ISO 27001 costs: from initial gap analysis to certificate
A realistic budget breakdown for a 30-person SMB. Internal hours, external audit, consultancy (kept to a minimum), and annual maintenance. No marketing fluff.
Budget for a 30-person SMB, initial certification, 2026 figures.
One-off costs

- Consultant gap analysis (optional): €2,500 – €6,000
- Policy templates (open-source or purchased): €0 – €1,500
- Internal work: 150–300 hours spread over 6 months
- Stage 1 + Stage 2 audit: €4,500 – €8,000 (depending on size and complexity)
- Non-conformity remediation, if required: €1,000 – €3,000
Annual costs

- Surveillance audit (years 2 and 3): €2,000 – €3,500 per year
- ISMS maintenance (internal): 10–30 hours per month
- Internal audit (outsourced or in-house): €1,500 – €3,500
- Security awareness training for staff: €500 – €2,000
Every 3 years: re-certification

Comparable to the initial Stage 2 audit: €4,000 – €6,500.
Total cost over 3 years

For a 30-person SMB: €18,000 – €35,000 in external costs, spread over 3 years, plus roughly 400 internal hours at the low end. Note that the maintenance figure above (10–30 hours per month) can push the internal effort well past 1,000 hours over the same period, so budget internal time against the monthly figure rather than the headline total.
Where can you save money?

- Skip the €80k consultant. Use one only for the gap analysis and the initial policy set.
- Use open-source policy templates (e.g. from IASME or ENISA).
- Use software that collects evidence automatically, e.g. AccessGuard for access reviews and audit trails.
- Handle in-house what can be done in-house. Auditors want evidence, not outsourced documentation.
Full guide: ISO 27001 for SMEs without spending €50k on consultants
This article is part of our comprehensive Compliance guide. Read the pillar page for the complete picture.
Read the pillar →