Costs
The expenses for the certification - including the person-days for the audits - are determined on the basis of the information contained in the application form, the first meeting and the definition of expenses depending on the standard. The OCG will state this certification fee in its offer to the customer.
The time required to carry out the ISO/IEC 27001:2013 certification audits varies, depending on the following aspects:
- Definition of the scope of the management system to be certified
- Maturity level of the management system
- Number of IT services
- Number of sites, temporary sites, if any
- Complexity of processes
- Risk potential of the particular sector
- Audit language(s)
- Dependence on suppliers and service providers (outsourcing of work)
Estimate
| Number of employees within the scope | Audit time for certification audit (recertification audit approx. -33%) | Auditor time for surveillance audit |
| --- | --- | --- |
| 1-10 | 5 days | 1.5 days |
| 11-25 | 7 days | 2 days |
| 26-45 | 8.5 days | 3 days |
| 46-65 | 10 days | 3.5 days |
| 66-85 | 11 days | 4 days |
| 86-125 | 12 days | 4 days |
| 126-175 | 13 days | 4.5 days |
| 176-275 | 14 days | 5 days |
| 276-425 | 15 days | 5 days |
| 426-625 | 16.5 days | 5.5 days |
| 626-875 | 17.5 days | 6 days |
| 875-1,175 | 18.5 days | 6.5 days |
| >1,175 | see ISO/IEC 27006 C3.1 | see ISO/IEC 27006 C3.1 |
The above estimates are reference values and may increase by a factor of 1.5 to 2 depending on the aspects listed above. Audit costs for re-certification may decrease by another 1/3.