In an age of misinformation and talent shortages, the cost of ISO 27001 and related cybersecurity or privacy “certifications” is on the rise. Unfortunately, there is no silver bullet or one-size-fits-all solution for the certification or attestation process. Pre-certification costs rise or fall with the organization’s risk appetite and the level of effort it is willing to commit. An organization that wants to perform most certification activities itself will need a dedicated Information Security Manager (starting salary around $96,000 in the United States, according to Glassdoor: https://www.glassdoor.com/Salaries/information-security-manager-salary-SRCH_KO0,28.htm), and will then typically purchase documentation sets, internal auditing and risk assessment services, and blocks of consulting hours that range from $14,000 to $60,000 when bought individually. An organization that outsources most of its program buildout to a third party can expect ISO 27001 readiness costs averaging $45,000 to upwards of $300,000 annually, depending on the suite of services it selects. Ultimately, cost is driven by a handful of factors during the pre-certification process: scope and complexity; salaries, consulting and tools; and the number of locations and people in scope.
Scope and Complexity
Most organizations started ISO 27001:2013 certification with a very limited or simple scope, typically limited to their Information Technology department. In response, accreditation bodies such as ANAB, ANSI and UKAS have implemented several changes requiring that every location and every person involved in the Information Security Management System be included in scope, risk assessed, and internally audited. Organizations have also had to become far more specific about who and what is actually in scope. In effect, this prevents a large entity from shrinking a 100,000-employee environment down to, say, four people, and as a consequence these changes have increased the number of locations and people in scope for most organizations.
Salaries, Consulting and Tools
Given the talent shortage in cybersecurity, compliance and privacy, it is no secret that hourly rates and salaries have become exorbitant. On average, a full-time internal compliance auditor will cost an organization around $65,000 annually in the United States, again according to Glassdoor: https://www.glassdoor.com/Salaries/compliance-auditor-salary-SRCH_KO0,18.htm. Most SMBs do not employ full-time auditors, or even have a legitimate compliance or legal team. Instead, we leverage what we can: tools, third-party firms, and current employees wearing multiple hats. This creates three separate and distinct problems:
Salaries for full-time auditors and assessors across the United States range from $96,000 to $225,000.
Third parties sell “buckets” of consulting hours that range from $150 to $1,000 an hour.
Assigning multiple roles to the same individuals blurs the lines of your organization’s segregation of duties.
Number of People / Locations in Scope
The largest impact on cost comes from the locations and people in scope. Locations are determined by the Scope of Registration Statement, which is then verified by your Certification Body. The rules Certification Bodies must follow are found in ISO 19011, ISO/IEC 17021 and ISO/IEC 27006 (see Annex C of 27006 for audit time). These rules also determine how many days the Certification Body’s auditors must physically spend onsite, a figure enforced by the accreditation bodies (ANAB, ANSI and/or UKAS) that oversee them. Depending on the locations and people in scope, your certification audit can range from a 2½-day audit to well over a month, with travel costs and hourly fees increasing accordingly.