The cost of ISO 27001 certification and the difference between compliance and certification

What is the cost of ISO 27001, and what are the differences between compliance and certification?

This article will examine the cost of obtaining ISO 27001 certification and the finer differences between compliance and certification. We will look at the different recognised bodies certifying for ISO 27001 and the options available.


Try our ISO 27001 cost calculator

If you’d like to find out your estimated costs of achieving ISO 27001 quickly, try out our free cost calculator. 

What is ISO 27001 certification?

ISO 27001, as explained in our ‘What is ISO 27001’ article, is a widely-recognised standard created by the International Organisation for Standardisation (ISO) that deals with information security management and the handling of data and information security risks.

Organisations implementing ISO 27001 commonly learn a great deal about their business and their information-handling procedures whilst improving their processes and enhancing their reputation with partners and customers.

The process of ISO 27001 implementation can help your organisation to formally organise its information security procedures and improve overall confidentiality, integrity and availability from top to bottom. In the long run, ISO 27001 certification can save you time and money and help you to gain new business leads.

What is the difference between ISO 27001 compliance and ISO 27001 certification?

When initially enquiring and learning about ISO 27001, you may notice the words ‘compliance’ and ‘certification’ consistently pop up in different scenarios describing the standard. At first glance, you may think the two terms describe the same thing, but this is not the case. The paragraph below explains what compliance and certification each mean in the context of ISO 27001 and the differences between them.

Firstly, organisations always achieve compliance before they are formally certified with ISO 27001. Compliance means that your organisation meets the requirements of ISO 27001 from a purely organisational perspective. It does not mean you are certified, however, as you have not been audited by an external auditor – you have only self-assessed. To be certified for ISO 27001, you must have been audited by a certification body accredited by a member of the International Accreditation Forum (IAF), such as UKAS (the United Kingdom Accreditation Service), based in the United Kingdom.

Who can certify me for ISO 27001?

As briefly mentioned above, to be certified for ISO 27001, you must be audited by a certification body recognised by the IAF, the worldwide association of accreditation bodies, which brings together 94 accreditation bodies around the globe. In the United Kingdom, for example, the only recognised accreditation body is UKAS, which is in charge of auditing a small handful of certification bodies. UKAS is the national accreditation body appointed by the UK government. Therefore, it is the only body able to deliver accreditation to smaller certification bodies so that they can assess organisations and issue ISO 27001 compliance certificates.

You may have seen other certification bodies that are accredited by private accreditation bodies not recognised or appointed by any government or IAF member. These private organisations do not adequately certify you for ISO 27001, and their certifications are not globally recognised. Obtaining certification from these private organisations can lead to problems down the line, including a loss of business, time and money.

What is the process of certification for ISO 27001?

The ISO 27001 certification process involves a great deal of time spent defining information security management processes, followed by several audit stages that assess the processes being implemented and their ability to meet the requirements of ISO 27001.

There are two different stages of audits, stage 1 and stage 2. The steps ahead of the stage 1 audit involve identifying your information assets and applying them to a risk management framework to determine their information security requirements. In the run-up to the stage 1 audit, you will produce a great deal of documentation based on the identified information assets and their risks. Shortly before the audit, you will build your bespoke information security management system (ISMS).

Following the success of a stage 1 audit, you will go on to perform internal audits and begin operating your ISMS in the real world. You will start to store evidence of compliance with the standard and your ISMS implementation. This will lead you into your stage 2 audit, ultimately determining if you meet the requirements of ISO 27001 and can be officially certified.

What are the ISO 27001 certification requirements?

The ISO 27001 standard has over 200 different requirements. The requirements are outlined in the Annex A document and are all indicated by the word ‘shall.’ Any sentence starting with ‘shall’ contains a process your organisation must have in place for certification to be achieved. An example of this is section 6.1.2 a) of ISO 27001:

There are four different requirements discussed in the above extract, which are:

  • An information security risk assessment process must be defined.
  • An information security risk assessment process must be applied.
  • The process must establish and maintain criteria to guide the decision on which risks to accept.
  • The process must establish and maintain criteria to guide decisions on when to perform a risk assessment.

How much does ISO 27001 certification cost?

Looking at the cost of ISO 27001 certification can initially be quite daunting. Several unknowns, and many aspects of the certification you may not yet understand, make it harder to gauge the cost. In practice, however, there are only a few different costs to consider when starting the journey to certification.

If you’re still struggling to understand the different costs of ISO 27001 certification, you may want to use our unique ISO 27001 Cost Calculator. Visit the link and fill out a few short questions, and we will give you an estimate of the total cost as well as a full cost breakdown sent to your email.



Elisabeth Belisle

Elisabeth is an Associate Consultant of the British Standards Institute (BSI), a BSI qualified ISO 27001 Lead Auditor and member of the Standard Committee responsible for the publication of the BS 10008 Standard.

Elisabeth can help you decide if ISO 27001 is for you and support you through its implementation, all the way to certification.
