The costs of certification mainly depends on the number of people (FTE) working “under the organization’s control”. This includes both internal and external (subcontracted) employees.
Accredited certification bodies will base their calculation on the audit time chart as defined in ISO 27006:2015. With an average cost of € 1500 per day (in Europe), below table will give you a nice indication.
| People (FTE) | Audit days (min-max) | Cost of certification (€) |
|---|---|---|
| 1-10 | 3.5-5 | 5250-7500 |
| 11-15 | 4-6 | 6000-9000 |
| 16-25 | 5.5-7 | 7500-10500 |
| 26-45 | 6-8.5 | 9000-12750 |
| 46-65 | 7-10 | 10500-15000 |
| 66-85 | 8-11 | 12000-16500 |
| 86-125 | 8.5-12 | 12750-18000 |
The lower end on the estimation can be achieved if the certification body has reasons to believe the ISMS is not too complex or has demonstrated previous performance, both of which are the case when you are using Instant 27001!