Cost of ISO 27001 in Australia


It is often believed that the cost of implementing the ISO 27001:2013 standard is out of reach for most small and medium-sized enterprises (SMEs). This mistaken assumption is what is still holding back late adopters from the inevitable. Sooner or later, they will have to follow suit when International Organization for Standardization (ISO) standards become mandatory for all central government and commercial tenders. There is no actual standard cost for ISO 27001:2013 certification. The final certification cost varies dramatically based on numerous factors specific to your organisation and the resources you intend to deploy to bring this project to fruition.

Four main steps of obtaining ISO 27001:2013 certification

The process of obtaining and maintaining ISO 27001:2013 certification consists of four main steps, each of which is attainable through different approaches with varying resource requirements. In this article, we attempt to clarify the different cost elements involved, the considerations that impact them, and the cost implications of each approach.


Design and implementation of ISO 27001

The complexity of an information security management system (ISMS) design depends significantly on the organisation’s information security needs and the nature of the information assets it is trying to protect. It is important to note that the design and implementation phase constitutes the foundational legwork that will determine the course of the remaining phases. It is therefore advisable to ensure it is completed thoroughly. There are two different routes organisations can opt for when it comes to the design and implementation of an ISMS:

Using internal resources 

If your organisation can afford to pull staff members from their regular duties to tackle this project, you may choose to do so. You will need to create a task force in charge of the laborious task of learning the fundamental concepts of the ISO 27001:2013 standard until they have a clear understanding of the requirements and how they apply to your organisation specifically.


If you choose to go this route, this phase will cost your organisation only in productivity. Typically, this can be managed when the organisation is already running a tight ship.

Cost in $ = 0

Cost in productivity = High

Using external resources

Most SMEs, which typically operate with just enough staff to keep things going, cannot afford the first option because their employees already have their plates full with their daily duties. This is why it is more common for organisations to hire an ISO certification consultant such as Edara Systems. Again, when using a consultant, there is no standard fee charged across the board. Consultants will bill you based on the volume of work involved in designing and implementing your ISMS and on various other factors, such as:

  1. The extent of existing documentation
  2. The number and complexity of organisational processes
  3. The amount of time required for implementation


The average $ ranges for design and implementation:

Consultant fees in $ = 1,000–90,000

Cost in productivity = Low


Risk assessment and internal audit

Once the risk assessment has been completed properly, the next step is to conduct an independent internal audit to determine whether you are ready for the external audit. It is like having someone check your level of preparedness before a big exam. Again, there are two options to choose from:

Using internal resources

At this point, larger organisations may assign an impartial staff member from a different department to perform the audit. In this case, the process will cost your organisation only in terms of the lost productivity caused by that employee’s absence from their regular duties.

Cost in $ = 0

Cost in productivity = High

Using external resources 

As previously stated, most organisations do not possess enough human resources to take the internal option. That is why it is more common for organisations to hire an outside firm to handle this step. Opting for a consulting firm offers the benefit of an expert, unbiased assessment from an industry professional who is well versed in what the certification body expects. The associated cost is typically charged by the hour and will depend significantly on the size and scope of your ISMS.

The average $ range for risk assessment and internal audit:

Consultant fees in $ = 2,000–75,000

Cost in productivity = Low

External audit and certification

The certification process is handled by an auditor appointed by the certification body. It starts with a review of your documentation to ensure that you have correctly implemented the appropriate controls from Annex A of ISO 27001:2013. Next, the auditor conducts an on-site audit to evaluate the procedures in practice.


If the auditor deems that your organisation satisfies the requirements of the ISO 27001:2013 standard, they will recommend that the certification body issue your certificate. Please note that some consultants, such as Edara Systems, offer an end-to-end service in which a certification expert sits with you throughout this phase to ensure a smooth process.

The average $ ranges for audit and certification:

Consultant fees in $ = 5,000–90,000

Certification body fees in $ = 5,000–120,000

Surveillance audits

Contrary to what one might think, obtaining your certification is not the end of the process. The quest for the perfect information security posture is never-ending, given the ever-evolving cyber security threat landscape. To maintain its certification, your organisation must undergo two surveillance audits, one in year one and one in year two (post-certification), before undergoing the recertification audit in year three.

The average $ ranges for surveillance audits:

Consultant fees in $ = 5,000–75,000

Certification body fees in $ = 5,000–120,000

As you can see, the cost can vary significantly based on your organisation’s particulars, so do not let the breadth of the price ranges confuse you. Instead, request a complimentary, obligation-free quote from your Edara Systems expert consultants.