User
How much does it cost to implement ISO 27001?
Experta
Here’s an explanation of each of these costs and a rough estimate of amounts (all amounts are in US dollars):
1. The cost of literature and training – Implementation of ISO 27001 is rather complex, requires changes in your organization, and requires new skills. You can prepare your employees by buying various books on the subject and/or sending them to courses (in-person or online) – the duration of these courses varies from 1 to 5 days. Advisera’s ISO 27001 courses – the cost is between $250 and $1,700 per person. And don’t forget to buy the ISO 27001 standard itself – the cost is around $100.
2. The cost of external assistance – Unfortunately, training your employees is not enough. If you don’t have a security officer with in-depth experience in ISO 27001 implementation, you’ll need someone who does have such knowledge – you can either hire a consultant or get some online alternative. Consultant costs differ greatly from one country to another, but for small companies in the United States, the cost could be around $15,000; the cost of Advisera’s Conformio ISO 27001 software is about $2,000 annually. However, be careful here – do not expect the consultant or online software to do the whole implementation for you – your employees will have to invest some time as well.
3. The cost of employees’ time – Your employees have to spend some time figuring out where the risks are, how to improve existing procedures and policies or implement new ones, and they have to take some time to train themselves for new responsibilities and for adapting to new rules.
4. The cost of technology – Most companies don’t need investment in hardware, software, or anything similar. They already have all the technology they need – however, during the implementation of ISO 27001, they have to start using that technology in a more secure way. So, from the technology point of view, most costs will be related to changing your existing activities, and those costs will be captured under the previous category – the cost of employees’ time.
5. The cost of certification – If you want to obtain public proof that you have complied with ISO 27001, the certification body will have to do a certification audit – this cost will also depend on the size of the company. In the United States, the certification of a smaller company might be around $7,500.
You have to be very careful not to underestimate the true cost of an ISO 27001 project – if you do, your management will start looking at your project in a negative light. On the other hand, forecasting all costs correctly will show your level of professionalism; and don’t forget – you always have to present both the costs and the benefits.