When we started the road to ISO 27001 it was hugely daunting, a lot of unfamiliar terms and typical tech speak lingo made it all sound horribly complicated and difficult. We decided early on to hire a consultancy firm to help us prepare, and received quotes from £2,000 to £40,000 for the same job (help us prepare for ISO27001).
It became quickly apparent there are 2 approaches to take to getting ISO 27001.
1) ‘One stop shop certify’ – Very cheap, sometimes ‘no win no fee’, ISO 27001 certification. This means that the same company helps prepare your processes and documentation, and then they also certify you.. Err, there is an obvious conflict here, you do do get the same certificate. So if this is a box ticking exercise for your firm, it is probably the cheapest and quickest way to get certified, but be warned that many UK Government customers, and more discerning businesses will not accept it. We were quoted circa £3,500 setup and £700 a year for this (the sales docs were fab, featuring a famous dragons den type celebrity endorsement). It became apparent they don’t really check for evidence that you do what you say you do. And also that you’re pretty much guaranteed to get certified in a few months.
2) ‘Independent audit & advisor’ UKAS audited ISO 27001 certification. With this model, you prepare for the audit yourself or with independent help, and then a UKAS accredited audit company will come and audit you. The people who help you cannot audit you (for obvious reasons!) This for me is the real value in the process, an independent party will check what you say you do and decide whether you’re compliant. This is quite a bit more expensive, we paid about £6,000 for an advisor on a special plan, and the annual audits cost about £2,000- £3,000 (some for the advisor, and some for the certification authority). The advisor helped prep all the processes, and then ran our internal audit in preparation for the real thing.
The cost difference over a few years for a micro business or boot strapped firm is big, but of course the biggest cost by far is making sure you internal processes and people are good. My take is, if you’re serious about security, make sure you are going to be audited by a different company to the advisors, and that they’re UKAS registered. Some of the cheapest quotes we were given in Summer 2014 are attached.
We choose IT Governance to help us get through the process, and they did a great job. BM Trada were also very helpful and seemed very credible.