LIVE NEWSROOM · --:-- · June 2, 2026

ISO 27001:2022 Certification Cost: 12-Month Roadmap and Auditor Guide


The ISO 27001 2022 certification cost for a mid-market organization (200–2,000 employees) runs from $50,000 to $200,000 in Year 1 — a figure that spans gap assessment, consultant fees, policy documentation, internal labor, and the Stage 1 and Stage 2 certification audits conducted by an accredited certification body. With the mandatory October 2025 transition deadline now passed, all new certifications must target the 2022 revision of ISO/IEC 27001, which restructured the control set from 114 items across 14 domains to 93 controls across four themes and introduced 11 entirely new controls. This guide covers the complete cost anatomy, a month-by-month 12-month implementation roadmap, Stage 1 and Stage 2 audit cost ranges, and a direct comparison of the four certification bodies most commonly used by US mid-market organizations — BSI, Schellman, A-LIGN, and Coalfire — so procurement teams can build an accurate budget before booking the first call.

// 01 What Changed in ISO 27001:2022: From 114 to 93 Controls

ISO/IEC 27001:2022 was published on October 25, 2022 by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), replacing the 2013 edition as the authoritative standard for information security management systems (ISMS — the documented collection of policies, procedures, and controls an organization implements to manage information security risk systematically).

The most consequential change was the restructuring of Annex A, the normative list of security controls that organizations must evaluate and implement as appropriate. The 2013 version contained 114 controls organized into 14 control domains (such as Access Control, Cryptography, and Physical and Environmental Security). ISO 27001:2022 collapsed those into 93 controls across four simplified themes:

Theme                   | Control Count | Primary Focus
Organizational Controls | 37            | Governance, risk management, access policy, supplier security, incident management
People Controls         | 8             | Background screening, NDAs, security awareness, remote working, disciplinary process
Physical Controls       | 14            | Facility security, physical access monitoring, media disposal, environmental protection
Technological Controls  | 34            | Encryption, endpoint protection, DLP, threat intelligence, secure coding, network security

Beyond the control restructuring, ISO 27001:2022 introduced two new mandatory requirements at the clause level. Clause 6.3 requires organizations to document planned changes to the ISMS and manage them in a controlled manner. The standard also strengthened the requirement to identify and document the needs and expectations of interested parties — stakeholders whose requirements the ISMS must address. Both changes require documented evidence during the Stage 2 audit.

The 2022 revision also added five new attribute annotations to each control (control type, information security properties, cybersecurity concepts, operational capabilities, and security domains), making it easier to map controls to frameworks such as NIST CSF and CIS Controls — a practical benefit for organizations maintaining multiple compliance programs simultaneously.

// 02 The October 2025 Transition Deadline: What It Means in 2026

The International Accreditation Forum (IAF — the body that coordinates international accreditation standards for certification bodies globally) mandated October 31, 2025 as the final date for all ISO 27001:2013 certificates to transition to the 2022 standard. Organizations that held a valid 2013 certificate and did not complete a transition audit before that date had their certification invalidated automatically, regardless of the printed expiration date on the certificate.

As of May 2026, no ISO 27001:2013 certificates remain valid. Every active ISO 27001 certification in the market is now issued under the 2022 standard. There is no longer a "transition audit" pathway — organizations that let their 2013 certificate lapse must pursue full initial certification against ISO 27001:2022, meaning the complete Stage 1 and Stage 2 audit cycle at full cost.

For organizations that missed the deadline, the business impact is immediate. Vendor security questionnaires (particularly those based on the CAIQ from the Cloud Security Alliance), enterprise customer security reviews, and regulatory frameworks that accept ISO 27001 as an equivalent control framework will flag the absence of a valid certificate. The corrective action is a new certification program — there are no shortcuts back.

// 03 ISO 27001 2022 Certification Cost: Full Breakdown by Company Size

The ISO 27001 2022 certification cost varies substantially by organization size, existing security maturity, and whether the implementation is driven by internal staff, an external ISMS consultant, or a GRC (Governance, Risk, and Compliance — a category of software platforms that automate evidence collection, policy management, and audit readiness) automation platform. The table below shows the full Year 1 cost components across three company profiles:

Cost Component            | Small (≤100 employees) | Mid-Market (200–2,000) | Enterprise (2,000+)
Gap Assessment            | $2,000–$5,000          | $5,000–$15,000         | $15,000–$40,000
External Consultant       | $10,000–$20,000        | $15,000–$50,000        | $50,000–$150,000
Policy Documentation      | $3,000–$8,000          | $5,000–$15,000         | $15,000–$30,000
Internal Labor (est.)     | $15,000–$30,000        | $30,000–$75,000        | $75,000–$200,000
Training and Tools        | $2,000–$5,000          | $5,000–$20,000         | $20,000–$50,000
Internal Audit            | $1,000–$3,000          | $3,000–$8,000          | $8,000–$20,000
Stage 1 Audit             | $1,500–$2,500          | $2,500–$5,000          | $5,000–$12,000
Stage 2 Audit             | $4,000–$8,000          | $8,000–$20,000         | $20,000–$60,000
Year 1 Total              | $38,500–$81,500        | $73,500–$208,000       | $208,000–$562,000
Annual Surveillance Audit | $4,000–$8,000          | $8,000–$25,000         | $25,000–$60,000

Internal labor is consistently the most underestimated line item. A mid-market organization should budget 300–500 hours of combined CISO, IT manager, and compliance officer time in Year 1. At a blended internal rate of $150 per hour, that represents $45,000–$75,000 in opportunity cost before a single external consultant engages. Organizations that understaff the implementation consistently overshoot their timelines by three to six months.

A concrete benchmark: a 300-employee SaaS company using an external ISMS consultant for six months, an accredited certification body for Stage 1 and Stage 2 audits, and a GRC automation platform such as Drata or Vanta to automate evidence collection can typically complete Year 1 certification in the $65,000–$90,000 range — toward the lower end of the mid-market band — because GRC automation eliminates a significant portion of manual evidence gathering.

// 04 Stage 1 and Stage 2 Audit Costs Explained

The certification audit is conducted in two sequential stages by an accredited certification body (CB — an organization accredited by a national accreditation body, such as ANAB in the US or UKAS in the UK, to assess conformance with ISO standards and issue certificates on behalf of the accreditation body).

Stage 1 audit (documentation review or readiness audit) focuses on whether the ISMS documentation is complete and fit for purpose. The auditor reviews the scope statement, information security policy, risk assessment methodology, risk treatment plan, and — most critically — the Statement of Applicability (SoA). The SoA is the master document that lists all 93 Annex A controls, states whether each is included in or excluded from the ISMS, and provides justification for every exclusion. A missing or poorly justified SoA is the most common reason Stage 1 audits result in major findings that delay the Stage 2. Stage 1 typically runs one to two auditor days.

At 2026 US auditor day rates of $1,400–$2,500 per day — which have increased approximately 20% since 2024 due to a sustained global shortage of qualified ISO 27001 Lead Auditors — Stage 1 costs fall in the $1,800–$5,000 range for mid-market organizations.

Stage 2 audit (the certification audit) assesses whether the controls documented in the SoA are actually implemented and operating effectively. The auditor interviews staff, observes processes, samples logs and configuration records, and verifies that technical controls exist and function as described. Stage 2 typically runs two to five auditor days for a mid-market organization. At the same day rates, Stage 2 costs land between $8,000 and $20,000.

Organizations with multiple sites, complex multi-cloud environments, or a large in-scope workforce (developers, customer support, finance staff who interact with in-scope systems) will see Stage 2 scope expand and costs approach the upper end of that range.

After Stage 2, if the auditor identifies major nonconformities (deficiencies that indicate the ISMS cannot achieve its intended outcome — for example, a risk assessment that was never completed or a critical Annex A control that is absent with no documented justification), the organization must remediate before the certificate issues, typically within 30–90 days depending on the CB's policy. Minor nonconformities (process gaps that do not undermine the ISMS's core function) must be addressed within the first surveillance audit cycle, typically 12 months after certification.

// 05 The 12-Month ISO 27001:2022 Certification Roadmap

For a mid-market organization with moderate security maturity — meaning documented security policies exist, a SIEM (Security Information and Event Management platform) is in place, and an identified internal ISMS owner is available at roughly 50% capacity — a 12-month timeline from initial gap assessment to certification is achievable. Organizations starting from a low baseline (no existing policies, no dedicated security staff) should budget 14–18 months. The accelerated 12-month path requires executive sponsorship secured in Month 1 and a certification body booked no later than Month 6.

The flowchart below maps the full pathway from gap assessment to certificate, including the Stage 1 pass/fail branch:

[Figure: ISO 27001:2022 12-month gap-to-certificate pathway with decision branch]

The implementation timeline visualized as a Gantt-style phase diagram:

[Figure: ISO 27001:2022 implementation roadmap — 12-month gap-to-certificate timeline for a mid-market organization starting January 2026]

Key scheduling rule: book the certification body engagement no later than Month 6. Auditor availability constraints at BSI, Schellman, A-LIGN, and Coalfire mean Stage 2 slots are frequently two to four months out. Organizations that complete control implementation by Month 9 but fail to book the CB until Month 10 routinely push certification into Month 14 or 15.

// 06 The 11 New Annex A Controls You Must Implement

These 11 controls were absent from ISO 27001:2013 and are among the most scrutinized during Stage 2 audits. Organizations frequently underestimate the implementation effort because the controls span both new policy work and new technical tooling:

  • A.5.7 — Threat Intelligence: The organization must collect and analyze threat intelligence relevant to its threat landscape and integrate that intelligence into the risk treatment process. Most mid-market organizations satisfy this control by subscribing to an ISAC (Information Sharing and Analysis Center — a sector-specific community that shares threat data) or a commercial threat intelligence feed, or by configuring a SIEM to ingest threat intel from sources such as MISP or an aggregator like Recorded Future.
  • A.5.23 — Information Security for Cloud Services: Governance of cloud service provider relationships must be formally documented, including cloud-specific risk assessments and contractual security requirements. Every IaaS (Infrastructure as a Service), PaaS (Platform as a Service), and SaaS (Software as a Service) provider that processes in-scope data requires a documented security assessment.
  • A.5.30 — ICT Readiness for Business Continuity: Critical IT and communication systems must have documented recovery capabilities that align with the organization's business continuity plan. This control requires specific RTO (Recovery Time Objective — the maximum acceptable downtime for a system) and RPO (Recovery Point Objective — the maximum acceptable data loss period) values for in-scope systems, backed by tested recovery procedures.
  • A.7.4 — Physical Security Monitoring: Physical access to secure areas must be continuously monitored. CCTV coverage of server rooms, data centers, and secure work areas is the standard implementation. Monitoring logs must be retained and reviewed.
  • A.8.9 — Configuration Management: A documented process for managing secure baseline configurations of hardware, software, services, and networks is required. CIS Benchmarks and NIST SP 800-128 provide established baseline profiles that satisfy this control.
  • A.8.10 — Information Deletion: Sensitive data must be deleted securely when no longer needed, across all media types including cloud-hosted storage. Documented data retention schedules and a verified deletion process (for example, NIST 800-88-compliant media sanitization) are required.
  • A.8.11 — Data Masking: PII (Personally Identifiable Information) and other sensitive data must be masked in non-production environments and where full data access is not operationally required. Techniques include pseudonymization (replacing identifying fields with synthetic tokens), tokenization, and anonymization, depending on the use case.
  • A.8.12 — Data Leakage Prevention: Controls must prevent unauthorized disclosure of sensitive data. DLP (Data Loss Prevention — technology that detects and blocks unauthorized data transfers across endpoints, email, and cloud channels) deployment on endpoints and email gateways is the most direct implementation path.
  • A.8.16 — Monitoring Activities: Networks, systems, and applications must be monitored continuously for anomalous behavior, and monitoring outputs must be reviewed and acted upon. This control explicitly requires that alerting is not just configured but operationally managed — unused alert queues do not satisfy it.
  • A.8.23 — Web Filtering: Access to external websites must be managed to protect users from malicious content and prevent unauthorized data exfiltration via the browser. DNS filtering (services such as Cisco Umbrella or Cloudflare Gateway) or proxy-based web filtering satisfies this control.
  • A.8.28 — Secure Coding: The organization must apply secure development principles to all internally developed or managed software. This requires documented secure coding guidelines, mandatory code review processes, and developer training aligned with OWASP Top 10 and NIST SSDF (Secure Software Development Framework) principles.

// 07 ISO 27001:2022 Certification Body Comparison: BSI vs Schellman vs A-LIGN vs Coalfire

Choosing the right certification body affects audit quality, timeline, and total program cost. The four most commonly used CBs for US mid-market organizations differ meaningfully in pricing model, audit culture, and market fit:

Certification Body | Accreditation | Pricing Model                                    | Audit Culture                                  | Best Fit
BSI Group          | UKAS, ANAB    | Auditor day rates — direct quote required        | Formal, structured, process-oriented           | Organizations selling to UK/EU buyers; enterprises where BSI brand recognition matters
Schellman          | ANAB          | Fixed-fee, outcome-based; <5% amendment rate     | Tech-sector expertise, pragmatic               | US SaaS and tech companies; organizations prioritizing cost predictability
A-LIGN             | ANAB          | Engagement-based; multi-framework bundles available | Flexible, strong combined-audit capability  | Organizations pursuing ISO 27001 + SOC 2 simultaneously
Coalfire           | ANAB          | Engagement-based; premium tier                   | FedRAMP experience; healthcare and government focus | Government contractors; highly regulated industries

BSI Group is the UK's national standards body and one of the oldest accredited certification bodies globally. Its certificate register carries strong brand recognition with European and UK procurement teams — a meaningful advantage for organizations with EU customers subject to contracts that require a UKAS-accredited ISO 27001 certificate specifically. BSI does not publish standard rates; pricing is based on an auditor day calculation derived from scope complexity and organization size, and requires direct engagement to quote.

Schellman distinguishes itself with a fixed-fee, outcome-based model. This matters because traditional day-rate engagements create an auditor incentive to identify additional scope and extend the engagement. Schellman caps the audit fee at the agreed amount regardless of how many days the Stage 2 requires, provided the scope does not change after contract signature. For mid-market organizations, Schellman's combined Stage 1 and Stage 2 fees typically fall in the $15,000–$35,000 range. Their amendment rate — the percentage of engagements where the client is billed above the agreed fixed fee — is publicly stated as under 5%.

A-LIGN offers a structurally important advantage for organizations pursuing multiple compliance frameworks: the ability to conduct a combined ISO 27001 and SOC 2 Type II audit in a single engagement. A combined audit avoids duplicating evidence collection — roughly 60% of ISO 27001 Annex A controls map directly to SOC 2 Trust Service Criteria — and typically reduces total combined audit fees by 20–30% compared to running the two certifications independently. For SaaS companies whose enterprise customers require both certifications, A-LIGN's combined audit pathway is a strong cost argument.

Coalfire operates at premium price points and is best positioned for organizations in highly regulated sectors — federal government contractors pursuing FedRAMP authorization, healthcare organizations subject to HIPAA, and financial institutions. Coalfire's lead auditors typically have deep sector-specific expertise that justifies the premium for clients where that context matters.

When evaluating proposals from any of these CBs, request the specific lead auditor's resume and verify their ISO 27001 Lead Auditor certification status under the CQI/IRCA scheme. An auditor with deep SaaS experience will conduct a more relevant Stage 2 than a generalist with an infrastructure-only background.

// 08 Year 2 and Beyond: Surveillance and Recertification Costs

ISO 27001 certificates are valid for three years, subject to passing annual surveillance audits. A surveillance audit (also called a maintenance audit) reviews a subset of the ISMS — typically 30–40% of Annex A controls, rotated annually — to confirm the management system remains operational and effective. Surveillance audits run at roughly 40–60% of the original Stage 2 cost: $8,000–$25,000 per year for mid-market organizations at 2026 rates.

At the end of the three-year cycle, organizations undergo a recertification audit, which resembles a Stage 2 in depth. Budget recertification at 80–100% of the original Stage 2 cost — typically $8,000–$20,000 for mid-market. The certificate does not expire between cycles provided surveillance audits are passed on schedule; missing a surveillance audit triggers a suspension period.

Year 2 and Year 3 total program costs are substantially lower than Year 1 because the policy documentation, risk assessment methodology, and control implementation work does not repeat. Ongoing annual costs for a mid-market organization — internal labor for continuous ISMS management, surveillance audit fees, GRC platform subscription, and annual security awareness training — typically run $40,000–$80,000 per year after the initial certification is in place.

// 09 How to Reduce ISO 27001 2022 Certification Cost

Three levers have the most measurable impact on total program cost:

1. Deploy a GRC automation platform before you start. Tools such as Drata, Vanta, or Tugboat Logic connect directly to cloud infrastructure (AWS, Azure, GCP), SaaS applications, and HR systems via API to collect evidence automatically — screenshots, configuration exports, access logs, and policy acknowledgments. Evidence collection is the single most time-intensive manual task in Stage 2 preparation for organizations working without automation. Compliance automation platforms reduce evidence gathering effort by 40–70%, translating to 80–150 fewer internal hours in the pre-audit sprint. At $150/hr blended internal rate, that saves $12,000–$22,500 on internal labor alone — typically more than the annual GRC platform cost of $15,000–$40,000 for mid-market.

2. Right-size the certification scope. ISO 27001 does not require certifying the entire organization. Scope is defined by the organization and can be limited to a specific product, service, or infrastructure environment. Certifying a well-bounded SaaS product and its supporting cloud infrastructure — rather than headquarters, HR systems, and all business processes — compresses the number of Annex A controls in play, shrinks the policy documentation surface, and shortens Stage 2 duration. Many mid-market companies certify their product scope first and expand in subsequent three-year cycles.

3. Combine with SOC 2 Type II if both are required. Enterprise customer contracts in the US increasingly require both ISO 27001 and SOC 2 Type II. If your organization needs both certifications, scheduling a combined audit with A-LIGN or Schellman avoids running two independent audit cycles with redundant evidence collection, and typically reduces combined audit fees by 20–30%. The preparatory work overlaps substantially: a well-prepared SOC 2 program will have already implemented a majority of the ISO 27001 Annex A technical controls.

// 10 Conclusion

The ISO 27001 2022 certification cost is a predictable investment for organizations that plan the project correctly: $65,000–$90,000 for a well-scoped mid-market certification using GRC automation and a fixed-fee certification body, rising to $150,000–$200,000 for larger organizations with complex scope, manual evidence collection processes, and premium-tier auditors. With the October 2025 transition deadline passed, every organization pursuing this certification now implements all 11 new Annex A controls — threat intelligence, cloud service governance, DLP, secure coding, and the rest — under the 2022 standard. The organizations that land at the low end of the cost range share three characteristics: they scoped tightly, automated evidence collection from day one, and booked their certification body no later than Month 6 of the implementation.

See our SOC 2 Type II 90-day guide for a complementary compliance certification comparison, and our compliance evidence automation guide for a tool-by-tool breakdown of GRC platforms that reduce the manual labor cost of both ISO 27001 and SOC 2 programs. Subscribe to the CiphersSecurity weekly threat digest for ongoing updates on compliance framework changes →


    Team Ciphers Security

    The Ciphers Security editorial team — practitioners covering daily threat intel, CVE deep-dives, and hands-on cybersecurity research.
