ISO 27001 Certification Cost Australia 2026: What 93 Controls Actually Cost

CertBetter

Team CertBetter

A Melbourne accounting firm paid $1.2 million to recover from ransomware, lost 3 major clients who couldn't risk their data with a breached provider, and spent $340,000 in legal costs defending against privacy complaints after client tax records were leaked on the dark web.

Their cyber insurance covered $180,000. They absorbed the remaining $1.36 million.

ISO 27001 implementation would have cost them $32,000.

You're not here for a lecture about "information security maturity journeys." You need actual numbers for ISO 27001:2022 certification in Australia—and you need to understand why certified businesses pay 40-60% less in cyber insurance premiums while uncertified businesses are getting dropped by insurers entirely.

The Real Numbers (27001:2022 Version)

Small business (5-20 employees, basic IT environment):

  • Certification audit: $4,500-$9,000
  • Consultant implementation: $15,000-$28,000
  • Technical controls implementation: $8,000-$18,000
  • Total first year: $27,500-$55,000
  • Annual surveillance: $3,000-$6,500

Medium business (20-60 employees, moderate IT complexity):

  • Certification audit: $9,000-$18,000
  • Consultant implementation: $25,000-$48,000
  • Technical controls implementation: $18,000-$45,000
  • Total first year: $52,000-$111,000
  • Annual surveillance: $6,000-$12,000

Large business (60+ employees, complex IT, cloud services, multi-site):

  • Certification audit: $22,000-$48,000+
  • Consultant implementation: $45,000-$95,000+
  • Technical controls implementation: $45,000-$150,000+
  • Total first year: $112,000-$293,000+
  • Annual surveillance: $12,000-$26,000+

If transitioning from ISO 27001:2013 to 2022:

  • Gap analysis and new controls: $8,000-$22,000
  • Technical implementation (11 new controls): $6,000-$18,000
  • Transition audit: $5,000-$12,000
  • Total transition cost: $19,000-$52,000

Note: Technical implementation costs vary wildly with your current security posture. A business with modern cloud infrastructure and existing controls lands at the lower end; a business with legacy systems, no MFA and no encryption lands at the upper end or beyond.

Quick comparison: What costs more? (Chart not reproduced. Source: IBM Cost of a Data Breach Report 2024, Australian Cyber Security Centre.)


Why Data Breaches Cost More Than Environmental Incidents

Environmental incidents cost fines + cleanup.

Data breaches cost:

  • Incident response: $45,000-$280,000 (forensics, containment, eradication)
  • Notification costs: $12,000-$85,000 (the Notifiable Data Breaches scheme gives you up to 30 days to assess a suspected breach, then requires notifying the OAIC and affected individuals as soon as practicable)
  • Regulatory fines: $0-$50 million+ (Privacy Act 1988 penalties increased in 2022 to the greater of $50 million, three times the benefit obtained, or 30% of adjusted turnover)
  • Legal costs: $80,000-$650,000 (defending privacy complaints, class actions)
  • Business interruption: $120,000-$2.8M (avg 21 days downtime for ransomware)
  • Lost customers: 35-45% customer churn post-breach (Australian businesses)
  • Reputation damage: Unmeasurable but significant
  • Cyber insurance premium increases: 80-150% post-breach (if insurer doesn't drop you)
  • Remediation costs: $40,000-$380,000 (fixing vulnerabilities that caused breach)

Real Australian examples 2023-2025:

Brisbane legal firm (2023): Ransomware encrypted client files. No offline backups. Paid $95,000 ransom (data not recovered—ransomware operators took payment and disappeared). Rebuilt systems: $180,000. Lost clients: 8 major firms. Legal costs defending complaints: $220,000. Total: $495,000+

Sydney healthcare provider (2024): Patient records leaked via misconfigured cloud storage. Notifiable Data Breach: 12,000 affected individuals. Notification and call centre: $42,000. OAIC investigation and compliance: $85,000. Legal settlement: $280,000. Cyber insurance covered $150,000. Net cost: $257,000

Melbourne SaaS startup (2024): Employee credentials phished, attacker accessed customer database. 40% customer churn (B2B customers cannot risk vendor security). Revenue impact: $1.2M annually. Forensics and remediation: $95,000. Total business impact: $1.295M

Perth engineering firm (2025): Business Email Compromise. CFO tricked into $380,000 fraudulent payment. Bank recovered $85,000. Insurance covered $100,000. Net loss: $195,000

These businesses didn't have ISO 27001. They didn't have MFA. They didn't have incident response plans. They didn't have security awareness training.

An ISO 27001 risk treatment would have had to address every one of these gaps: secure authentication (8.5), incident management planning and response (5.24-5.26), and awareness training (6.3).

ISO 27001:2013 vs 27001:2022 (11 New Controls You're Paying For)

If you're certified to ISO 27001:2013, the deadline to transition to the 2022 edition was 31 October 2025 (a three-year transition period from publication in October 2022).

What changed:

Control restructure:

  • 2013: 14 control themes (A.5 through A.18), 114 controls
  • 2022: 4 control themes (organizational, people, physical, technological), 93 controls (11 new, 24 merged from 57 existing controls, 58 carried over with updated guidance)

The 11 new controls (why your transition costs money):

5.7 Threat intelligence

  • Requirement: Collect and analyze information security threat intelligence
  • What it means: Monitor threat feeds, vulnerability databases, dark web mentions, industry-specific threats
  • Implementation cost: $2,000-$8,000/year (threat intelligence subscriptions + process)

5.23 Information security for use of cloud services

  • Requirement: Define and implement processes for cloud service acquisition, use, management, exit
  • What it means: Cloud security assessment, vendor due diligence, data sovereignty verification, exit strategy
  • Implementation cost: $3,000-$12,000 (initial assessment + ongoing governance)

5.30 ICT readiness for business continuity

  • Requirement: ICT readiness planned, implemented, maintained, tested for business continuity
  • What it means: IT disaster recovery testing, redundancy verification, backup restoration testing
  • Implementation cost: $4,000-$15,000 (testing regime + documentation)

7.4 Physical security monitoring

  • Requirement: Premises continuously monitored for unauthorized physical access
  • What it means: CCTV, access logs, intrusion detection (if not already implemented)
  • Implementation cost: $0-$12,000 (depends on existing physical security)

8.9 Configuration management

  • Requirement: Configurations of hardware, software, services, networks defined, documented, implemented, monitored, reviewed
  • What it means: Configuration baselines, change control, hardening standards, configuration drift monitoring
  • Implementation cost: $5,000-$18,000 (tooling + process)
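What "configuration baselines" and "drift monitoring" look like in practice, as an added example (this is not code from the article or from any vendor): a declared baseline of hardening rules is run against a snapshot of an AWS-style account. Both snapshots are constructed by hand, the field names are this example's own rather than a real AWS API schema, and a real implementation would populate the snapshot from boto3 describe_* calls or AWS Config.

```python
"""Configuration baseline check for ISO 27001:2022 control 8.9.

Added example, not code from the original article or from any vendor. The two
account snapshots are constructed by hand in the shape an inventory script
(one built on boto3 describe_* calls or AWS Config, say) might produce; the
field names are this example's own and are not a real AWS API schema.
"""
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Rule:
    rule_id: str                    # identifier cited in the written hardening standard
    description: str
    check: Callable[[dict], bool]   # returns True when the snapshot complies
    severity: str


def _open_to_world(snapshot: dict, port: int) -> bool:
    """True if any security group admits 0.0.0.0/0 on the given TCP port."""
    for sg in snapshot["security_groups"]:
        for rule in sg["ingress"]:
            if rule["cidr"] == "0.0.0.0/0" and rule["from_port"] <= port <= rule["to_port"]:
                return True
    return False


# The documented baseline. Each requirement is a predicate, so the written
# hardening standard and the drift check are one artefact and cannot disagree.
BASELINE = [
    Rule("CFG-01", "CloudTrail enabled in all regions with log file validation",
         lambda s: s["cloudtrail"]["multi_region"] and s["cloudtrail"]["log_file_validation"], "high"),
    Rule("CFG-02", "Root account protected by MFA",
         lambda s: s["iam"]["root_mfa_enabled"], "critical"),
    Rule("CFG-03", "IAM password policy requires at least 14 characters",
         lambda s: s["iam"]["password_policy"]["min_length"] >= 14, "medium"),
    Rule("CFG-04", "S3 account-level public access block fully enabled",
         lambda s: all(s["s3"]["public_access_block"].values()), "high"),
    Rule("CFG-05", "No security group exposes SSH (22) to 0.0.0.0/0",
         lambda s: not _open_to_world(s, 22), "high"),
    Rule("CFG-06", "No security group exposes RDP (3389) to 0.0.0.0/0",
         lambda s: not _open_to_world(s, 3389), "high"),
    Rule("CFG-07", "EBS encryption by default enabled",
         lambda s: s["ebs"]["encryption_by_default"], "medium"),
]


def check_drift(snapshot: dict, baseline=BASELINE) -> list:
    """Return one finding per baseline rule the snapshot fails."""
    findings = []
    for rule in baseline:
        try:
            compliant = bool(rule.check(snapshot))
            note = ""
        except KeyError as missing:
            # An unknown setting is drift (or a broken inventory); it is never silently compliant.
            compliant = False
            note = f" (inventory missing field {missing})"
        if not compliant:
            findings.append({"id": rule.rule_id, "severity": rule.severity,
                             "description": rule.description + note})
    return findings


def summarize(findings) -> dict:
    """Count findings by severity, e.g. {'critical': 1, 'high': 3}."""
    counts = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


# Constructed snapshot of an account with the gaps the article's legacy examples describe.
DRIFTED_SNAPSHOT = {
    "cloudtrail": {"multi_region": True, "log_file_validation": False},
    "iam": {"root_mfa_enabled": False, "password_policy": {"min_length": 8}},
    "s3": {"public_access_block": {"block_public_acls": True, "ignore_public_acls": True,
                                   "block_public_policy": False, "restrict_public_buckets": False}},
    "security_groups": [
        {"id": "sg-web", "ingress": [{"cidr": "0.0.0.0/0", "from_port": 443, "to_port": 443}]},
        {"id": "sg-admin", "ingress": [{"cidr": "0.0.0.0/0", "from_port": 22, "to_port": 22}]},
    ],
    "ebs": {"encryption_by_default": False},
}

# Constructed snapshot of the same account after remediation (SSH limited to an office range).
HARDENED_SNAPSHOT = {
    "cloudtrail": {"multi_region": True, "log_file_validation": True},
    "iam": {"root_mfa_enabled": True, "password_policy": {"min_length": 14}},
    "s3": {"public_access_block": {"block_public_acls": True, "ignore_public_acls": True,
                                   "block_public_policy": True, "restrict_public_buckets": True}},
    "security_groups": [
        {"id": "sg-web", "ingress": [{"cidr": "0.0.0.0/0", "from_port": 443, "to_port": 443}]},
        {"id": "sg-admin", "ingress": [{"cidr": "203.0.113.0/24", "from_port": 22, "to_port": 22}]},
    ],
    "ebs": {"encryption_by_default": True},
}

if __name__ == "__main__":
    for f in check_drift(DRIFTED_SNAPSHOT):
        print(f'{f["id"]} [{f["severity"]}] {f["description"]}')
    print("hardened account:", check_drift(HARDENED_SNAPSHOT))
```

Run on a schedule and diffed against the previous run, the findings list is the drift report an auditor asks for under 8.9; the missing-field case matters because an inventory script that silently skips a resource produces a clean report for a setting nobody actually checked.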

8.10 Information deletion

  • Requirement: Information stored in information systems, devices, other storage media deleted when no longer required
  • What it means: Data retention policy, secure deletion procedures, verification of deletion
  • Implementation cost: $2,000-$6,000 (policy + secure deletion tools)

8.11 Data masking

  • Requirement: Data masking used according to topic-specific policy on access control and other related topic-specific policies, and business requirements
  • What it means: Mask sensitive data in non-production environments, during testing, for analytics
  • Implementation cost: $3,000-$15,000 (masking tools + implementation)

8.12 Data leakage prevention

  • Requirement: Data leakage prevention measures applied to systems, networks, other devices
  • What it means: DLP tools to prevent unauthorized data exfiltration
  • Implementation cost: $6,000-$25,000 (DLP software + configuration)

8.16 Monitoring activities

  • Requirement: Networks, systems, applications monitored for anomalous behavior; appropriate actions taken
  • What it means: SIEM or log monitoring, anomaly detection, response procedures
  • Implementation cost: $8,000-$35,000 (SIEM/SOC tooling + setup)

8.23 Web filtering

  • Requirement: Access to external websites managed to reduce exposure to malicious content
  • What it means: Web content filtering, block malicious sites, category filtering
  • Implementation cost: $1,500-$6,000/year (filtering service + configuration)

8.28 Secure coding

  • Requirement: Secure coding principles applied to software development
  • What it means: Secure development lifecycle, code review, static/dynamic analysis, developer training
  • Implementation cost: $8,000-$30,000 (training + tools + process if developing software)

If you're transitioning 2013→2022:

Some of these controls you might already have (especially larger businesses with mature security). But most SMEs don't.

Average transition cost for business with moderate maturity:

  • Gap analysis: $4,000-$8,000
  • New control implementation: $15,000-$45,000 (technical + process)
  • Documentation updates: $3,000-$6,000
  • Transition audit: $5,000-$12,000
  • Total: $27,000-$71,000

If you already have mature security (threat intelligence, DLP, SIEM, secure coding): $12,000-$22,000

If you have minimal existing controls: $45,000-$95,000+

Deadline: 31 October 2025. After that date, certificates issued against the 2013 edition are withdrawn by certification bodies and no longer valid.

What You're Actually Implementing (93 Controls Breakdown)

Most businesses think ISO 27001 is "documentation and policies."

Wrong. ISO 27001 is technical security controls + processes + documentation.

The 93 controls in ISO 27001:2022 Annex A break down into:

Organizational controls (37 controls):

  • Policies and procedures
  • Roles and responsibilities
  • Asset management
  • Supplier relationships
  • Incident management processes
  • Business continuity planning

People controls (8 controls):

  • Security awareness training
  • Employment agreements (confidentiality, acceptable use)
  • Disciplinary processes
  • Termination procedures

Physical controls (14 controls):

  • Secure areas
  • Physical entry controls
  • Equipment security
  • CCTV monitoring
  • Clear desk/screen policies
  • Media disposal

Technological controls (34 controls):

  • Access control (authentication, authorization, privilege management)
  • Cryptography (encryption at rest, in transit)
  • Secure development
  • Security testing
  • Network security
  • Logging and monitoring
  • Backup and recovery
  • Malware protection
  • Vulnerability management
  • Configuration management
  • Data leakage prevention

Not all 93 controls apply to every business. Your risk treatment determines which controls you need, and the Statement of Applicability (SoA) records, for each of the 93, whether it is:

  • Applicable (you must implement)
  • Not applicable (with justification)

Typical SME: 75-85 controls applicable
Complex enterprise: 88-93 controls applicable

What "implementing a control" actually means:

Example: Control 8.5 - Secure authentication

Not just "have passwords." It means:

  • Multi-factor authentication (MFA) on all systems where feasible
  • Password policy (length and complexity; forced periodic rotation is no longer recommended by NIST SP 800-63B, so require a change on evidence of compromise instead)
  • Password management tool usage
  • Service account management
  • Privileged account controls
  • Authentication logging and monitoring

Technical implementation:

  • Purchase and deploy MFA solution: $1,200-$4,500/year
  • Configure MFA on all applications (Microsoft 365, AWS, SaaS tools)
  • Deploy password manager: $300-$800/year
  • Configure authentication logging to SIEM
  • Document authentication standards
  • Train users on MFA usage

Cost for this one control: $3,000-$8,000 implementation + $1,500-$5,300/year ongoing

Now repeat that exercise for each of the 75-85 applicable controls. Many are cheaper than this one; some (monitoring, DLP, configuration management) are considerably more expensive.

This is why ISO 27001 costs more than ISO 9001 or 14001. You're buying and implementing actual security technology, not just writing procedures.

Technical Implementation Costs (The Expensive Part)

Consultant fees are 30-40% of total ISO 27001 cost. Technical implementation is 40-50%.

What you're actually buying:

Identity and access management:

  • Multi-factor authentication: $1,200-$6,000/year
  • Single sign-on (SSO): $2,400-$12,000/year
  • Privileged access management: $3,600-$18,000/year
  • Identity governance: $5,000-$25,000/year (larger businesses)

Endpoint security:

  • Endpoint detection and response (EDR): $2,400-$8,000/year
  • Antivirus/anti-malware: $600-$2,400/year
  • Mobile device management (MDM): $1,200-$4,800/year
  • Full disk encryption: $0-$1,800/year (BitLocker and FileVault are built into Windows and macOS; third-party key management and reporting cost extra)

Network security:

  • Next-generation firewall: $3,000-$15,000 capital + $1,200-$4,800/year licensing
  • Web application firewall (WAF): $2,400-$12,000/year (if hosting web apps)
  • VPN for remote access: $1,200-$6,000/year
  • Network access control: $4,800-$18,000 implementation + ongoing

Data security:

  • Encryption (at rest, in transit): $0-$6,000 (often built in or cloud-native)
  • Data loss prevention (DLP): $6,000-$25,000/year
  • Data masking tools: $3,000-$15,000/year (if developing software)
  • Backup and disaster recovery: $2,400-$12,000/year

Security monitoring and response:

  • SIEM (Security Information and Event Management): $8,000-$35,000/year
  • Or SOC-as-a-Service: $12,000-$48,000/year
  • Vulnerability scanning: $1,800-$6,000/year
  • Penetration testing: $8,000-$25,000 annually

Security awareness and training:

  • Security awareness platform: $1,200-$4,800/year
  • Phishing simulation: $600-$2,400/year
  • Training content development: $2,000-$6,000 (initial)

Governance, risk, and compliance (GRC) platform:

  • Policy management, risk register, audit management, asset tracking
  • Cost: $3,600-$15,000/year (or manual using spreadsheets: $0)

Real cost example: 35-employee professional services firm

Current state: Microsoft 365, basic antivirus, password-only authentication, no monitoring

Required technical implementation:

Control category          Solution                                      Cost
MFA                       Microsoft MFA (included) + Duo for non-M365   $1,800/year
Password management       1Password Business                            $1,680/year
EDR                       Microsoft Defender for Endpoint               $2,100/year
Email security            Microsoft Defender for O365 P2                $2,520/year
DLP                       Microsoft Purview DLP (included)              $0
Monitoring                Microsoft Sentinel (SIEM)                     $4,800/year
Vulnerability scanning    Qualys                                        $2,400/year
Security awareness        KnowBe4                                       $2,100/year
Backup                    Veeam + Azure Backup                          $3,600/year
Web filtering             Cisco Umbrella                                $1,680/year
Policy/GRC platform       Manual (spreadsheets)                         $0
Total first year (includes setup)                                       $28,400
Ongoing annual                                                          $22,680

  • Plus consultant implementation: $26,000
  • Plus certification audit: $11,500
  • Total first year: $65,900

This business already had Microsoft 365. If they didn't, add $12,600/year for E5 licensing.

Notice: 43% of cost is technical implementation (security tools and platforms).

Different example: 25-employee manufacturing with legacy systems

Current state: On-premise servers, no cloud, Windows Server 2012 (out of support), no MFA, local admin access everywhere

Required technical implementation:

[Table of required technical implementation not reproduced. The totals below imply $68,100 of technical implementation in the first year.]

  • Plus consultant: $32,000
  • Plus certification: $8,800
  • Total first year: $108,900

Here, 62% of cost is technical implementation because infrastructure needed significant upgrade.

The point: ISO 27001 cost depends heavily on current security maturity.

Modern cloud business with decent security: lower technical costs
Legacy systems, outdated infrastructure, minimal controls: high technical costs

The Certification Audit Reality

Certification bodies calculate audit days from the audit-time table in ISO/IEC 27006 (the ISMS counterpart of the IAF MD5 method used for ISO 9001 and 14001), then adjust for information security complexity factors.

Indicative base audit days (initial certification, Stage 1 and Stage 2 combined):

  • 1-5 employees: 2-2.5 days
  • 6-25 employees: 2.5-3.5 days
  • 26-65 employees: 3.5-5 days
  • 66-125 employees: 5-7 days
  • 126-350 employees: 7-10 days
  • 351-1,000 employees: 10-14 days

Information security complexity adjustments (+20-50%):

IT environment complexity:

  • Basic (Microsoft 365, SaaS only): Base days
  • Moderate (hybrid cloud, some on-premise): +15-25%
  • Complex (multi-cloud, extensive on-premise, legacy systems): +30-50%

Why complexity matters: Auditor must verify:

  • Access controls across all systems
  • Encryption implementation
  • Logging and monitoring configuration
  • Vulnerability management processes
  • Incident response capability
  • Backup and recovery testing
  • Configuration management
  • Secure development practices (if applicable)

Complex environment = more systems to audit = more time.

Multi-site operations (+15-30% per site): Each site has different security controls. Auditor samples multiple sites.

Outsourced IT management (+10-15%): Auditor must verify managed service provider controls, contracts, oversight.

Software development (+20-40%): If you develop software, auditor must verify secure development lifecycle, code review, testing, deployment controls. Adds significant time.

High-risk industry (+10-20%): Finance, healthcare, government contractors get additional scrutiny.

Example calculation: 45-employee SaaS company, AWS cloud, develops software

Base duration: 4.5 days (45 employees)
Cloud complexity (AWS + development): +1.5 days
Software development lifecycle: +1 day
Total: 7 days

Day rate: $2,300

  • Stage 1: 2.5 days = $5,750
  • Stage 2: 4.5 days = $10,350
  • Total certification: $16,100
  • Surveillance (40%): $6,440/year

Different example: 30-employee accountancy firm, Microsoft 365 only, no development

Base duration: 3.5 days
Basic IT environment: no addition
High-risk (financial data): +0.5 days
Total: 4 days

Day rate: $2,200

  • Stage 1: 1.5 days = $3,300
  • Stage 2: 2.5 days = $5,500
  • Total certification: $8,800
  • Surveillance (35%): $3,080/year

What auditor actually verifies:

Stage 1 (documentation review):

  • ISMS scope and boundaries
  • Risk assessment methodology and results
  • Risk treatment plan
  • Statement of Applicability (all 93 controls addressed)
  • Information security policies
  • Asset inventory
  • Supplier security requirements

Stage 2 (on-site/remote implementation audit):

  • Interview staff about security awareness
  • Test access controls (sample user accounts and verify their permissions match documented approvals, including leavers who should no longer have access)
  • Review logs and monitoring outputs
  • Verify MFA implementation
  • Test backup restoration
  • Review vulnerability scan results
  • Check patch management compliance
  • Verify incident response procedures
  • Sample supplier assessments
  • Review business continuity testing evidence
  • Check physical security controls
  • Verify cryptography implementation

Technical auditor will actually test controls, not just review documents.

Example: "Show me how your DLP prevents engineers from emailing source code to personal accounts."

If you can't demonstrate it working, that's a non-conformance.

Hidden Costs: Technical Capability Requirements

ISO 27001 assumes you have information security expertise.

The standard requires:

  • Risk assessment (identifying information security risks)
  • Control selection (choosing appropriate security controls)
  • Technical implementation (deploying security technologies)
  • Security monitoring (detecting and responding to threats)
  • Vulnerability management (identifying and patching weaknesses)
  • Incident response (handling security breaches)

If you don't have internal InfoSec expertise, you're paying for:

Virtual CISO (vCISO) services: $4,000-$12,000/month

  • Strategic security guidance
  • Risk assessment leadership
  • Control selection and prioritization
  • Vendor selection support
  • Incident response planning
  • Board/executive reporting

Security architecture: $8,000-$25,000 (project-based)

  • Design security architecture for your environment
  • Cloud security configuration
  • Network segmentation
  • Identity and access model

Security operations: $3,000-$15,000/month

  • Monitor security alerts (SIEM)
  • Respond to incidents
  • Threat hunting
  • Vulnerability management

Many businesses underestimate this cost.

They budget for consultant to "get ISO 27001 certified" but don't realize they need ongoing security expertise to:

  • Actually implement controls correctly
  • Monitor security continuously
  • Respond to vulnerabilities and threats
  • Maintain controls over time

Real example: Melbourne legal tech startup, 18 employees

Hired ISO consultant: $18,000
Hired certification body: $6,500

Then discovered:

  • No one on the team knows how to configure a SIEM (the monitoring capability Control 8.16 expects)
  • No one knows how to interpret vulnerability scan results
  • No one knows how to conduct security architecture review for new cloud deployment
  • No one can write incident response runbooks

Hired vCISO: $6,000/month = $72,000/year

Total first-year cost: $96,500 (not the $24,500 they budgeted)

Options to manage this:

  1. Hire security person ($95,000-$160,000/year salary + super + benefits)
  2. Retain vCISO ($48,000-$144,000/year for part-time)
  3. Use managed security services ($36,000-$180,000/year depending on scope)
  4. Train existing IT person ($8,000-$15,000 training + certification + time to learn)

Or accept higher risk and rely on consultant/MSP for security decisions (cheaper but less control).

Budget for ongoing security capability, not just one-time certification.

Consultant Competency: Why InfoSec Experience Matters

ISO 27001 consultant needs both ISO expertise and information security technical knowledge.

Why ISO knowledge alone isn't enough:

Real example: Perth professional services firm hired "ISO consultant with 15 years quality and safety experience" who'd done "several ISO 27001 projects."

Consultant delivered:

  • Risk assessment identifying "data breach" and "system failure" as risks (too generic, useless)
  • Statement of Applicability marking 35 controls "not applicable" without proper justification
  • Access control policy saying "passwords must be strong" (no technical specification)
  • Backup procedure saying "IT backs up important data regularly" (no RPO/RTO, no testing requirement)
  • No guidance on MFA selection or implementation
  • No SIEM configuration support
  • Generic vulnerability management procedure with no tool recommendations

Result at Stage 2 audit:

  • 8 major non-conformances
  • 15 minor non-conformances
  • Cannot certify

Why? Consultant understood ISO requirements but didn't understand information security technical implementation.

Hired actual InfoSec consultant to fix: $16,000
Re-audit: $7,200
Total wasted: $23,200 + 4 months delay

What ISO 27001 consultant actually needs:

Technical qualifications:

  • CISSP (Certified Information Systems Security Professional), or
  • CISM (Certified Information Security Manager), or
  • CISA (Certified Information Systems Auditor), or
  • Equivalent security certifications (CEH, OSCP, Security+, GSEC)

Plus ISO experience:

  • CQI/IRCA or Exemplar Global certified ISO 27001 Lead Implementer
  • Or equivalent ISO 27001 implementation training

Plus practical experience:

  • Implemented ISO 27001 at least 5-8 times
  • Understands cloud security (AWS/Azure/GCP)
  • Knows security tooling (SIEM, EDR, DLP, etc.)
  • Can configure technical controls, not just write policies
  • Understands threat landscape and attack patterns

Red flags when interviewing consultants:

"I've implemented ISO 9001, 14001, 45001, so 27001 is similar" Wrong. ISO 27001 shares the management-system skeleton but is driven by an information security risk assessment and requires technical controls, not just documented processes.

"We use our standard templates and customize for your business" Risk assessment, control selection, technical architecture must be business-specific. Templates don't work.

Can't answer: "How would you implement Control 8.16 (monitoring activities) for our AWS environment?" If consultant doesn't know what SIEM is, how to configure CloudTrail, what monitoring rules to implement—walk away.

"You don't need DLP/SIEM/EDR for certification" Technically true: the Statement of Applicability can exclude a control, but only with a justification grounded in your risk assessment, and the auditor will test that justification. Controls exist for risk reduction. A consultant pushing minimum compliance is maximizing your risk.

Questions to ask consultants:

  1. "What information security certifications do you hold?" (Looking for CISSP, CISM, CISA, or equivalent)
  2. "How many ISO 27001:2022 implementations have you completed?" (2022 is different from 2013, need recent experience)
  3. "What's your approach to implementing Control 8.9 (Configuration Management) for a business using AWS?" (Testing actual technical knowledge)
  4. "How do you help clients select and implement SIEM?" (Should discuss options like Splunk, Sentinel, ELK, managed SOC, selection criteria, configuration approach)
  5. "Can you provide references from businesses similar to ours who've achieved certification in the last 12 months?"
  6. "Will you actually help implement technical controls or just document requirements?"

Best answer to #6: "We'll help with vendor selection, configuration guidance, testing, and verification. We'll configure baseline security settings but you'll need dedicated security resource or MSP for ongoing operations."

Bad answer: "That's outside our scope, you'll need to handle technical implementation separately."
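One way to answer question #4 above, and to implement the monitoring that Control 8.16 (monitoring activities, described earlier) calls for, as an added example rather than code from the article or from any vendor: detection rules run over CloudTrail records. The records are constructed by hand in CloudTrail's JSON shape; the rules mirror the well-known monitoring metric filters in the CIS AWS Foundations Benchmark (root usage, console login without MFA, IAM policy changes, CloudTrail configuration changes) plus a simple failed-login burst check. The CORPORATE_EGRESS range, the failure threshold and the window are assumptions.

```python
"""Monitoring rules over CloudTrail records (ISO 27001:2022 control 8.16).

Added example, not code from the original article or from any vendor. The
records are constructed by hand in CloudTrail's JSON shape. CORPORATE_EGRESS
is an assumed office/VPN egress range (TEST-NET-3); the failed-login threshold
and window are arbitrary tuning values a real deployment would adjust.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

CORPORATE_EGRESS = ("203.0.113.",)           # assumption: approved source range for console logins
FAILED_LOGIN_THRESHOLD = 3                   # failures from one IP ...
FAILED_LOGIN_WINDOW = timedelta(minutes=10)  # ... within this window = credential guessing
IAM_CHANGE_EVENTS = {"AttachUserPolicy", "PutUserPolicy", "AttachRolePolicy", "PutRolePolicy",
                     "UpdateAssumeRolePolicy", "CreateUser", "CreateAccessKey", "CreateLoginProfile"}
TRAIL_TAMPER_EVENTS = {"StopLogging", "DeleteTrail", "UpdateTrail", "PutEventSelectors"}

# Constructed records, one JSON object per line, as a SIEM would ingest them.
SAMPLE_CLOUDTRAIL_LINES = """
{"eventTime":"2025-03-04T09:00:00Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","userIdentity":{"type":"IAMUser","userName":"alice"},"sourceIPAddress":"203.0.113.10","responseElements":{"ConsoleLogin":"Success"},"additionalEventData":{"MFAUsed":"Yes"}}
{"eventTime":"2025-03-04T09:01:00Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","userIdentity":{"type":"IAMUser","userName":"bob"},"sourceIPAddress":"198.51.100.7","responseElements":{"ConsoleLogin":"Success"},"additionalEventData":{"MFAUsed":"No"}}
{"eventTime":"2025-03-04T09:02:00Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","userIdentity":{"type":"Root"},"sourceIPAddress":"203.0.113.10","responseElements":{"ConsoleLogin":"Success"},"additionalEventData":{"MFAUsed":"Yes"}}
{"eventTime":"2025-03-04T09:03:00Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","userIdentity":{"type":"IAMUser","userName":"admin"},"sourceIPAddress":"192.0.2.44","responseElements":{"ConsoleLogin":"Failure"},"errorMessage":"Failed authentication"}
{"eventTime":"2025-03-04T09:05:00Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","userIdentity":{"type":"IAMUser","userName":"admin"},"sourceIPAddress":"192.0.2.44","responseElements":{"ConsoleLogin":"Failure"},"errorMessage":"Failed authentication"}
{"eventTime":"2025-03-04T09:09:00Z","eventSource":"signin.amazonaws.com","eventName":"ConsoleLogin","userIdentity":{"type":"IAMUser","userName":"admin"},"sourceIPAddress":"192.0.2.44","responseElements":{"ConsoleLogin":"Failure"},"errorMessage":"Failed authentication"}
{"eventTime":"2025-03-04T09:12:00Z","eventSource":"iam.amazonaws.com","eventName":"AttachUserPolicy","userIdentity":{"type":"IAMUser","userName":"bob"},"sourceIPAddress":"198.51.100.7","requestParameters":{"userName":"bob","policyArn":"arn:aws:iam::aws:policy/AdministratorAccess"}}
{"eventTime":"2025-03-04T09:13:00Z","eventSource":"cloudtrail.amazonaws.com","eventName":"StopLogging","userIdentity":{"type":"IAMUser","userName":"bob"},"sourceIPAddress":"198.51.100.7","requestParameters":{"name":"org-trail"}}
{"eventTime":"2025-03-04T09:14:00Z","eventSource":"ec2.amazonaws.com","eventName":"DescribeInstances","userIdentity":{"type":"IAMUser","userName":"alice"},"sourceIPAddress":"203.0.113.10"}
"""


def load_records(text: str) -> list:
    """Parse one CloudTrail record per line, skipping blank lines."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def _alert(rule: str, severity: str, record: dict, detail: str) -> dict:
    ident = record.get("userIdentity", {})
    return {"rule": rule, "severity": severity, "time": record["eventTime"],
            "actor": ident.get("userName") or ident.get("type", "unknown"),
            "source_ip": record.get("sourceIPAddress", ""), "event": record["eventName"],
            "detail": detail}


def detect(records: list) -> list:
    """Run every rule over the records (oldest first) and return the alerts raised."""
    alerts = []
    failures = defaultdict(list)   # source IP -> timestamps of recent failed console logins
    for r in sorted(records, key=lambda x: x["eventTime"]):   # ISO 8601 'Z' stamps sort lexically
        ident = r.get("userIdentity", {})
        name, source, ip = r["eventName"], r.get("eventSource", ""), r.get("sourceIPAddress", "")

        if ident.get("type") == "Root":
            alerts.append(_alert("root-activity", "high", r,
                                 "root credentials used; routine work belongs on IAM identities"))

        if name == "ConsoleLogin":
            if r.get("responseElements", {}).get("ConsoleLogin") == "Failure":
                now = datetime.strptime(r["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
                failures[ip] = [t for t in failures[ip] if now - t <= FAILED_LOGIN_WINDOW] + [now]
                if len(failures[ip]) == FAILED_LOGIN_THRESHOLD:   # fire once, as the threshold is crossed
                    alerts.append(_alert("console-brute-force", "high", r,
                                         f"{FAILED_LOGIN_THRESHOLD} failed console logins from {ip} within {FAILED_LOGIN_WINDOW}"))
            else:
                if r.get("additionalEventData", {}).get("MFAUsed") != "Yes":
                    alerts.append(_alert("console-login-no-mfa", "high", r,
                                         "successful console login without MFA"))
                if not ip.startswith(CORPORATE_EGRESS):
                    alerts.append(_alert("console-login-off-network", "medium", r,
                                         "console login from outside the approved egress range"))

        if source == "iam.amazonaws.com" and name in IAM_CHANGE_EVENTS:
            policy = r.get("requestParameters", {}).get("policyArn", "")
            alerts.append(_alert("iam-policy-change", "high", r,
                                 f"privilege-affecting IAM change {name} {policy}".rstrip()))

        if source == "cloudtrail.amazonaws.com" and name in TRAIL_TAMPER_EVENTS:
            alerts.append(_alert("cloudtrail-tampering", "critical", r,
                                 "audit logging configuration changed; treat as possible anti-forensics"))
    return alerts


def severity_counts(alerts: list) -> dict:
    counts = {}
    for a in alerts:
        counts[a["severity"]] = counts.get(a["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    for a in detect(load_records(SAMPLE_CLOUDTRAIL_LINES)):
        print(f'{a["time"]} {a["severity"]:8} {a["rule"]:26} {a["actor"]:6} {a["source_ip"]:14} {a["detail"]}')
```

The same logic expressed as Sentinel analytics rules, Splunk searches or CloudWatch metric filters is what a consultant should be able to sketch for question #4; the auditor's follow-up under 8.16 is then "show me the alert this produced last month and what you did about it", which is why each alert carries the actor, source IP and a plain-language detail rather than just a rule name.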

Red Flags That Waste Money

"Certified in 6 weeks guaranteed"

ISO 27001 requires:

  • Complete risk assessment (identifying all information assets and threats)
  • Statement of Applicability (evaluating all 93 controls)
  • Technical control implementation (MFA, encryption, monitoring, backups, etc.)
  • Evidence collection (minimum 3 months operational evidence)
  • Internal audit
  • Management review

Realistic timeline: 5-9 months for initial certification.

6-week consultant is selling a certificate, not implementing security controls. You'll fail Stage 2 audit.

"We'll handle the certification, you don't need to be involved"

ISO 27001 is operational, not documentation.

Your staff needs to:

  • Understand and use security controls daily
  • Respond to security incidents
  • Manage access requests
  • Monitor security logs
  • Conduct security reviews

If consultant does everything and your staff doesn't understand the system, auditor will discover this in interviews and you'll fail.

"Cloud security is outside our scope"

In 2026, most businesses use cloud services (Microsoft 365, AWS, Azure, Google Workspace, SaaS applications).

Control 5.23 specifically requires information security for cloud services.

Consultant who can't guide cloud security configuration is incompetent for modern ISO 27001.

"You can skip penetration testing, it's not required"

Control 8.8 (management of technical vulnerabilities) requires you to identify, evaluate and remediate vulnerabilities in your systems, and Control 8.29 requires security testing in development and acceptance.

Neither control names penetration testing explicitly, but it remains the most reliable way to verify that your controls hold up against an actual attacker rather than a checklist.

Many auditors expect annual penetration testing, especially for high-risk or internet-facing businesses.

Consultant discouraging pentest is minimizing your security, not maximizing it.

"We use the same risk assessment for all clients in your industry"

Information security risks are business-specific:

  • Different data types (customer PII, financial, health, IP, operational)
  • Different threat actors (competitors, cybercriminals, nation-states, insiders)
  • Different vulnerabilities (cloud misconfig, legacy systems, poor access controls)
  • Different business impacts (revenue loss, regulatory fines, reputation damage)

Generic risk assessment fails to identify your actual risks.

Example: Two accounting firms:

Firm A: Cloud-only, Microsoft 365, no development, 12 employees
Firm B: On-premise, custom software, 45 employees, multi-site

Same industry. Completely different risk profiles and required controls.

How to Get Accurate Quotes

Information to provide:

IT environment details:

  • Employee count (including contractors with system access)
  • Primary systems and applications (Microsoft 365, Xero, Salesforce, AWS, custom applications, etc.)
  • Infrastructure type (cloud-only, hybrid, on-premise)
  • Network architecture (office, remote workers, VPN, cloud connectivity)
  • Software development (yes/no, languages, deployment frequency)
  • Data classifications (customer PII, payment card data, health records, IP, etc.)

Current security posture:

  • Existing security tools (MFA, EDR, SIEM, backup, vulnerability scanning)
  • Recent security assessments or audits
  • Known security gaps or concerns
  • Previous security incidents
  • Compliance requirements (Privacy Act, PCI DSS, etc.)

Scope and objectives:

  • What's in scope (entire business, specific department, specific systems)
  • Business drivers (customer requirement, insurance requirement, tender requirement, risk reduction)
  • Timeline expectations
  • Budget constraints

Critical questions to ask consultants:

1. "What information security certifications do you hold personally?" If they don't have CISSP, CISM, CISA, or equivalent—be cautious.

2. "How many ISO 27001:2022 implementations have you completed? Can I speak with 3 recent clients?" Need recent 2022 experience (not 2013 experience claimed as equivalent).

3. "How do you approach risk assessment for businesses in our industry?" Looking for: threat modeling, business impact analysis, vulnerability assessment, industry-specific risks, crown jewels identification.

4. "What technical security controls do you expect we'll need to implement?" They should provide preliminary view based on what you've told them. Vague answer = inexperienced.

5. "Will you help with vendor selection and configuration of security tools?" "Yes, we provide guidance and best practice configuration" = good "That's out of scope" = you'll struggle

6. "What's included vs what costs extra?" Get specific breakdown: risk assessment, gap analysis, control implementation support, documentation, training, internal audit, audit support—what's included in quoted price?

7. "What's your approach for the 11 new controls in 27001:2022?" If they can't articulate threat intelligence (5.7), cloud security (5.23), configuration management (8.9), data leakage prevention (8.12), monitoring (8.16)—they don't understand 2022 version.

For certification bodies:

1. "Are you JAS-ANZ accredited for ISO/IEC 27001?" A certificate from a non-accredited body is worthless to customers and insurers.

2. "Do your auditors have information security backgrounds, not just ISO auditing?" Need technical security expertise, not just ISO audit training.

3. "What's your Stage 2 pass rate for first-time ISO 27001 certifications?" Should be 70-85%. Higher = they're not auditing thoroughly. Lower = unrealistic expectations.

4. "Can you provide the lead auditor's CV?" You're entitled to know who's auditing you. Review their InfoSec experience.

5. "What happens if we receive major non-conformances at Stage 2?" Understand timeline and cost for non-conformance closure and re-audit.

Get 5-7 consultant quotes and 4-6 certification body quotes.

Compare on:

  • Information security expertise (most important)
  • ISO 27001:2022 experience
  • Implementation approach (technical support vs documentation only)
  • Total cost including technical guidance
  • Client references in your industry
  • Timeline realism

Cheapest consultant without InfoSec expertise will cost more when you fail audit.

2026 Market Reality (Ransomware Changed Everything)

What changed 2023-2026:

Ransomware epidemic intensified.

  • Australian businesses targeted: nearly 94,000 cybercrime reports to the ACSC in 2022-23, with ransomware among the most damaging categories (ACSC Annual Cyber Threat Report)
  • Average ransom demand: $1.8M (up from $850K in 2022)
  • Average total cost (ransom + recovery): $2.4M
  • 62% of businesses hit with ransomware go out of business within 12 months

Cyber insurance became mandatory—and expensive.

  • Insurance premiums increased 80-150% (2022-2024)
  • Insurers requiring ISO 27001 or equivalent for coverage
  • Sub-limits for ransomware reduced ($1M coverage now common, down from $5M)
  • Exclusions expanded (nation-state attacks often excluded)
  • Some businesses deemed "uninsurable" without security certification

Privacy Act penalties increased dramatically.

  • Pre-2022: Maximum $2.22M penalty for serious or repeated interferences with privacy
  • Post-2022: Maximum of the greater of $50M, three times the benefit obtained, or 30% of adjusted turnover for the period
  • Notifiable Data Breaches scheme enforcement strengthened
  • OAIC conducting more proactive audits

Supply chain security became customer requirement.

  • Enterprise procurement now mandates vendor security certification
  • Government contractors require Essential Eight Maturity Level 2+ (ISO 27001 supports compliance)
  • B2B SaaS customers requiring SOC 2 or ISO 27001
  • Businesses losing deals due to lack of security certification

Result: ISO 27001 demand exploded.

Impact on pricing:

2022 average consultant rate: $185-$240/hour

2026 average consultant rate: $240-$320/hour

Increase driven by:

  • Higher demand (insurance requirements, customer mandates)
  • Limited supply (qualified InfoSec consultants are scarce)
  • Increased complexity (11 new controls in 2022, ransomware focus, cloud security)

2026 certification trends:

Integrated audits more common:

  • ISO 27001 + SOC 2 Type II
  • ISO 27001 + Essential Eight
  • ISO 27001 + PCI DSS

Specific control focus areas:

Ransomware resilience: auditors are scrutinising:

  • Offline/immutable backups
  • Privileged access management
  • EDR deployment and monitoring
  • MFA on all systems
  • Vulnerability patching speed

Cloud security (Control 5.23):

  • Cloud configuration reviews
  • Data sovereignty verification (Australian data stored in Australia)
  • Cloud access governance
  • SaaS security assessments

Supply chain security:

  • Vendor risk assessments
  • Supplier security requirements in contracts
  • Fourth-party risk (your vendors' vendors)

Threat intelligence (Control 5.7):

  • Dark web monitoring (leaked credentials)
  • Vulnerability intelligence feeds
  • Industry-specific threat sharing

Zero trust architecture: not an ISO 27001 requirement, but an emerging best-practice trend:

  • Verify every access request
  • Least privilege access
  • Assume breach mindset

Market prediction 2026-2027:

Prices will continue increasing 8-12% annually until supply of qualified InfoSec consultants meets demand.

Early 2027 reality: Budget 15-20% more than 2026 quotes if you delay.

Cyber Insurance Requirements

Cyber insurance in 2026 is fundamentally different from 2020.

Pre-2020: Get insurance easily, minimal security requirements, broad coverage, reasonable premiums.

2026: Insurance difficult to obtain, strict security requirements, limited coverage, expensive premiums.

What insurers require for cyber insurance coverage:

Minimum security controls (non-negotiable):

  • Multi-factor authentication on all remote access and privileged accounts
  • Endpoint detection and response (EDR) on all devices
  • Email security (anti-phishing, anti-malware)
  • Regular backups with offline/immutable copies
  • Vulnerability scanning and patch management
  • Security awareness training
  • Privileged access management

Increasingly required:

  • ISO 27001 certification or equivalent (SOC 2 Type II, NIST CSF)
  • Annual penetration testing
  • Incident response plan with tabletop testing
  • SIEM or managed detection and response (MDR)
  • Data loss prevention (DLP)

Example: Melbourne law firm, 28 employees, seeking $2M cyber insurance

2022 application:

  • Premium: $8,400/year
  • No specific security requirements
  • Coverage: $2M ransomware, $1M data breach, $500K business interruption
  • Accepted with basic antivirus + backups

2026 renewal: Insurer requirements:

  • Must have MFA (they didn't)
  • Must have EDR (they had basic antivirus)
  • Must have email security (they didn't)
  • Must have security awareness training (they didn't)
  • Prefer ISO 27001 certification

Options provided:

  1. Implement required controls + ISO 27001: Premium $14,200/year, coverage maintained
  2. Implement minimum controls, no certification: Premium $19,600/year, ransomware sub-limit reduced to $750K
  3. No improvements: Coverage declined

They chose option 1:

  • ISO 27001 implementation: $35,000
  • First year cost: $35,000 + $14,200 = $49,200

But they saved $5,400/year versus the non-certified premium, and maintained full coverage.

ROI: Insurance savings alone justify certification in 4-5 years. Protection from $1.8M average ransomware cost is the real value.

Businesses being declined cyber insurance entirely:

  • Healthcare without encryption at rest
  • Financial services without privileged access management
  • Any business storing payment cards without PCI DSS
  • Businesses with previous breach and no remediation evidence
  • Manufacturing/infrastructure with legacy systems and no segmentation

ISO 27001 certification is becoming a de facto requirement for cyber insurance.

Not because insurers mandate it explicitly, but because implementing the 93 controls addresses insurer requirements.

Insurance discount for ISO 27001: 15-40% premium reduction (varies by insurer, industry, coverage amount)

Example: $18,000 premium without certification → $12,600 with certification = $5,400 annual saving

Over 3-year certificate: $16,200 savings (significant offset to certification cost)

Government Support and Incentives

Commonwealth programmes:

Cyber Security Skills Partnership Innovation Fund: Grants for cyber security skills development. ISO 27001 training qualifies.

Australian Small Business Advisory Services (Digital Solutions): Rebates up to $5,000 for cyber security improvements including certifications.

State-specific:

New South Wales:

  • Small Biz Connect: Cyber security advice and support (free)
  • TechVouchers: Up to $15,000 for cyber security technology and advice

Victoria:

  • Cybersafe Victoria Initiative: Grants for SMEs implementing security improvements
  • Victorian Innovation Vouchers: Up to $20,000 for cyber security

Queensland:

  • Business Basics Grant: Up to $10,000 for cyber security certifications
  • Digital Skills Boost: Training and security improvement rebates

Western Australia:

  • Small Business Development Corporation: Cyber security advice (free)
  • Innovation Vouchers: Up to $15,000 for security implementation

South Australia:

  • Cyber Security Capability Grant: Up to $12,000 for security certifications

Tasmania:

  • Digital Ready for Business: Cyber security implementation support

Australian Cyber Security Centre (ACSC) resources (free):

  • Essential Eight Maturity Model (aligns with ISO 27001)
  • Cyber security advice for small business
  • Threat intelligence bulletins
  • Incident response guidance

Many grants require pre-approval before you engage a consultant.

Application strategy:

  1. Research eligible grants for your state/industry
  2. Apply BEFORE starting ISO 27001 project
  3. Frame application as "cyber security improvement" not just "certification"
  4. Emphasize risk reduction, customer protection, business resilience
  5. Include implementation timeline and measurable outcomes

Expect 3-6 months grant approval timeline. Plan accordingly.

The Bottom Line: Controls vs Certificate

Small business (5-20 employees, basic IT): Budget $30,000-$60,000 first year.

Medium business (20-60 employees, moderate complexity): Budget $60,000-$120,000 first year.

Large/complex business (60+ employees, multi-cloud, development): Budget $120,000-$300,000+ first year.

Transitioning from ISO 27001:2013 to 2022: Budget $20,000-$75,000 depending on gap.

3-year total cost (certification + surveillance + recertification + tool subscriptions + ongoing security): Add 80-110% to first year cost.

Example: 40-employee professional services, Microsoft 365, no development

  • Year 1: $72,000 (consultant, technical implementation, certification)
  • Year 2: $34,000 (surveillance, tool subscriptions, security operations)
  • Year 3: $45,000 (surveillance, recertification, tools, operations)
  • 3-year total: $151,000

Compare to breach cost: $280,000-$1.8M (Australian averages)

Remember: You're not buying a certificate. You're implementing 75-85 security controls to protect your business.

The certificate proves you did it. The controls protect you.

What matters more than cost:

  1. JASANZ accreditation (non-accredited certificate is worthless)
  2. Consultant information security expertise (CISSP/CISM/CISA, not just ISO knowledge)
  3. Technical implementation quality (controls that actually work, not just documented)
  4. Current security tool selection (avoid vendor lock-in, choose scalable solutions)
  5. Ongoing security capability (vCISO, MDR, or internal resource)
  6. Alignment with cyber insurance requirements (MFA, EDR, testing, etc.)

Key insight most businesses miss:

Cheap consultant ($15,000) + weak technical implementation ($8,000) + failed audit + re-work ($18,000) = $41,000 total

Quality consultant with InfoSec expertise ($32,000) + proper technical implementation ($22,000) + pass first time = $54,000 total

Price difference: $13,000

Risk difference: Massive

Don't optimize for lowest quote. Optimize for successful implementation of effective security controls.

One ransomware attack costs 5-50x more than ISO 27001 certification.

Next Steps

If you're serious about ISO 27001:2022 certification:

  1. Check cyber insurance requirements (your insurer may subsidize/require certification)
  2. Research grant eligibility (could recover $5,000-$20,000)
  3. Assess current security maturity (determines technical implementation costs)
  4. If transitioning from 2013, complete by October 2025 (deadline for transition)
  5. Visit CertBetter platform
  6. Request matches with verified ISO 27001 consultants with InfoSec credentials
  7. Request quotes from 4-6 JASANZ accredited certification bodies
  8. Verify consultant holds CISSP, CISM, CISA or equivalent (not just ISO training)
  9. Get total cost including technical implementation, not just consulting/audit
  10. Budget for ongoing security operations/vCISO (don't forget this cost)

At CertBetter, we verify information security consultants and certification bodies across Australia.

We've checked:

  • Information security qualifications (CISSP, CISM, CISA, not just ISO training)
  • JASANZ accreditation (for certification bodies)
  • ISO 27001:2022 implementation experience (not 2013 experience)
  • Technical capability (cloud security, SIEM, EDR, DLP implementation)
  • Client outcomes (pass rates, re-work rates, reference checks)

No sales pressure. No commission. Just verified security professionals and transparent comparison.

Stop risking $1.8M ransomware cost. Start comparing ISO 27001 consultants who understand both ISO requirements and actual information security.

Because you're not buying documentation. You're implementing 93 controls that protect your business from cyber threats.

Unsure what ISO 27001 will cost your organisation? Our ISO 27001 cost calculator gives you an AI-generated estimate based on team size, scope, and complexity before you compare consultant proposals.

Dilawar Laghari

Hi! I am Dilawar Laghari, founder of CertBetter.

I created CertBetter to help anyone compare ISO certification providers for free.
