Implementing an ISO 27001 compliant information security management system (ISMS) requires a significant investment of time, money and resources. It will vary from organisation to organisation depending on a lot of factors including what is already in place, what skills are in-house, how large or complex an organisation is and speed of implementation. Here are some guidelines.


  • The quickest implementation period is 12 -16 weeks.
  • More usually, for a small to medium sized organisations, the implementation process takes 6-12 months on average. For larger companies, 12-24 months is typical.
  • After achieving certification, you will need to factor in time to maintain your ISMS so time for monitoring, reviews, internal audits and continuous improvement.


  • The certification audit itself will cost £2,000 to £10,000 for smaller companies and £10,000+ for larger companies.
  • If you choose to use software tools for risk assessment, audits and policies they will dent your budget too (Frankly we run very successful implementations without any specialist software – so no additional cost).
  • There will also be the cost of the staff time implementing the ISMS, this is frequently hard to quantify as it just becomes part of their job role.
  • Annual surveillance audits are required after certification, typically costing 30-50% of the initial audit.


  • A cross-functional ISO 27001 project team is required, involving leadership, IT, HR, legal, finance and other departments.
  • Involving a consultant is highly recommended to provide expertise, training and implementation guidance.
  • Employee time will be required for training, implementing controls and contributing to risk management.

The investment pays off through enhanced security, lower risk, compliance and competitive advantage. With proper planning and budgeting, organisations of any size can achieve ISO 27001 success.