Press Release
Last Updated on May 30, 2013
One of the (many) things I like about ISO 27001 is that the cost to maintain your ISO 27001 compliance (that is, your ISO 27001 certificate) is relatively inexpensive – especially when compared to other attestation schemes like SOC 2.
ISO 27001 Maintenance Audit Schedule
An example schedule for an ISO 27001 certification, re-certification, and surveillance audits cycle over many years. (Click image to view full-size.)
To maintain your ISO 27001 certificate you will need to have an audit conducted annually by your registrar. Your first audit is referred to as a certification audit. In years two and three your registrar will conduct a less rigorous audit, which is referred to as a “surveillance audit.” This has a positive side effect; the cost of a surveillance audit is generally around two-thirds the cost of the original certification audit.
Approximate Certification/Surveillance Audit Costs (50-person SaaS vendor with infrastructure co-located at a single data center)
ISO 27001 Compliance Costs
| Year | Audit Type | Cost |
| 1 | Certification | $12,000 |
| 2 | Surveillance | $7,500 |
| 3 | Surveillance | $7,500 |
| 4 | Certification | $12,000 |
| 5 | Surveillance | $7,500 |
| 6 | Surveillance | $7,500 |
| … |
In practice, there are other costs that may come into play:
- Scope extension – It is not uncommon for an organization to “extend” their scope during surveillance audits to add other services or locations. Additional scope equals additional cost.
- Internal ISMS Audits – One of the ISO 27001 requirements is an annual internal ISMS audit. This can be done by internal staff or by a third-party. About two-thirds of our ISO 27001 clients ask us to conduct their internal ISMS audits at an average cost in the $7,500 range.
- Other Third-Party Testing – Many organizations use third parties to conduct vulnerability assessments and penetration tests. I generally don’t consider this as an “ISO cost” (as many companies are already doing this) but I have seen some clients do so – so I have included it here.
Once again, considering a fictitious client who asks Pivot Point Security to conduct their internal ISMS audits each year: their average yearly cost to maintain their ISO 27001 certificate (ISO 2701 compliance) is roughly $17,000. This compares favorably to the cost of a SOC 2 Audit. An approximate cost to conduct a SOC2 Type 2 audit for our fictitious client is in the $40,000 to $70,000 range (with the higher cost associated with the use of a “name brand” CPA firm). Where the difference gets more notable is that because of the “period of time” nature of the SOC 2 audit – the costs typically don’t vary much year over year.
I think the fact that it’s more comprehensive, more widely accepted internationally, and less than half the cost of SOC 2 explains why so many companies are turning to ISO 27001.
