
What does ISO 27001 certification cost?

1. ISO 27001 implementation costs
Besides time, what it costs to implement ISO 27001 depends on a number of factors. It starts with the current state of information security within your organization:
- Do you already have a policy on how to handle information?
- Do you already have an information security management system?
- Have you already mapped out processes?
Company size and complexity also play a role. These are determined by the number of employees, locations, products and services, and the diversity of your processes. Size isn't necessarily an indicator of complexity: a small company with many different processes can be just as complex as a large one.
Every organization is different, which is why we offer two types of implementation processes:
Accompanying implementation process
In this process we offer coaching and advice on the implementation of the management system and associated policy documents.
Workload
Within your organization, we expect approximately the following workload expressed in the number of hours per week. Please note: this is an estimate.

Unburdening implementation process
In this process we take over full responsibility for a successful implementation. Our consultant guides your organization through the process from A to Z.
Workload
Within your organization, we expect approximately the following workload expressed in the number of hours per week. Please note: this is an estimate.

a) Technical measures
To secure information, it is almost always necessary to implement technical measures, such as firewalls, antivirus software and access control systems. These measures involve costs, such as licensing, hardware and maintenance.
b) Software
In addition to technical measures, organizations often have to purchase and integrate security software. This involves not only the visible cost of software licences, but also hidden costs such as the time and resources needed to implement and integrate it.
c) Staff
ISO 27001 also checks whether your employees are aware of the policy and the security controls. This requires training, which takes time for both the participants and the trainer. Management must also be involved in the implementation process and free up time for policy development and compliance.
2. ISO 27001 audit costs
To become ISO 27001 certified, the management system must be audited: first through an internal audit, then through an external certification audit, and after that through periodic control audits.
This follows a 3-year cycle. In year 1 you have the internal audit and the external certification audit, followed by control audits in years 2 and 3; in year 4 comes the recertification audit. The recertification audit works in the same way as the audit that first obtained the certificate.
Internal audit: Internal audits are necessary to obtain and maintain your ISO 27001 certification. This mandatory part of the standard involves costs such as your employees' time and finding a suitable independent auditor.
External audit: If you implement ISO 27001, you cannot avoid an external audit to achieve certification. Auditors will check carefully whether you meet the standard, which takes at least several days. Exact costs vary but can be substantial.
Control audit: The control audit is part of the ISO 27001 certification cycle. It again looks at compliance with the standard, but unlike the certification audit it is aimed at confirming that you are still compliant in the years between certification and recertification. These audits take place in years 2 and 3 of the 3-year cycle, and their costs are lower than those of the certification audit.
The ISO requirements for certification bodies (ISO/IEC 27006) prescribe how long an audit must take; certification bodies cannot deviate from this. There are, however, factors that reduce audit time, such as the maturity of the management system and the number of FTEs. When enough of these factors apply, the audit time may be reduced by at most 30%. We always aim for this 30%. Read more about this in our blog about partnerships with Certification Bodies.
3. Maintenance of the management system
ISO 27001 is not a one-off effort. The system must be continuously maintained and updated to remain relevant, which means ongoing costs for monitoring, reporting and evaluation. A Security Officer typically spends between a few hours and one day a week on this maintenance, depending on the size and complexity of your organization.
We notice that customers prefer to let us do this: 98% of our customers also purchase a maintenance package from Fendix after implementation. We offer several packages for this.
Comparison: do it yourself vs. consultant
When considering ISO 27001 implementation, you should evaluate the costs of doing it yourself versus hiring a consultant. Although doing it yourself can save direct costs, for most organizations, a consultant who has completed the full implementation process dozens of times is well worth the investment.
A consultant can save your organization a lot of time and stress:
- Templates
- Expertise and experience
- Independent assessment
- Network of experts
If your organization has plenty of time and resources, you can take the initiative yourself. In practice, we see that this is often not the case. That is why we offer different implementation processes to match the needs of your organization. When your organization is short on time, our unburdening process is the best choice: we assume responsibility for implementing the standard. If your organization wants to be more involved and tackle certain aspects itself, choose our accompanying process.
Investment
To determine whether ISO 27001 certification is worth the cost, you also need to look at what it will bring your organization in the long term. Our customers mention the following benefits of their certification:
- Better protection of sensitive data against threats and risks
- Increased trust and reputation among customers, partners and stakeholders
- Support for legal compliance, such as the GDPR
- Improved internal processes
If you want to know exactly what ISO 27001 will cost your organization, request a quote or schedule a free introductory meeting.