ISO 27001 Audit Cost - Certification Body Fees Explained
Certification body fees account for 25-35% of your total ISO 27001 budget. Here is how they calculate audit days, what the major CBs charge, and how to get the best quote for your organisation.
Updated April 2026
Audit Days by Company Size (IAF MD 5 Guidelines)
The International Accreditation Forum (IAF) publishes Mandatory Document 5 which sets minimum audit day guidelines based on effective headcount. Certification bodies may add days for complexity, multiple locations, or sector-specific requirements.
| Employees (EHC) | Stage 1 Days | Stage 2 Days | Total Days | Estimated Fee (US) |
|---|---|---|---|---|
| 1-10 | 1 | 3-4 | 4-5 | $5,000-$8,000 |
| 11-25 | 1-2 | 4-5 | 5-7 | $7,000-$12,000 |
| 26-45 | 2 | 5-6 | 7-8 | $9,000-$15,000 |
| 46-65 | 2 | 6-8 | 8-10 | $12,000-$20,000 |
| 66-125 | 2-3 | 7-10 | 9-13 | $14,000-$28,000 |
| 126-175 | 3 | 8-12 | 11-15 | $17,000-$32,000 |
| 176-275 | 3-4 | 10-14 | 13-18 | $20,000-$40,000 |
| 276-425 | 4 | 12-16 | 16-20 | $25,000-$45,000 |
| 426-625 | 4-5 | 14-18 | 18-23 | $28,000-$52,000 |
| 626-875 | 5 | 16-20 | 21-25 | $33,000-$58,000 |
| 876-1,175 | 5-6 | 18-22 | 23-28 | $36,000-$65,000 |
| 1,176+ | 6+ | 20+ | 26+ | $40,000-$75,000+ |
Fees estimated at $1,400-$2,500/day (US rates). Multi-site organisations: add 0.5-1 day per additional location for sampling. EHC = Effective Headcount (full-time equivalents in scope).
Certification Body Comparison
All listed CBs are accredited (UKAS, ANAB, or equivalent national body). Pricing is indicative and varies by region, scope, and negotiation.
| Certification Body | Day Rate (US) | Day Rate (UK) | Reputation | Best For |
|---|---|---|---|---|
| BSI | $2,000-$2,500 | GBP 1,200-1,800 | Premium | Enterprise, government, finance |
| Bureau Veritas | $1,800-$2,400 | GBP 1,100-1,600 | Premium | Multi-national, manufacturing |
| LRQA | $1,800-$2,300 | GBP 1,100-1,500 | Premium | Maritime, energy, technology |
| DNV | $1,700-$2,200 | GBP 1,000-1,500 | Strong | Manufacturing, energy, automotive |
| TUV | $1,700-$2,200 | GBP 1,000-1,500 | Strong | German/European market |
| Intertek | $1,600-$2,100 | GBP 1,000-1,400 | Strong | Consumer goods, retail, tech |
| SGS | $1,600-$2,100 | GBP 1,000-1,400 | Strong | Agriculture, food, supply chain |
| NQA | $1,400-$1,800 | GBP 800-1,200 | Good | SMEs, cost-conscious organisations |
| Alcumus | - | GBP 800-1,100 | Good | UK SMEs, construction, property |
Stage 1 vs Stage 2 Cost Split
Stage 1: Documentation Review
20-25% of audit fee
- 1-3 days (can be remote)
- Reviews ISMS documentation, SoA, risk assessment
- Identifies readiness gaps before Stage 2
- Typically 4-8 weeks before Stage 2
Stage 2: Implementation Audit
75-80% of audit fee
- 3-15+ days (mostly on-site)
- Interviews staff across departments
- Reviews evidence of control effectiveness
- Certificate issued if no major non-conformances
Hidden Audit Costs to Budget For
- Auditor travel and accommodation: $500-$3,000 per visit if the CB is not local. Remote audits (permitted post-COVID) eliminate this but some CBs charge a premium for remote delivery.
- Evidence preparation time: 40-80 hours of internal time gathering screenshots, logs, policy versions, and interview preparation. Often underestimated by 50%.
- Non-conformance remediation: If Stage 1 surfaces major gaps, expect 4-8 weeks delay and $5,000-$15,000 in remediation costs before Stage 2.
- Additional audit days: If the CB determines your organisation is more complex than initially quoted, they may add audit days at the quoted day rate.
- Re-audit costs: Major non-conformances in Stage 2 require a follow-up audit ($2,000-$5,000 per day) to verify remediation.
See the full hidden costs guide for expenses beyond audit fees.
How to Get the Best Audit Quote
- Get at least 3 quotes. Contact BSI, one mid-tier CB, and one smaller accredited CB. Prices vary 30-40% for the same scope.
- Define your scope clearly before requesting quotes. Ambiguous scope leads to inflated estimates. Provide: employee count, locations, services in scope, existing certifications.
- Ask for a fixed-price quote. Some CBs quote day rates with "estimated" days that can increase. A fixed price protects your budget.
- Negotiate multi-year contracts. Committing to 3-year surveillance can reduce per-audit pricing by 10-15%.
- Check auditor industry experience. An auditor who understands your sector will be more efficient, reducing additional day requests.
- Ask about remote audit options. Remote Stage 1 is now standard and saves travel costs. Some CBs offer hybrid Stage 2 (partly remote).
Frequently Asked Questions
How are ISO 27001 audit fees calculated?
Certification bodies calculate audit fees using the IAF MD 5 formula: number of audit days multiplied by the auditor day rate. Audit days are determined by your effective headcount (full-time equivalent employees in scope), number of locations, sector complexity, and whether you have an Integrated Management System. The certification body applies their specific day rate ($1,400-$2,500/day in the US).
What is the difference between Stage 1 and Stage 2 audit costs?
Stage 1 is a documentation review taking 1-3 days (20-25% of total audit time). Stage 2 is the full implementation audit taking 3-15+ days (75-80% of total audit time). For a company requiring 10 total audit days, Stage 1 would be approximately 2 days ($3,000-$5,000) and Stage 2 would be approximately 8 days ($12,000-$20,000).
Which certification body is cheapest?
Smaller accredited certification bodies (NQA, Alcumus, QMS International) typically offer 15-25% lower rates than premium brands (BSI, Bureau Veritas, LRQA). However, the cheapest option is not always the best value. Consider the auditor's industry experience, the CB's reputation with your customers, and availability. Some enterprise customers specifically require BSI or Bureau Veritas certification.
Can I switch certification bodies at recertification?
Yes, you can switch at any point but it is most cost-effective at the 3-year recertification. The new CB will conduct a transfer audit that covers their Stage 1 review plus verification of your existing certificate. Transfer audits typically cost 10-20% more than a standard surveillance audit but significantly less than a full initial certification.