ISO 27001 Certification Costs
The cost of certification varies and consists of several elements, as outlined below:
- Implementation costs
This can include research costs, implementation costs, time costs, measurement costs and improvement costs.
- Certification costs
Costs for having your management system for information security certified and retaining your certification.
- Failure costs
Perhaps you made a mistake while setting up your ISMS and consequently your system does not meet the requirements of the standard. This could lead to a second assessment with extra costs.
- Possible training and awareness costs
ISO 27001 Certification Process
After you have applied for ISO 27001 certification, the certification body will send an auditor to your company to assess whether your ISMS meets the requirements of the standard. The audit consists of the following steps:
- ISO 27001 gap analysis
The auditor compares your ISMS with the requirements of the ISO 27001 standard. The result of the gap analysis is a realistic overview of the areas that need to be improved before the formal assessment. This is not a mandatory part of the assessment process.
- Formal assessment
Stage 1: The auditor will check …
… does your ISMS meet all the requirements?
… has your organisation created the Statement of Applicability?
… is the risk assessment correct?
… is the documentation correct and available?
Stage 2: The auditor will assess whether all controls and procedures are accurate and implemented, and whether appropriate evidence is provided.
When your ISMS meets the requirements of the standard, you will achieve certification and receive the ISO 27001 certificate.
ISO 27001 Certification Cycle
The certificate expires after three years and will need to be renewed. There are annual surveillance visits to ensure you continue to comply and to drive improvement. The certification cycle is a three-year cycle with the steps mentioned in the certification process above.