The four cost buckets
- Certification body fees. Driven by audit man-days, which scale with headcount, scope complexity, and number of locations under accreditation duration rules. Get the full three-year figure in writing, not just year one.
- Internal effort. The dominant real cost: risk assessment, control implementation, policy work, evidence collection, internal audit, and management review. A motivated small company typically spends 200 to 400 person-hours reaching first certification.
- Optional consultants. From a few thousand dollars of milestone coaching to $15,000 to $40,000 for a guided build. Valuable when nobody internal owns security; wasteful when they write policies describing a company that does not exist.
- Optional tooling. Compliance automation platforms typically run $5,000 to $25,000 per year. They accelerate evidence collection for cloud-native companies but are not required by the standard, and auditors certify systems, not dashboards.
What moves your quote up
Multiple offices and data centers in scope, development activities included (secure development controls get audited), regulated data (health, payment), heavy outsourcing requiring supplier control evidence, and broad scopes. The single best cost decision is a precise scope: certify the parts of the organization your customers actually care about, stated honestly on the certificate, and expand scope at a later surveillance if needed.
Where not to save
Unaccredited certificate mills sell ISO 27001 paper cheaply, and security-literate customers detect it in one procurement question ("who accredits your certification body?"). The audience that asks for ISO 27001 is precisely the audience that verifies it. Choose a certification body whose accreditation and audit rigor match what your customers expect, and remember the certificate must survive their vendor security review, not just decorate your website footer.