ISO 27001 Certification Cost in Australia: What Drives the Price

ISO 27001 certification has no fixed price. The cost splits three ways: building and running the management system, the accredited certification body's audit fees across a three-year cycle, and ongoing maintenance. Audit time scales with the number of people in scope, not with your revenue, so a small team pays far less than a large one.

Is there a set price for ISO 27001 certification?

No. Ask three providers what ISO 27001 costs and you will get three different answers, because the question is underspecified. There is no list price. The spend is set by what you are certifying and how ready you already are, and it is split between two parties who are not allowed to be the same one. An accredited certification body runs the audit and issues the certificate. Someone else, your own staff or a consultant, does the work to get you there. If you are not yet sure what the certificate actually covers, read what ISO 27001 certifies first. Most of the cost, and almost all of the variation, sits in the work to get ready. The audit is the smaller, more predictable line. Cybernion does not publish a fixed rate for the same reason: the number only means something once the scope is drawn.

What drives the cost of ISO 27001 certification?

Six things move the number, and most of them are decided before an auditor is ever booked. Scope is the largest. Everything inside the boundary has to be run, evidenced and audited, so the question of which systems, sites and business units you certify matters more than any day rate. The rest follow from how much of the management system already exists and how much has to be built.

Cost driver: What pushes it up

Scope and boundary: More systems, locations and business units in scope means more to run and more to audit
People in scope: Audit time is set by the number of persons doing work within the ISMS, under ISO/IEC 27006-1
Current maturity: Thin documentation and missing controls become remediation work and time
Annex A applicability: The controls you mark applicable in the Statement of Applicability shape the evidence load
Remediation needed: Gaps found in the gap analysis have to be closed before Stage 2
Who does the work: Internal staff time, consultant support, or a mix of the two

What does the certification body charge for?

This is the part with a published basis. An accredited certification body audits your management system in two stages: Stage 1 checks your documentation and readiness, Stage 2 checks that the system actually operates. The certificate then runs on a three-year cycle, with surveillance audits in years one and two and a full recertification in year three. The auditor's time is not set by your revenue or your ambition. Under ISO/IEC 27006-1:2024 the starting point is the number of people doing work within the scope of your ISMS; the body then adjusts that figure for factors such as the complexity of the ISMS and the number of sites, so a single-site team and a multi-site one with the same headcount can still draw different audit days. A five-person SaaS and a five-hundred-person enterprise do not pay the same, because they do not draw the same number of audit days. One point that costs people later: the body must be accredited, in Australia normally by JAS-ANZ, or by another accreditation body recognised under the IAF arrangements. An unaccredited certificate is cheaper and will not satisfy a serious tender. Ask the body for its accreditation certificate and check that ISO/IEC 27001 is within its accredited scope before you sign.

What does getting ready cost?

The audit is rarely the expensive part. Getting ready is. Someone has to run the gap analysis against the standard, design the management system, write the Statement of Applicability, implement the controls that are missing, and run an internal audit and management review before the body arrives. On real engagements the gap analysis and design take around four to eight weeks; a full implementation to the point of certification runs six to twelve months, depending on how much is already in place. The cost most budgets miss is your own people's time: control owners have to produce evidence, attend interviews and fix findings, and that time comes out of their day jobs. And there is a rule worth knowing before you sign anything: whoever helps you implement the system cannot also be your certification auditor. Independence is not optional. Cybernion does the ISO 27001 readiness and stays alongside you through the external audit, but the certificate comes from a separate accredited body.

What are the ongoing costs after certification?

A certificate is not a one-off purchase. It is a three-year commitment. Surveillance audits in years one and two, recertification in year three, and between them the work of keeping the system alive: internal audits, management reviews, risk reassessment, and control upkeep as the business changes. Skip the maintenance and the certificate lapses, or the next surveillance audit raises findings you then pay to fix in a hurry. Budget for the cycle, not for the first certificate.

How do you keep ISO 27001 costs down?

Draw the scope tightly. The single biggest lever on cost is what you put inside the boundary, so do not certify systems a customer never asked about. Get ready properly before the body arrives, because remediation found at Stage 2 is the most expensive place to find it. Be honest in the Statement of Applicability rather than marking every Annex A control applicable out of caution; every control you mark applicable is one you must evidence. Reuse what you already have from SOC 2 or the Essential Eight where the controls overlap. And choose an accredited body from the start. For a wider view of the standard and how the pieces fit, see the complete ISO 27001 guide. The cheapest certificate that no one recognises is the most expensive mistake.

Frequently asked questions

Is there a fixed price for ISO 27001 certification?

No. There is no list price. The cost depends on the scope, the number of people in the ISMS, how ready you already are, and how much remediation is needed. Anyone quoting a single figure before seeing your scope is guessing.

Why does the number of employees affect the cost?

Because the certification body's audit time is set by the number of people doing work within the scope of your ISMS, under ISO/IEC 27006-1:2024, not by your revenue. More people in scope means more audit days; complexity and the number of sites then adjust that figure.

Can the consultant who helps us also certify us?

No. The certification body must be independent of the work it audits. A consultant can take you through readiness and support you during the audit, but the certificate is issued by a separate accredited body.

Is ISO 27001 certification a one off cost?

No. Certification runs on a three-year cycle with surveillance audits in years one and two and recertification in year three, plus the ongoing cost of maintaining the management system.


Written by Gaurav Vikash, an ASD-endorsed IRAP assessor and senior cyber security leader with 18 years of experience across Australia, the UK and Asia, including CISO and senior security leadership roles. He holds CISSP, CISA, CISM and CRISC, is an ISO 27001 and ISO 42001 Lead Implementer, and speaks regularly at industry conferences.

Sources:

  1. ISO/IEC 27001:2022, Information security management systems, Requirements, 2022
  2. ISO/IEC 27006-1:2024, Requirements for bodies providing audit and certification of information security management systems, 2024
  3. ISO/IEC 27002:2022, Information security controls, 2022

Last updated: 21 June, 2026