ISO 27001 Implementation Estimator

A realistic estimate for European tech companies — including the line items that don't appear on most proposals but end up on your invoice anyway. Cash costs and internal time.
01 Company Profile
Number of internal ISMS owners: the people who will own the ISMS project internally, typically IT, security, or ops staff, not developers. Most Series A startups have 1–3 people in this function.

Fully loaded cost per IT/security staff member in the EU: €60k–€100k. Used to price the opportunity cost of their time on the ISMS project.
02 Scope & Security Maturity
Number of cloud services, SaaS tools, and infrastructure components in scope.

Infrastructure model (effort multiplier):
- Cloud-native: 0.88×
- Hybrid: 1.0×
- On-premise: 1.18×
Security maturity level:
1. Initial
2. Developing
3. Defined
4. Managed
5. Optimised

Level 3 (Defined): processes documented; some controls in place but not consistently measured.
Already have one of these? It reduces implementation effort.
- SOC 2: −10%
- NIST CSF: −7%
Compliance tooling:
- Standard: basic tooling
- Using one: Vanta / Drata / Sprinto
- Manual: spreadsheets

Standard security tooling is included in base costs. A compliance platform reduces effort by ~18%; manual evidence collection adds ~30%.
03 SOC 2 Specifics
Type II is what enterprise customers actually require. Type I is faster but most prospects will ask for Type II within 18 months — meaning two audits.
Trust Services Criteria in scope:
- Security: required
- Availability: +12%
- Confidentiality: +10%
- Privacy: +15%
03 Implementation Approach
Advisory partner handles documentation, risk treatment, control implementation, and audit prep. Your team participates but doesn't run it (~2–4 weeks internal time).
BARE market rate: €1,000–€1,500 per day (auto-set from engineer cost).
ISO 27001 · Year 1 estimate

Cash costs only. Internal time cost shown below.

Opportunity cost: IT / security staff time

Key figures:
- Effort (person-days)
- Duration (weeks)
- Audit days (per ISO 27006)
- Internal FTE required
Effort by phase
Cost breakdown — Year 1 cash costs
- Advisory / consultant fees
- Internal labour cost
- Security tooling (awareness + vulnerability scanning)
- Compliance automation platform (Vanta / Drata)
- Penetration test (external, required)
- Certification body audit
- Opportunity cost (IT/security staff time, not invoiced)
- Re-audit risk (40% probability × €8k–€18k)
- Realistic Year 1 total
Implementation insights
Year 2 ongoing costs
- Surveillance audit
- Security tooling (annual)
- Advisory retainer (ISMS maintenance)
- Annual total
Figures are indicative, anchored to ISO 27006:2015 audit day tables and European market data (BSI, DNV, Bureau Veritas rates). Actual costs depend on ISMS scope, documentation maturity, and choice of certification body. BARE engagements are fixed-fee — you'll know the number before we start.