The costs for an ISO 27001 certification are in two parts: consultancy costs, and certification costs. 

Consultancy costs are determined by your consultant based on the work and effort required.  Some factors that will impact the consultancy costs are the maturity of the organisation’s process/es, the level of documented information available already, and the level of information security and controls already in place prior to the ISO 27001 certification process.

Certification body costs are separate from consultancy costs, and are determined by the certification body, based on a number of factors including the scope of certification, size of company, number of sites/premises, risk attributed to scope of certification. In Europe, the day rate is in the region of €1000, and accredited certification bodies often base their calculation on the audit time chart as defined in ISO 27006:2015, among other factors that affect their pricing.

A handy guide to the initial certification body costs relating to ISO 27001 can be found below;

The duration to achieve ISO 27001 certification typically spans from a few months, usually a minimum of 3 months, up to 2 years. Our suggested timeframe, from experience, is between 6 and 9 months.

The duration is impacted by the organisation’s availability and commitment to the process, its maturity and also the level of documented information available already.

No specific software is needed to implement ISO 27001.

The standard is not specific in this respect and does not prescribe what tools should be used, so in order to implement or maintain an ISO 27001 certification there is no need to purchase any software and/or licence. If the organisation already uses software to manage its operations and infosec (such as an ERP or project management software) these can be used to implement and facilitate certain functions.

2013 was the previous of the standard; 2022 is the newer, latest version of ISO 27001, which made the controls of the standard easier to understand and implement.

Price is an important factor in your choice of certifying body for ISO 27001, but certainly not the only factor of importance; if you base your decision on price and nothing else, you may end up working with a certification body that has no experience in your field, or has a poor reputation, or is not even recognized by your potential customers. Obviously, non-accredited certification bodies shouldn’t even be considered.

We recommend that one considers a certification body that brings value to the relationship, and not just pure compliance recognition.

It is also worth considering the brand of the certification body – as a newly certified company you will announce to the world and advertise your new ISO 27001 certification by using the certification body’s logo. Make sure your brand and the certification body’s brand are in harmony.

Competence and experience in your niche and industry are also considerations to be made in your choice for the ideal certification body to certify your business for ISO 27001. For example, perhaps most of your competitors use the same certifying body, and this may be a pro or a con for your company.

Other things to consider include the local or international nature of the certification body and how this relates to the business being certified; e.g. a large multinational would be well advised to use a large multinational certification body and not a small regional certification body. 

The clients of the organisation or business seeking certification may also have their preference in terms of certification body, for example, your clients may require that their subcontractors use the same certification body as they use.  

Also to be considered is language; some certification bodies have Maltese speakers among their staff; others are English speaking or serve the Italian market.

The ISO 27001 certificate is valid for 3 years provided that a yearly surveillance audit is carried out by the same certifying body that certified the company.