ISO 27001 Cost Calculator
To budget ISO 27001 certification, multiply the IAF MD 5 audit-day count by your registrar's day rate ($1,500–$2,800/day), then add implementation cost across the 14 historic Annex A domains and a Vanta/Drata-style ISMS tool subscription. This calculator plots the full three-year cycle: Stage 1 + Stage 2 in Year 1, surveillance audits in Year 2 and Year 3, recertification in Year 4.
Quick Conversion
Formula: USD = audit-days × day rate
Annex A 14-domain audit checklist
Tap a domain to include / exclude it from your scope. Colour codes follow the 2022 four-theme regrouping (A.5 SoA still requires every control to appear, even when justified-excluded).
Three-year cycle timeline
Profile your ISMS
| Line item | Cost |
|---|---|
| Year 2 surveillance | $100,766 |
| Year 3 surveillance | $95,124 |
| Year 4 recertification | $114,657 |
| 4-year TCO | $692,976 |
| Implementation (Annex A) | $282,079 |
| Consultant / vCISO | $44,000 |
| Tooling (Vanta/Drata) | $35,600 |
| Stage 1 (gap) | $6,750 |
| Stage 2 (cert) | $14,000 |
What this estimate really means
A Year 1 cost of $382,429 covers the equivalent of 174 audit days at the BSI/Schellman median day rate. Across the full 3-year cycle, your spend of $578,319 equates to about $16.1K/month sustained programme cost — the band Vanta and Drata both report as the median spend for a SaaS achieving 27001 + SOC 2 + HIPAA simultaneously.
Implementation cost of in-scope domains grouped into the four 2022 themes. Technological controls (access, ops, crypto, SDLC) usually dominate.
Adding Vanta or Drata would cut roughly $120,649 off Year 1 — evidence auto-pulled from AWS/GitHub/Okta and 1-2 fewer surveillance audit days. Toggle automation above to apply it.
Running ISO 27001 jointly with SOC 2 would save roughly $53,000 of implementation through shared evidence and control mapping (Schellman/A-LIGN/Coalfire report 20-30%). For US SaaS targeting enterprise, the consensus is to add 27001 within 6-12 months of SOC 2 Type II.
Reality check — the certification ecosystem
Major IAF-accredited registrars
- BSI Group · UK. Accredited by UKAS. Largest 27001 registrar globally.
- DNV · Norway. Accredited by NAB-NL. Strong in maritime/energy verticals.
- Schellman & Co. · USA. Accredited by ANAB. SaaS-focused, often pairs 27001 with SOC 2.
- TÜV Rheinland · Germany. Accredited by DAkkS. Industrial/automotive sectors.
- Bureau Veritas · France. Accredited by COFRAC. Multi-site programmes.
- A-LIGN · USA. Accredited by ANAB. Fast-growing in SaaS / fintech.
Audit-day bands (IAF MD 5)
| Staff | Stage 1 | Stage 2 | Recert |
|---|---|---|---|
| 1–50 | $4.0K | $8.0K | $10.0K |
| 51–250 | $6.8K | $14.0K | $17.0K |
| 251–1,000 | $11.3K | $25.0K | $30.0K |
| 1,001–5,000 | $18.0K | $43.5K | $51.5K |
| 5,001–50,000 | $30.0K | $75.0K | $87.5K |
2022 revision — 11 new controls
- 5.7 Threat intelligence
- 5.23 Information security for cloud services
- 5.30 ICT readiness for business continuity
- 7.4 Physical security monitoring
- 8.9 Configuration management
- 8.10 Information deletion
- 8.11 Data masking
- 8.12 Data leakage prevention
- 8.16 Monitoring activities
- 8.23 Web filtering
- 8.28 Secure coding
ISO/IEC 27001:2022 Clause 6.1.3 d)
“Produce a Statement of Applicability that contains the necessary controls and justification for inclusions, whether they are implemented or not, and the justification for exclusions of controls from Annex A.”
The SoA is the artefact your registrar reviews first — before the risk assessment, before the policy stack.
Audit-days × day-rate table
IAF MD 5 audit-day rates: $1,500–$2,800/day (illustrative). Most BSI/Schellman quotes land at ~$2,200/day.
| Audit days | @ $1,500 | @ $2,200 | @ $2,800 |
|---|---|---|---|
| 2 | $3,000 | $4,400 | $5,600 |
| 3 | $4,500 | $6,600 | $8,400 |
| 4 | $6,000 | $8,800 | $11,200 |
| 6 | $9,000 | $13,200 | $16,800 |
| 8 | $12,000 | $17,600 | $22,400 |
| 10 | $15,000 | $22,000 | $28,000 |
| 12 | $18,000 | $26,400 | $33,600 |
| 15 | $22,500 | $33,000 | $42,000 |
| 18 | $27,000 | $39,600 | $50,400 |
| 22 | $33,000 | $48,400 | $61,600 |
| 28 | $42,000 | $61,600 | $78,400 |
| 35 | $52,500 | $77,000 | $98,000 |
Formula — 3-year TCO
- Year1 = Σ selected_domain_cost + consultant + tooling + Stage1 + Stage2
- Year2 = tooling + surveillance_audit + 0.20 × implementation_residual
- Year3 = tooling + surveillance_audit + 0.18 × implementation_residual
- 3-year TCO = Year1 + Year2 + Year3

Worked: a 220-staff SaaS with all 14 Annex A domains in scope at base impl ≈ $212K, consultant $44K, tooling $36K, Stage 1 $6.75K, Stage 2 $14K ≈ $313K Year 1. Year 2 & 3 surveillance at ~$53K each = ~$419K 3-year TCO.
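The formula above as runnable Python, added here as an example rather than the calculator's own code: it looks up the page's IAF MD 5 staff-band fees and carries the worked 220-staff case through all three years. The page gives no numeric value for surveillance_audit or implementation_residual, so the values used for them below are constructed assumptions.

```python
# Added example, not the calculator's own implementation: the page's
# 3-year TCO formula plus a lookup over its IAF MD 5 staff-band table.

# Audit fees by staff band, from the page's "Audit-day bands" table (USD).
# Each row: (upper staff bound, Stage 1, Stage 2, Recert).
AUDIT_BANDS = [
    (50, 4_000, 8_000, 10_000),
    (250, 6_800, 14_000, 17_000),
    (1_000, 11_300, 25_000, 30_000),
    (5_000, 18_000, 43_500, 51_500),
    (50_000, 30_000, 75_000, 87_500),
]


def audit_band(staff: int) -> tuple[int, int, int]:
    """Return (stage1, stage2, recert) fees for a staff count."""
    for upper, stage1, stage2, recert in AUDIT_BANDS:
        if staff <= upper:
            return stage1, stage2, recert
    raise ValueError(f"{staff} staff is beyond the published bands")


def year1(impl: float, consultant: float, tooling: float,
          stage1: float, stage2: float) -> int:
    """Year1 = sum of selected domain costs + consultant + tooling + Stage1 + Stage2."""
    return round(impl + consultant + tooling + stage1 + stage2)


def surveillance_year(tooling: float, surveillance_audit: float,
                      implementation_residual: float, factor: float) -> int:
    """Year2/Year3 = tooling + surveillance_audit + factor x implementation_residual.
    The page uses factor 0.20 for Year 2 and 0.18 for Year 3."""
    return round(tooling + surveillance_audit + factor * implementation_residual)


def three_year_tco(impl, consultant, tooling, stage1, stage2,
                   surveillance_audit, implementation_residual) -> dict:
    """Full cycle: Year1 + Year2 + Year3, returned per year plus the total."""
    y1 = year1(impl, consultant, tooling, stage1, stage2)
    y2 = surveillance_year(tooling, surveillance_audit, implementation_residual, 0.20)
    y3 = surveillance_year(tooling, surveillance_audit, implementation_residual, 0.18)
    return {"year1": y1, "year2": y2, "year3": y3, "tco": y1 + y2 + y3}


if __name__ == "__main__":
    # Worked case from the page: 220-staff SaaS, all 14 domains in scope.
    _, stage2_fee, _ = audit_band(220)  # falls in the 51-250 band
    # Constructed assumptions (the page gives neither value): surveillance
    # audit at half of Stage 2, residual implementation backlog of $50K.
    print(three_year_tco(212_000, 44_000, 36_000, 6_750, 14_000,
                         surveillance_audit=stage2_fee / 2,
                         implementation_residual=50_000))
```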
How to use this calculator
- Tap each Annex A domain to include or exclude it. The SoA must still list every excluded domain with justification.
- Enter staff and sites. The audit-day formula in IAF MD 5 scales by both.
- Flag complications. Cloud, in-house SDLC, existing SOC 2 (-22%), HITRUST overlay, external consultant.
- Calculate. The grid highlights selected domains, the cycle strip shows all 4 years of cost.
- Plan the cycle. Year 1 is the big spend; Year 2 and 3 are ~25-35% of Year 1; Year 4 recertification is ~70% of Year 1 Stage 2.
A short history of ISO 27001 and what it costs to certify
Why this calculator exists. In 2026 a CISO at a 220-staff SaaS facing the 31 October 2025 transition deadline to ISO 27001:2022 needs to defend a 3-year budget to the board without quoting registrar marketing decks. This tool consolidates the BSI / DNV / Schellman published rate cards, the IAF MD 5 audit-day formula, and the Annex A 14-domain implementation cost into one grid and one cycle strip.
ISO 27001 traces to the 1995 British Standard BS 7799-1, written by the UK Department of Trade and Industry and a working group led by John Sheriff and David Lacey. BS 7799-2 (the management-system spec) followed in 1998. ISO and IEC adopted it as ISO/IEC 27001:2005, replacing BS 7799-2. The 2013 revision aligned it with ISO's harmonised management-system structure (Annex SL).
The 2022 revision — ISO/IEC 27001:2022 — was published 25 October 2022. It restructures Annex A from 114 controls in 14 clauses (A.5 through A.18) to 93 controls organised by four themes: Organisational, People, Physical, and Technological. Eleven new controls were added including cloud security (5.23), threat intelligence (5.7), ICT readiness for business continuity (5.30), data masking (8.11), data leakage prevention (8.12), and secure coding (8.28). IAF Mandatory Document 26 set the transition deadline at 31 October 2025.
For practitioners the cost picture remained stable through both revisions because audit-day calculations under IAF MD 5 are scoped by staff count, sites, and ISMS scope — not by which Annex A version applies. A 250-staff SaaS budgets roughly $80K-$160K for Year 1 across implementation, tooling (Vanta or Drata at $25K-$50K), Stage 1 audit (1-2 days, $5K-$8.5K), and Stage 2 audit (3-7 days, $10K-$18K). Surveillance audits in Years 2 and 3 are ~40-50% of Stage 2 cost; recertification in Year 4 is ~70%.
The single biggest cost lever is whether a SOC 2 attestation already exists. Schellman, A-LIGN, and Coalfire all report 20-30% cost reduction on a joint 27001 + SOC 2 audit because evidence collection, control mapping (CC1-CC9 to A.5-A.18), and documentation overlap heavily. For US SaaS targeting enterprise customers, the consensus is to add ISO 27001 within 6-12 months of achieving SOC 2 Type II.
The other lever is automation. Vanta's 2024 State of Trust report places median manual ISMS cost at $285K Year 1 vs $180K with continuous-monitoring automation — a 37% reduction. The savings are largely in evidence collection (auto-pulled from AWS / GitHub / Okta) and in surveillance audits where automated control monitoring replaces 1-2 audit days.
This calculator exists because every ISO 27001 cost guide online either treats the 14 domains as monolithic or treats audit fees as a flat rate. The Annex A grid plus per-band audit-fee strip is meant to make the trade-offs visible — which domains to include, which to scope out, and which audit-day count actually matches your staff size.
What ISMS managers say
“The 14-domain grid still matches how my Schellman auditor talks even though we are on the 2022 revision. The audit fee bands match our actual quotes within 5%.”
“Showed the Year 2 / Year 3 surveillance strip to my CFO and finally got buy-in for a 3-year compliance budget rather than year-by-year. Best ISO calculator on the web.”
“Mapping the 14 domains to the four 2022 themes is exactly the bridge our board needed. The pillar-coloured grid is a brilliant teaching aid for non-technical directors.”
“I have audited 27001 implementations for nine years. This is the first calculator I have seen that prices the controls and the audit days separately, which is exactly how IAF MD 5 works.”