The cost of an ISO 27001 certification

The first question I often get when talking to IT service providers about ISO 27001 certification is: “How much does it cost to get it?” I like to reply with a question: “How much does it cost when you don’t have it?” The answer to the first question is easy; the answer to the second one is more complicated. As a finance professional, I am interested in the business case. If the cost of not having an ISO 27001 certification is higher than the cost of getting and maintaining one, you can actually make a profitable investment by getting certified.

The cost of NOT having an ISO 27001 certification
Let’s have a look at some of the cost components of NOT having an ISO 27001 certification.

Opportunity Cost
Do you know how many opportunities for new customers are lost because you are not properly certified? How many of your target customers would prefer a supplier that is properly certified and won’t even consider you? And after having done the sales funnel math, how much margin would you potentially lose, and for how many years?

Lost customers (Churn)
You have invested to acquire and maintain your current customers. How many would potentially turn their back on you because they are increasingly concerned about security and are looking for evidence of compliance? How much margin is at stake today and in future years?

Trust and Transparency: lost opportunity for a competitive advantage
With ISO 27001 you can turn your information security management into a competitive advantage and a weapon against churn. You will earn customers’ trust by being able to provide them with transparent and proactive reporting on security, incidents and measures taken. This will not only reduce the risk of churn among existing customers, but will also position you better to win new customers, which will improve your future revenues and margins. Without ISO 27001, chances are this opportunity is lost.

Risk of data loss, breach of privacy or confidentiality and outages
Costs may range from SLA-related compensation credits and “fixing the problem” costs to claims for damages, customer loss and reputation damage. You may limit some of these risks by contractual exclusion and mitigation, and, sure, customers will understand this as such. But what if they are not convinced that you are properly in control? Your contractual clauses won’t help you, because they won’t buy your services at all. Will an ISO 27001 certification exclude all possible risk? No, of course not. But in this case customers more easily accept your contractual clauses, because you can prove that you have done your utmost to prevent security incidents. And if your organization is fully aware of all elements of information security and acts in line with ISO 27001, there is no doubt that you have significantly reduced security risk and its related costs.

The business case
So, after looking at the above, how much is the cost of NOT having an ISO 27001 certification for you? You might have compensating controls and/or assurance reports like ISAE 3000. They have a mitigating effect on the cost of NOT having an ISO 27001 certification, which of course needs to be taken into account. After you have looked at all the components above and have done the business case, it’s up to you: can you afford the cost of NOT having an ISO 27001 certification?