ISO 27001 Certification Cost Calculator: Why Scope Matters More Than Headcount

CertBetter

Team CertBetter

[Image: ISO 27001 certification cost calculator — free estimate for AU, UK, US, Canada]

ISO 27001 certification cost behaves differently from every other ISO standard. Employee count still matters, but it is not the primary driver. What determines your audit time — and therefore your cost — is the scope of your Information Security Management System: which systems, data assets, and processes you choose to include in your certification boundary.

Why ISO 27001 Uses a Different Audit Day Framework

ISO 27001 certification bodies are accredited under ISO/IEC 27006, a separate standard that specifies audit time requirements for information security management systems. Where IAF MD5 uses employee count as the base variable, ISO/IEC 27006 also considers the number of systems and data flows in scope, the complexity of the Annex A controls being implemented, and whether the organisation handles particularly sensitive data categories.

This means a 500-person organisation that certifies a single cloud product can pay less than a 50-person business that certifies its entire data environment. Scope selection is not just a cost lever — it is a strategic decision. The CertBetter ISO 27001 cost calculator helps you model different scope scenarios before committing to one.

ISO 27001 Cost by Certification Scope (2026)

[Table image: ISO 27001 certification cost by scope — narrow, standard, and full enterprise ISMS, with audit days and cost ranges]

Initial certification audit estimates. Excludes consulting, implementation, and ongoing surveillance costs. Source: ISO/IEC 27006, IAF MD5, and CertBetter provider data.

For Australian businesses specifically, our breakdown of what the 93 Annex A controls actually cost to implement in Australia gives a fuller picture of the total investment — not just the audit fee.

The Annex A Controls: What Auditors Are Actually Testing

ISO 27001:2022 includes 93 controls across four themes: organisational, people, physical, and technological. Auditors do not test all 93 in equal depth — they focus on the controls your Statement of Applicability declares as applicable and the evidence that those controls are operating effectively.

The preparation cost for ISO 27001 is typically higher than for ISO 9001 or ISO 14001 because the evidence requirements are more technical: access logs, penetration test results, encryption key management records, incident response documentation, supplier security assessments. Businesses without a technical person managing this work often engage a consultant — which is a separate cost on top of the certification audit itself.

If you are comparing consultant options, our guide to comparing ISO 27001 consultants covers what to look for and what questions to ask before signing an engagement.

Remote vs On-Site: ISO 27001 Is Well-Suited to Remote Auditing

Unlike ISO 45001 or ISO 14001, where physical site observation is often mandatory, ISO 27001 audits are predominantly document- and evidence-based. Most certification bodies now conduct ISO 27001 stage 1 and stage 2 audits entirely or predominantly remotely, with the exception of physical security controls (data centre access, clean desk policy, CCTV systems), which may still require a site visit.

This makes ISO 27001 one of the best candidates for cost reduction through remote auditing — often saving 25–35% compared to a fully on-site engagement. The cost calculator accounts for this when you select your audit preference.

How Long Does ISO 27001 Certification Actually Take?

The audit itself is a fraction of the timeline. Most businesses spend three to twelve months building and documenting their ISMS before they are ready for the stage 1 audit. For a detailed breakdown of the phases, see our guide on how long ISO 27001 certification takes — including what typically delays businesses and how to avoid the most common hold-ups.

Does ISO 27001 cost more than ISO 9001?

The audit itself can be comparable for similarly scoped certifications. The difference is implementation: ISO 27001 typically requires more technical groundwork — risk assessments, control documentation, penetration testing, access management systems — which adds preparation cost that ISO 9001 does not usually carry to the same degree. For a lean technology business certifying a single product, ISO 27001 can actually cost less than a multi-site ISO 9001 audit.

Can I reduce scope to reduce cost?

Yes, and this is a legitimate and common approach. Certifying a defined product scope rather than the whole organisation reduces audit days, speeds up implementation, and lowers the barrier to your first certificate. Many businesses start narrow and expand their scope at recertification. The risk is that some customers or tender requirements specify organisation-wide certification — confirm this before narrowing scope.

What is the difference between ISO 27001 and SOC 2?

SOC 2 is a US-origin attestation framework popular with SaaS businesses selling to US enterprise customers. ISO 27001 is an internationally recognised certification used across Australia, the UK, Europe, and Asia-Pacific. The two address overlapping concerns but have different structures, evidence requirements, and markets, and businesses selling internationally increasingly pursue ISO 27001 for its global recognition.

Is a risk assessment required before the audit?

Yes — ISO 27001 Clause 6.1 requires a documented information security risk assessment as a core element of your ISMS. Auditors will review your risk register, risk treatment plan, and Statement of Applicability at stage 1. If these are not in place, the stage 1 audit cannot proceed. Our plain-English guide to ISO 27001 risk assessment for non-technical business owners explains exactly what is required without the jargon.


Dilawar Laghari

Hi! I am Dilawar Laghari, founder of CertBetter.

I created CertBetter to help anyone compare ISO certification providers for free.
