This is usually one of the first questions I receive from a potential client. To their disappointment, I cannot give them an exact figure right away – here is why.
First of all, the total cost of implementation will depend on the size of your organization (or the size of the business unit(s) that will be included in the ISO 27001 scope), the level of criticality of information (for instance, information in banks is considered more critical and demands a higher level of protection), the technology the organization is using (for instance, the data centers tend to have higher costs because of their complex systems), and the legislation requirements (usually the financial and government sectors are heavily regulated with regards to information security).
Second, you won’t be able to calculate the exact costs before you know which level of protection you need – first you have to perform a risk assessment, because that analysis will tell you which security measures are required.
When you know the results of the risk assessment, you will have to take into account the following costs:
1. The cost of literature and training
Implementation of ISO 27001 requires changes in your organization, and requires new skills. You can prepare your employees by buying various books on the subject and/or sending them to courses (in-person or online) – the duration of these courses varies from 1 to 5 days.
And don’t forget to buy the ISO 27001 standard itself – too often I run across companies implementing the standard without actually seeing it.
2. The cost of external assistance
Unfortunately, training your employees is not enough. If you don’t have a project manager with deep experience in ISO 27001 implementation, you’ll need someone who does have such knowledge – you can either hire a consultant or get some online alternative (this is what we do at Information Security & Business Continuity Academy).
The greatest value of someone with experience helping you with this kind of project is that you won’t end up in dead-end streets – spending months and months doing activities that are not really necessary, or developing tons of documentation not required by the standard. And that really costs.
However, be careful here – do not expect the consultant to do the whole implementation for you – ISO 27001 can be implemented by your employees only.
3. The cost of technology
It might seem funny, but most companies I’ve worked with did not need a big investment in hardware, software or anything similar – all these things already existed. The biggest challenge was usually how to use existing technology in a more secure way.
However, you do need to plan such investment if it proves to be necessary.
4. The cost of employees’ time
The standard isn’t going to implement itself, nor can it be implemented by a consultant alone (if you hire one). Your employees have to spend some time figuring out where the risks are and how to improve existing procedures and policies or implement new ones, and they have to take some time to train themselves for new responsibilities and to adapt to the new rules.
5. The cost of certification
If you want to obtain public proof that you have complied with ISO 27001, the certification body will have to perform a certification audit – the cost will depend on the number of man-days they spend doing the job, ranging from under 10 man-days for smaller companies up to a few dozen man-days for larger organizations. The cost of a man-day depends on the local market.
You have to be very careful not to underestimate the true cost of an ISO 27001 project – if you do, your management will start looking at your project in a negative light. On the other hand, forecasting all costs correctly will show your level of professionalism; and don’t forget – you always have to present both the costs and the benefits.