The foundation for ISO 27001 is your risk assessment and then your statement of applicability (SoA) and risk treatment plan. This is where you decide what controls you need to put in place. Depending on this there might be controls that are already in place (zero cost) and there might be controls that needs to be designed and implemented. There is a cost associated with this but until you have decided on the control and how to mitigate the risk you are not able to budget for the cost. For example it might be that all of your 25 employees need to receive awareness training on your information security policy at a cost of say £6000 in internal employee time or it might be that you want to buy a software solution that will help you manage and deploy security patches to your 1500 servers in your data centre at the cost of say £45000. You get the picture.
This also hints at the variable cost that has to do with the size of the organisation, the complexity of the organisation, the geographical scope, the scope of the ISMS, the technology already used, etc.
To be successful with ISO 27001 design and implementation ISO 27001 should be treated as a project and hence there will be cost associated with this such as a project manager. Perhaps you have someone in the organisation that has ISO 27001 experience as well as project management experience or perhaps you are looking at getting external assistance. In whatever case there is a cost, either internal employee time or external consulting assistance (or both in many cases).
ISO 27001 is however not just done by having a project manager and a consultant. Involvement of employees is a must so this means cost in employee time doing training, risk assessment, writing documentation, reviewing documentation, etc. Finally if you want external certification there is a cost associated with the certification body (CB). Again the cost here depends on the CB and the size of the organisation and scope of the ISMS but will probably be in the region of 5 – 10 man days.
So what does ISO 27001 certification cost? Well assuming a company with 25 employees, operating in the UK, using external consultant assistance, wanting external certification, for a one year ISO 27001 project the cost (including internal employee time) could be anywhere between £10,000-£25,000 in my experience.
BUT what does it cost if you don’t implement ISO 27001? Well if you do ISO 27001 correctly it will be a management system that will give you a more efficient operation, it will give you an edge over the competitors who do not have ISO 27001 and it will enable you to participate in bids where ISO 27001 is required. Again if you design and implement a good management system it will both prevent incidents and should incidents happen it will help you get the business back on track. The Pwc 2014 Information Security Breaches Survey showed that the cost associated with breaches was on average £65k – £115k for a small business.
See www.pwc.co.uk/audit-assurance/publications/2014-information-security-breaches-survey.jhtml
Another study from Ponemon Institute’s 2013 Cost of Cyber Crime finds the average company experiences more than 100 successful cyber attacks each year at a cost of $11.6M. The study also shows that those employing good security governance practices reduced costs by an average of $1.5M (seewww.hpenterprisesecurity.com/register/thank-you/2013-fourth-annual-cost-of-cyber-crime-study-global). In my book that means ROI is less than one year.