ISO-27001 Cost Factors
The cost of developing and certifying an ISO 27001 Information Security Management System (ISMS) depends upon four key factors: ISMS scope, ISMS Gap, your organizational capacity to close that gap, and your “desired certification timeframe” (how quickly you need to be certified). These factors influence all three cost elements of an ISO 27001 certification effort: organizational resource costs (e.g., time), consulting costs (e.g., outside support needed to be ready for certification), and certification audit cost (e.g., the cost for the registrar to conduct the audit and issue the certificate).
An ISO 27001 certificate covers a defined “scope,” which for most ISO 27001 certified companies is a subset of the entire organization that processes high-risk data. Scope is generally defined in terms of the organization, the assets being protected, and the technology being used (e.g., networks, servers, applications). However, this often yields some confusion because the way you arrive at these “definitions” is not by selection, but rather by understanding the risks and required controls to mitigate those risks for the information assets being protected.
For example, one of our clients is a Software-as-a-Service (SaaS) application vendor that also supports an enterprise (on-premise) deployment model. They chose to restrict the initial ISMS scope to the SaaS offering to reduce the initial complexity/cost to achieve certification. Including the on-premise model would have brought in a number of risks (e.g., controlling/monitoring the VPN connection required to support clients, encryption of customer service laptops used onsite, rollback procedures for failed upgrades) for which they did not yet have good controls in place. The larger the scope, the greater the internal and consulting cost to prepare for the certification audit, and the greater the cost to conduct it.
There are two additional “hidden” elements of scope that can increase cost: organizational size, and risk/risk tolerance. We find that even with equivalent scope, the increased segregation of function in a larger organization increases the number of touch points and complexity. Similarly, high risk (or risk intolerant) organizations require greater levels of controls to ensure that risks are reduced to an acceptable level.
Guidance: Make the scope as small as possible during your initial certification audit, while still making it broad enough to satisfy the stakeholders receiving the certificate.
ISO 27001 is essentially an Information Security Risk Management Framework. Once the preliminary scope is established, you conduct a Risk Assessment to understand risk and develop a corresponding Risk Treatment Plan that, if fully implemented, reduces identified risks to a level deemed acceptable by senior management. The ISMS Gap is the delta between “what should be” (the Risk Treatment Plan) and “what is” (your current ISMS). Generally, that delta is measured via a Gap Assessment that produces a “Gap Remediation Plan,” which is a detailed list of things that need to be done in order to be ready for certification. The larger the gap, the more work needs to be done, and the greater the internal and consulting costs to prepare for the certification audit.
Guidance: ISMS scoping and Gap Assessment are ideally done in an iterative manner. If you use a Secure Data Flow Diagramming style approach to scope determination, you become aware of risks early enough in the process to provide scoping input.
There are two elements that impact your organizational capacity to close gaps: resource skill set and resource capacity. Resource capacity is your team’s availability to do what needs to be done in the required timeframe while still addressing business as usual. Resource skill set is your team’s knowledge in the subject areas critical to developing an ISMS (e.g., Risk Assessment, Policy/Procedures/Standards development, Security Metrics, Internal Auditing). The larger the gap between your team’s knowledge and availability and the skills/time required to develop your ISMS in the desired timeframe, the greater the internal and consulting cost to prepare for the certification audit.
Guidance: Failing to account for key individuals’ “business as usual” commitments is the single largest cause of ISO 27001 projects being over budget and/or behind schedule.
Scope, gap, and resource availability are all linked to schedule. The faster you need to become certified, the more the process will disrupt your business and/or the more reliant you will be on your ISO 27001 consulting firm. Much like software development, the “good, fast, cheap” iron triangle holds true. If possible, extending the project schedule to a timeframe that gives your team the ability to be integral to the development of the ISMS will reduce cost and improve quality while reducing the risk to business as usual.
Guidance: If you are considering a short ISO 27001 timeframe (e.g., 9 months or less), ensure that the business risk associated with failing to get certified in that timeframe is greater than the risks associated with the compressed timeframe (e.g., negative impact on operations/personnel, increased cost, reduced quality).