December 12

How much does an ISO 27001 certification cost?


The first and most important question for any organization facing ISO 27001 certification is that of cost:

How much does an ISO 27001 certification cost?

Let's have a closer look, shall we?

The costs for ISO 27001 certification can be divided into the following three blocks:

1. Costs for your own personnel

Time 

The first factor we need to talk about is time: assume a duration of about 6 to 24 months as the minimum you will need for your project. The more the ISO 27001 project is added "on top" of your daily work, the longer the project will take. The more structured your work already is, and the more of your rules for collaboration are already written down and actually "lived", the shorter it will be.

Project manager or project leader

Please plan for a project manager position. Your project manager will be responsible for approximately 50% of the work in your ISO 27001 project. The more departments are involved, and the more employees they have, the more likely it is that the project manager will need to work on the project full time.

As a rule of thumb: if three or more departments are in scope of your project, you will need the project manager full time. The less those departments are used to working together, the more this holds.

So, in purely mathematical terms, you will need your project manager for between about 60 PD (person days) and 180 PD.

Project team

For each "department" (i.e. an autonomous operating unit with its own area of responsibility), plan for one person who will be involved in the ISO 27001 certification on a full-time basis, at least in certain phases of the project. Full-time primarily because this person must also act as a multiplier within their department and will need to consult others in the department a lot. In addition, they will need further resources within their department to provide support.

This adds up to about 100 PD for one department and about 300 PD for two "departments".

Personnel costs thus add up to roughly 160 PD to 500 PD.

2. Costs for consulting

In many cases, external consultants are brought in to help with ISO 27001 certification. Typically, they spend about 20 PD to 50 PD on site at the customer. For larger companies, or scopes covering more than about 50 people, two full-time consultants are also common. Daily rates are roughly between $1,000 (junior consultant) and $2,000 (senior consultant, lead auditor). How heavily the consultants are used also depends on how much of the "work" you want to do yourself versus how much you want to "outsource".

Consulting costs therefore range roughly from about $20,000 to about $200,000.

3. Costs of the ISO 27001 certification itself

Finally, the actual certification also costs money, of course. How much depends on the number of sites and the number of employees working in the scoped part of your company. Calculate upwards from $15,000 for one site with few customers (think: early-stage start-up).
