surveillance audit costs (50-person SaaS vendor with infrastructure co-located at a single data center):

ISO 27001 Compliance Costs

Year   Audit Type        Cost
1      Certification     $12,000
2      Surveillance       $7,500
3      Surveillance       $7,500
4      Recertification   $12,000
5      Surveillance       $7,500
6      Surveillance       $7,500

In practice, there are other costs that may come into play:
Scope extension — It is not uncommon for an organization to “extend” their scope during surveillance audits to add other services or locations. Additional scope equals additional cost.
Internal ISMS Audits — ISO 27001 (clause 9.2) requires internal audits of the ISMS at planned intervals, which in practice means at least annually. These can be done by internal staff or by a third party. About two-thirds of our ISO 27001 clients ask us to conduct their internal ISMS audits, at an average cost in the $7,500 range.
Other Third-Party Testing — Many organizations use third parties to conduct vulnerability assessments and penetration tests. I generally don't consider this an "ISO cost" (many companies are already doing this regardless of certification), but I have seen some clients count it as one, so I have included it here.
Consider, then, a fictitious client who asks Pivot Point Security to conduct their internal ISMS audits each year: their average yearly cost to maintain their ISO 27001 certificate (ISO 27001 compliance) is roughly $17,000 (one-third of the three-year cycle's registrar fees, about $9,000, plus the $7,500 internal audit). This compares favorably to the cost of a SOC 2 audit. An approximate cost to conduct a SOC 2 Type 2 audit for our fictitious client is in the $40,000 to $70,000 range (with the higher cost associated with the use of a "name brand" CPA firm). The difference gets more notable because a SOC 2 Type 2 report covers a review period and must be fully re-performed every year; there is no cheaper "surveillance" year, so the cost typically does not vary much year over year.
I think the fact that it’s more comprehensive, more widely accepted internationally, and less than half the cost of SOC 2 explains why so many companies are turning to ISO 27001.
