ISO 27001 Certification Cost Guide

How Much Does an ISO 27001 Audit Cost?

ISO 27001 certification typically costs between $15,000 and $80,000 for small to mid-size organisations, depending on company size, scope, location count, and ISMS maturity. Use the calculator below to estimate your Stage 1 audit, Stage 2 audit, and total certification investment.

Stage 1 + Stage 2 audit fees
Certification body selection
Ongoing surveillance audits


ISO 27001 Audit Phases Explained

Stage 1 - Documentation Review

1-2 audit days

The auditor reviews your ISMS documentation off-site. They check that your policies, risk assessments, Statement of Applicability, and procedures meet the ISO 27001 standard. Stage 1 typically takes 1 to 2 audit days and costs $1,800 to $4,500.

Stage 2 - On-site Certification Audit

2-5 audit days

The auditor visits your site (or connects remotely) to verify that controls described in your documentation are actually implemented and effective. They interview staff, review evidence, and test processes. Stage 2 is the main audit and is typically 2 to 5 days.

Surveillance Audit (Year 1 + 2)

Annual, 1-2 audit days

After certification, you must maintain it with annual surveillance audits. These are lighter than the full certification audit, covering only a subset of controls. Typically 1 to 2 days per year, costing $2,000 to $6,000 annually.

Recertification Audit (Year 3)

Every 3 years

ISO 27001 certificates are valid for 3 years. At the end of the cycle, a full recertification audit is required. This is similar in scope to the original Stage 2 audit, though slightly shorter if surveillance has been clean. Costs are similar to initial certification.

Frequently Asked Questions

How much does an ISO 27001 audit cost?

An ISO 27001 certification audit typically costs between $15,000 and $80,000 for small to mid-size organisations. This includes Stage 1 (documentation review) at $1,800 to $6,000, Stage 2 (on-site audit) at $5,000 to $20,000, certification body registration fees of $2,000 to $5,000, and internal preparation costs. Larger enterprises with multiple locations can pay significantly more.

What is the difference between Stage 1 and Stage 2 audits?

The Stage 1 audit is a documentation review conducted off-site. The auditor checks that your ISMS policies, risk assessment, Statement of Applicability, and procedures are complete and appropriate. Stage 2 is the main on-site certification audit where the auditor verifies that documented controls are actually implemented and operating effectively. Stage 2 results in the certification decision.

How long does ISO 27001 certification take?

For an organisation starting from scratch, ISO 27001 certification typically takes 9 to 18 months. This includes ISMS design (2 to 4 months), implementation (3 to 8 months), internal audit and management review (1 to 2 months), and the external certification audit process. Organisations with existing security programmes can move faster.

How often must the ISO 27001 audit be repeated?

ISO 27001 certificates are valid for 3 years. During years 1 and 2, annual surveillance audits are required to maintain the certificate. These are shorter than the initial audit (typically 1 to 2 days) and cover a subset of controls. In year 3, a full recertification audit is required to renew the certificate for another 3-year cycle.

What factors affect ISO 27001 audit cost most?

The biggest cost drivers are: (1) organisation size and number of in-scope employees, (2) ISMS maturity at the start of the process, (3) number of physical locations, (4) complexity and sensitivity of information assets, (5) choice of certification body and their day rates, and (6) whether you use external consultants for preparation.

Can you self-certify for ISO 27001?

No. ISO 27001 certification requires an independent assessment by an accredited certification body such as BSI, SGS, Bureau Veritas, LRQA, or similar. Self-declaration is not accepted as ISO 27001 certification. The certification body must be accredited by a national accreditation body (e.g. UKAS in the UK or ANAB in the US).