Independent cost guide. Not affiliated with any certification body or compliance platform. Estimates based on published rates and practitioner experience. Always obtain a formal quote.

ISO 27001 Surveillance and Recertification Cost

The certificate is just the start. Maintaining ISO 27001 requires annual surveillance audits, a recertification every 3 years, and ongoing ISMS maintenance. Here is the total cost of ownership.

Updated April 2026

The 3-Year Certification Cycle

Year 1: Initial Certification (100% of total cost)
Gap analysis, ISMS build, controls implementation, Stage 1 + Stage 2 audit. This is the big investment year.

Year 2: First Surveillance (25-35% of Year 1)
Surveillance audit (30-40% of cert fee), platform subscription, pen test, internal audit, continuous improvement.

Year 3: Recertification (40-55% of Year 1)
Full recertification audit (similar to initial cert fee), plus platform, pen test, and maintenance costs.

3-Year Total Cost of Ownership

| Company Size      | Year 1 (Cert)  | Year 2 (Surv) | Year 3 (Recert) | 3-Year Total   |
|-------------------|----------------|---------------|-----------------|----------------|
| Micro (1-10)      | $10K-$25K      | $5K-$10K      | $8K-$15K        | $23K-$50K      |
| Small (11-50)     | $15K-$50K      | $8K-$18K      | $12K-$28K       | $35K-$96K      |
| Medium (51-250)   | $50K-$150K     | $20K-$50K     | $30K-$75K       | $100K-$275K    |
| Large (251-1K)    | $150K-$350K    | $50K-$110K    | $75K-$175K      | $275K-$635K    |
| Enterprise (1K+)  | $250K-$500K+   | $75K-$175K    | $120K-$275K     | $445K-$950K+   |

Annual Maintenance Costs Beyond Audits

| Cost Item                    | Small (11-50) | Medium (51-250) | Large (251-1K) |
|------------------------------|---------------|-----------------|----------------|
| Surveillance audit           | $3K-$6K       | $6K-$15K        | $10K-$25K      |
| Compliance platform          | $7.5K-$20K    | $15K-$40K       | $25K-$60K      |
| Penetration testing          | $3K-$8K       | $5K-$12K        | $8K-$20K       |
| Internal audit (outsourced)  | $3K-$6K       | $5K-$10K        | $8K-$15K       |
| Awareness training           | $1K-$3K       | $2K-$5K         | $5K-$15K       |
| Internal resource time       | $5K-$12K      | $10K-$25K       | $20K-$50K      |
| Management review            | $500-$1K      | $1K-$2K         | $2K-$5K        |

How to Reduce Ongoing Costs

  • Automate evidence collection. A compliance platform that continuously collects evidence reduces audit preparation from 80+ hours to 10-20 hours per surveillance cycle.
  • Train internal auditors. A 5-day ISO 27001 Internal Auditor course ($2,000-$5,000) pays for itself by eliminating the need to outsource internal audits ($5,000-$15,000/year).
  • Integrate with other audits. If you also hold SOC 2 or ISO 9001, combine surveillance audits to share preparation effort and reduce total audit days.
  • Maintain continuously. Organisations that update their ISMS quarterly spend 40% less on audit preparation than those that sprint before each surveillance audit.
  • Negotiate multi-year CB contracts. Committing to 3 years of surveillance with one CB typically saves 10-15% on per-audit pricing.

Frequently Asked Questions

How much does an ISO 27001 surveillance audit cost?
Surveillance audits cost 30-40% of the initial certification audit fee. For a medium organisation that paid $18,000 for Stage 1 + Stage 2, the annual surveillance audit costs approximately $5,400-$7,200. There are two surveillance audits in a 3-year cycle (Year 1 and Year 2 after initial certification).

What happens if you fail a surveillance audit?
Minor non-conformances get 90 days to resolve with evidence submitted to the auditor. Major non-conformances trigger a follow-up audit (additional cost of $2,000-$5,000 per day). If non-conformances are not resolved within the timeframe, the certification body can suspend or withdraw your certificate. Suspension is typically 6 months; failure to resolve during suspension leads to withdrawal.

Is recertification cheaper than initial certification?
Recertification audit fees are similar to initial certification (sometimes 5-10% less as the CB is already familiar with your organisation). However, total recertification cost is lower because you do not need to rebuild the ISMS from scratch. The main costs are audit fees, internal preparation time, and any gap remediation since the last surveillance audit.

Can I reduce ongoing ISO 27001 costs?
Yes. Key strategies: (1) Automate evidence collection with a compliance platform. (2) Train internal auditors to reduce outsourced audit costs. (3) Integrate ISO 27001 surveillance with other audits (SOC 2, ISO 9001) for efficiency. (4) Maintain the ISMS continuously rather than doing a sprint before each audit. (5) Negotiate multi-year pricing with your certification body.