
ISO 27001 Certification Cost: What You'll Actually Pay in 2025

Honest breakdown of ISO 27001 certification costs — certification body fees, consultant rates, tooling, and staff time — with real ranges by company size.

Rounak Maheshwari

Founder, ISO READY 360

Search "ISO 27001 certification cost" and you will find articles that give you ranges like "€5,000 to €100,000 depending on your organisation." That is technically true and practically useless. The reason those articles stay vague is that the answer depends on decisions you have not yet made — who does the implementation work, how wide you draw your scope, and which certification body you choose. This guide gives you the actual numbers for each cost bucket so you can build a real budget.

Typical total cost by company size

Company size      Typical first-year total
10–30 people      €8k–€20k
30–100 people     €15k–€45k
100–500 people    €30k–€80k+

These ranges assume a template-led implementation approach. A traditional consultant adds 2–3× to the implementation bucket.

The 4 Real Cost Buckets

ISO 27001 implementation has four distinct places where money goes. Conflating them is why most estimates are meaningless. Treat each one separately.

1. Certification Body Fees

The certification body (also called a registrar or CB) is the accredited organisation that audits you and issues the certificate. Their fees cover two audit stages: Stage 1, which is a documentation review, and Stage 2, which is the on-site or remote evidence audit. For a 10-to-30-person company with a focused scope, expect to pay €3,000 to €6,000 for initial certification. For a 50-to-150-person company with a broader scope, that range moves to €8,000 to €15,000.

Well-known certification bodies operating in Europe and internationally include Bureau Veritas, BSI Group, DNV, TUV SUD, and Schellman. Their prices vary by auditor day rates, which typically run €1,000 to €1,800 per auditor day. The number of audit days is calculated based on your employee headcount within scope and the complexity of your processes. Requesting quotes from at least three bodies is worth the effort — price differences of 30% for equivalent scope are common.

One number people frequently miss: after certification, surveillance audits are required annually (years 1 and 2), and a full recertification audit happens in year 3. Budget roughly 60–70% of your initial Stage 2 cost for each surveillance audit, and close to the original cost for recertification. These are not optional — skipping them results in certificate withdrawal.

2. Implementation Work: Consultant or Internal Resource

This is typically the largest cost variable and the one with the widest range. There are three approaches:

  • Traditional ISO consultant: A specialist firm or independent consultant will typically charge €10,000 to €50,000 for full implementation support, depending on scope and their day rate. You get hands-on guidance, but you are paying for their time in full.
  • Template-led approach with expert support: ISO READY 360's Tier 1 setup service costs a one-time €1,299 and covers scoping, ISMS structure, risk framework setup, and documentation guidance. This works well for startups and SMEs willing to own the process internally.
  • Fully internal: If you have someone with prior ISO 27001 experience, you can do this without external help. The risk is scope creep and gaps that become audit findings — experienced auditors routinely find issues in self-built programs that templates with clearly stated requirements would have prevented.

The difference between a traditional consultant and a template-led approach is not the outcome — both can produce a certified ISMS. The difference is who does the work and at what hourly rate. Templates reduce the hours required significantly by giving you pre-built structures that you adapt rather than create from scratch.

3. Tooling and Platform Costs

You do not need expensive GRC software to achieve ISO 27001 certification. Many certified companies use Notion, Confluence, or even well-organised shared drives. The standard does not prescribe what software you use — it cares that your documentation is controlled, accessible, and maintained.

  • Notion: Free tier works for small teams. Paid plans start at around €8/user/month if you need advanced permissions.
  • Confluence: Around €5–10/user/month depending on team size.
  • Dedicated GRC platforms (Vanta, Drata, Sprinto): €10,000 to €30,000+ per year. These are useful for companies managing multiple frameworks simultaneously or with high audit frequency, but they are not necessary for a first ISO 27001 certification.

For most startups and SMEs, total tooling cost is €0 to €200 per month depending on what you already use.

4. Staff Time

This is the hidden cost that organisations underestimate. ISO 27001 requires an internal owner — typically called the Information Security Officer or ISO Officer — who drives the program. During implementation, expect this person to spend 2 to 4 hours per week on average over a 3-to-6-month period. Translate that to salary cost: at a €60,000 annual salary, 3 hours/week over 4 months is roughly €3,500 in loaded staff time.

Additionally, your wider team will spend time in security awareness training, policy reviews, and participating in the internal audit. For a 20-person company, budget 4–8 hours of total team time for training and audit preparation.

What Company Size Actually Changes

A 10-person SaaS startup with a focused scope (cloud infrastructure and software development only) can realistically target a total first-year cost of €6,000 to €12,000 — covering a mid-tier certification body, a template-led implementation approach, and minimal tooling.

A 100-person SME with multiple locations, physical offices, and third-party integrations in scope is looking at €25,000 to €60,000 in year one, driven primarily by higher certification body fees and greater implementation complexity.

The single most effective lever for controlling cost is scope. A narrow, well-defined scope reduces audit days, reduces the number of controls you need to implement evidence for, and makes the entire program more manageable. Start focused. You can always expand scope in a subsequent certification cycle.

How to Reduce Your Total Cost

  • Use a template library rather than building policies from scratch. Writing 25+ policies from a blank page can take 6–8 weeks of ISO Officer time. Pre-built, audit-ready templates cut that to days. Browse the ISO READY 360 template library or download free templates to start.
  • Narrow your scope deliberately. Exclude business units, systems, or locations that are not involved in your core service delivery. Document this exclusion clearly and your auditor will accept it.
  • Get multiple quotes from certification bodies. Prices are not fixed. Most certification bodies will negotiate, especially for multi-year contracts or if you schedule Stage 1 and Stage 2 together.
  • Avoid GRC platform lock-in early. Do not buy an expensive compliance platform before you understand your real needs. Most companies that start on Notion or Confluence and migrate to a GRC platform later report that the platform did not materially improve their first audit outcome.
  • Prepare your Stage 1 thoroughly. Stage 1 findings that require remediation before Stage 2 add cost and delay. A solid documentation review against the standard before Stage 1 prevents this.

Annual Recurring Costs to Budget

After initial certification, plan for these recurring costs annually:

  • Surveillance audit (years 1 and 2): €1,500 to €6,000 depending on scope and CB
  • Recertification audit (year 3): similar to initial Stage 2 cost
  • Security awareness training refresh: €0 to €2,000 depending on whether you use a platform or run it internally
  • ISO Officer ongoing time: 1–2 hours/week to maintain the program, run management reviews, and update risk assessments
  • Tool and platform subscriptions: same as year one

The recurring costs are significantly lower than year one because the framework is already built. Maintenance is operationally light if you set it up correctly from the start.

Ready to get started?

Start with our free templates to understand the scope of work, or explore our Tier 1 setup service at €1,299 one-time — a fraction of traditional consultant rates.