Preparation Guide

How to Prepare for an ISO 27001 Audit: Reduce Cost, Avoid Delays

Preparation typically accounts for 60-80% of total certification cost. A structured approach saves money, reduces audit findings, and gets you certified faster. Budget $5,000 - $75,000+ for preparation alone, depending on your approach and company size.

6-Phase Preparation Timeline

The typical preparation journey from gap analysis to audit readiness.

Phase 1: Gap analysis
Duration: 4 - 8 weeks. Cost: $5,000 - $20,000 (outsourced).

Assess your current security posture against the ISO 27001 requirements (clauses 4-10 and the Annex A controls). Identify what already exists, what needs creating, and what needs improving. The output of this phase defines the scope and cost of the entire project.

Phase 2: Documentation build
Duration: 6 - 12 weeks. Cost: $3,000 - $15,000 (templates + staff time).

Create the mandatory documents: ISMS scope, ISMS policy, risk assessment methodology, Statement of Applicability (SoA), risk treatment plan, and supporting procedures. Templates accelerate this, but every document needs tailoring to your context; auditors recognise an untouched template.

Phase 3: Risk assessment
Duration: 3 - 6 weeks. Cost: $5,000 - $15,000.

Identify information assets, assess threats and vulnerabilities, evaluate likelihood and impact to arrive at a risk level, and determine treatment options. This drives your control selection and the SoA. It must be genuinely risk-based, not a checkbox exercise: every control in the SoA should trace back to a risk, and every excluded control should have a documented justification.

Phase 4: Control implementation
Duration: 8 - 16 weeks. Cost: $5,000 - $30,000+.

Implement the controls identified in your risk treatment plan. This is the longest phase and spans access control, encryption, logging and monitoring, supplier management, incident response, security awareness training, and physical security.

Phase 5: Internal audit
Duration: 2 - 4 weeks. Cost: $5,000 - $15,000 (outsourced).

A mandatory ISO 27001 requirement (clause 9.2). It must cover the full ISMS scope and must be conducted by someone independent of the areas being audited, which is why small companies usually outsource it. See our internal audit cost guide.

Phase 6: Management review
Duration: 1 - 2 weeks. Cost: internal time only.

Senior management reviews ISMS performance, internal audit results, risk status, and resource needs (clause 9.3). The review must produce documented decisions and action items; minutes that record attendance but no decisions will not satisfy an auditor. It cannot be skipped.

Preparation Cost by Approach

Four approaches compared, by company size (employee count). These are preparation costs only, excluding the certification audit itself.

Approach             Small (11-50)          Medium (51-250)         Large (251-1,000)
DIY / internal       $5,000 - $15,000       $10,000 - $25,000       $15,000 - $35,000
Consultant-assisted  $15,000 - $30,000      $25,000 - $50,000       $40,000 - $75,000
Fully outsourced     $25,000 - $45,000      $40,000 - $75,000       $60,000 - $110,000
Platform-assisted    $10,000 - $20,000      $15,000 - $35,000       $25,000 - $50,000
                     (+ platform fee)       (+ platform fee)        (+ platform fee)

When to Use a Consultant

Micro/Small: DIY + Platform

Companies under 50 employees can often self-serve with a compliance platform, outsourcing only the internal audit (which must be independent anyway). Total: $10k-$25k.

Medium: Part-time Consultant

51-250 employees benefit from a consultant 1-2 days/week for 3-6 months. They guide the project while your team does the work. Total: $25k-$50k.

Large: Dedicated Consultant

251+ employees almost always need dedicated consultant support. Complex scope, multiple stakeholders, and extensive documentation justify the investment. Total: $40k-$75k+.

Common Mistakes That Increase Cost

Overscoping the ISMS
Impact: 20-40% higher audit cost.

Start with a focused scope (e.g. product engineering + cloud infrastructure) and expand later. Every department, site, and system in scope adds audit days, and scope can be extended at a later surveillance or recertification audit.

Starting Stage 2 too early
Impact: $2,000-$10,000 re-audit cost.

Stage 2 is the implementation audit that follows the Stage 1 documentation review. Do not schedule it until your internal audit is complete, its findings are closed or have an agreed corrective action, and all critical controls are operating. A failed Stage 2 is far more expensive than a delayed one.

Inadequate evidence collection
Impact: extended audit, more findings.

Start collecting evidence from day one of implementation: access reviews, change records, log samples, training records, incident tickets. Auditors want 3-6 months of operational evidence showing the controls actually run, not documents created the week before the audit.

Not involving senior management
Impact: major nonconformity against the management review requirement.

ISO 27001 requires demonstrated management commitment. Brief the CEO/CTO early, schedule management reviews, and ensure they understand their role, because auditors will interview them directly.

Treating it as an IT project
Impact: gaps in HR, legal, and physical security.

ISO 27001 covers organisational, people, physical, and technological controls. HR (training, joiner/mover/leaver processes), legal (supplier and customer contracts), and facilities (physical security) must all be involved; an IT-only project leaves these areas without owners or evidence.

Frequently Asked Questions

Can you do ISO 27001 without a consultant?

Yes, especially for micro and small companies with existing security knowledge. Use a compliance platform (Vanta, Sprinto, Drata) for templates and guidance, supplement it with the standard itself (purchase from iso.org or your national standards body), and outsource only the internal audit. Budget $5,000-$15,000 for a small-company DIY approach, mostly in staff time.

How long should ISO 27001 preparation take?

For an organisation starting from scratch: 6-18 months depending on size and approach. Small companies with platform assistance: 4-6 months. Medium companies with consultant: 6-12 months. Large companies: 9-18 months. The biggest variable is control implementation, which depends on how many new controls need building.

What is the cheapest way to prepare for ISO 27001?

DIY with platform assistance is the cheapest path for most SMBs. Use a compliance platform ($10k-$15k/year) for templates, automated evidence collection, and audit-readiness tracking, and outsource only the internal audit ($5k-$10k). Total preparation cost: $10k-$25k for a small company. This works best if you have at least one person with security and compliance experience who can own the ISMS day to day.