ISO 27001 Certification Cost. Hopefully Less Than £400,000…

Oct 7, 2016

I’m told that ISO 27001 Certification Cost is one of the most searched terms relating to ISO 27001 on the internet.

How much does certification cost? It’s worth reflecting on the cost of not having it. For TalkTalk in October 2016, the “failure to implement the most basic cyber security measures” cost around £400,000 in fines.

Some of TalkTalk’s IT security measures were probably very good indeed. But they were probably the wrong ones for the threat. And it’s highly likely that they even held ISO 27001 certification.

Risk and Compliance; Welcome to The Future!

ISO standards are changing. A key focus is now “risk”, rather than “compliance”: the crucial questions now being asked are ones such as “what if this fails?” or “what if X gains access to Y?”.

Back in the old days it was all about compliance, that is, “how do you know your products and services are any good, have you met this regulation, or that customer requirement”. It’s that dreaded man with the brown dustcoat, clip-board and attitude. Measuring and criticizing.

To be truly effective, ISO 27001 needs to start “where you are” as a business, rather than enforcing a vast system of parameters and procedures, only 20% of which have any relevance, but are vital in gaining that framed certificate in your reception area.

Hence, the ISO 27001 certification cost depends on what actually needs protecting. Many companies pay too much…

Risk – Have You Locked The Right Doors?

Imagine your business as a building. Rather than spending a fortune securing it against any but the most talented of 007 types, why not give some considered thought to “who is likely to want to break in anyway? And where?”

This “risk-based” approach can make a huge difference to ISO 27001 certification cost; preventing James Bond gaining access to your Server Room might be very difficult and expensive, but are you holding anything he’d actually want anyway?

Risk, Laptops, and The Cloud. An Example

An example of the “risk-based” approach: I’m highly sceptical of the current fashion of putting everything into “The Cloud”. I’m almost ashamed to admit, however, that below is a situation where The Cloud works rather well.

A laptop is stolen. If you are using purely cloud-based software, with a reasonably secure log-on and a complex password, chances are all you’ve lost is a £500-600 asset which may even be covered by insurance. Your data will remain safely in the cloud and you can just pick up another laptop, log into your account and carry on. Based on this, the vital focus would therefore be on the security of cloud access, rather than laptops being chained to desks and guarded by a Rottweiler, and a procedure being written around this, including the type of dog biscuits.

And, Once More For Those Googling ISO Certification Cost?

I suspect I have not answered the key question about ISO 27001 certification cost. Well, not in a day rate and number of days. Because it will depend on how you work as a business. But hopefully I have destroyed the myth that ISO 27001 is a very large and blundering, paperwork-heavy, expensive, hoop-jumping exercise.

Please feel free to give me a call or drop me a line. I promise to start where you are and see where you want to go to protect your business. And avoid the headlines.