ISO27001:2022
Information Security Management Systems
Who should aim for an ISO27001 certification, what are the benefits & how Rheintec supports you
Who should get ISO27001 certified and why?
In general, any organization that handles sensitive customer information or confidential data, such as intellectual property (including source code or product designs), medical information, or any data whose theft or unintentional disclosure could have a devastating impact on the company or cause severe reputational damage, should aim for an ISO27001:2022 certification.
Benefits of an ISO27001 Certification
The ISO27001:2022 Standard is an internationally recognized standard. There is no legal requirement to fulfill ISO27001 requirements, but the certificate provides your business with an independent attestation that your organization adheres to rigorous information security controls and measures, and therefore that cybersecurity best practices are implemented and customer data and sensitive information are consistently protected.
The ISO27001 certificate fosters trust in your organization among existing and potential new customers, provides a potential competitive edge and can act as a door opener for new business. Many large enterprises in market segments such as pharmaceuticals, medical devices, finance and insurance may require ISO27001 certification from their vendors before engaging in business.
Furthermore, companies strengthen their overall security posture by adhering to and consistently executing the controls defined and outlined by the ISO27001 Standard. A well-established ISMS provides the means for proper reporting to management, enabling your organization to address potential issues proactively, which contributes significantly to proper prioritization and allocation of resources where it matters.
Implementing a risk-based approach is a key driver of higher efficiency: it focuses effort on high-risk areas rather than wasting resources where only minimal security gains can be achieved at high expense.
How Rheintec supports your organization
Rheintec applies an integrated approach to establishing Information Security Management Systems (ISMS). With our proven track record, we provide hands-on consulting services to support and guide you through the process.
Our goal is to embed the ISMS in your existing business processes, thereby increasing adoption of ISO27001-governed practices and controls across your whole organization and all employees.
Roadmap to ISO27001:2022 Compliance

What happens after the ISMS is implemented?
After successfully implementing the Information Security Management System (ISMS), Rheintec recommends conducting an internal audit, as outlined in the roadmap, to review the ISMS and overall compliance status. This proactive approach helps prevent unexpected issues or major non-conformities during the certification process.
If the audit confirms that the company's management system has achieved the required maturity level and compliance with ISO 27001 standards, the next step is scheduling the official certification audit with a notified body. To streamline the process, it is advisable to contact a certification body 1–2 months in advance.
Various certification bodies are available, including TÜV, SQS, and Cert-X. Rheintec will coordinate with the selected body to schedule the audit and provide guidance throughout the process.
It is important to note that Rheintec does not conduct certification audits directly. This is to avoid conflicts of interest, as a service provider involved in establishing an ISMS cannot certify the same system.
Costs of an ISO27001 Certification
The overall costs of an ISO27001:2022 certification may vary based on the following factors:
- Size of the organization
- Scope & complexity of the business
- Current status of the ISMS
- Available know-how & resources
As a general rule, the bigger and more complex the organization, the higher the expected costs, since more effort is required to implement all the controls and processes. If, for example, several business locations exist, this increases the effort required by the notified body (certification body) to perform the stage I and II audits and therefore also drives costs.
Another important factor is the existing know-how in the company and the processes and documentation already in place. The more processes and associated operating procedures the organization has already established, the lower the effort to fully implement a functioning ISMS.
For a company of around 20 - 50 employees the costs could be estimated as follows:
- Gap assessment & consulting for implementation of the ISMS: between 10'000.- and 20'000.-
- Initial certification by the notified body: between 6'000.- and 10'000.-
As the ISO27001:2022 Certificate remains valid for 3 years, the notified body will carry out surveillance audits in the intervening years. The costs for these are lower than for the initial certification but should also be budgeted for by the business. They can be estimated as follows:
- Surveillance audit: between 4'000.- and 6'000.-
Furthermore, the organization needs to provide the resources required to continuously maintain the ISMS; a rough estimate is around 20% of a full-time equivalent, which may of course vary significantly based on the size and scope of the organization.
The estimates stated here do not represent binding offers and may vary significantly based on the factors outlined above.
Why partner with Rheintec for your ISO27001 Certification?
Constraints of other consulting organizations:
- focus solely on guidance and compliance
- offer a fixed price (e.g. 10'000.-) but then deliver only templates and a portion of the technical writing
- sell ISMS tools but do not provide the hands-on support required to achieve a well-established, functioning ISMS and its benefits
- apply a standardized approach that is not tailored to your organization, creating high costs for gap assessments that are not necessarily needed
Your benefits in partnering with Rheintec:
- Our focus goes well beyond compliance: if technical measures are required, our security engineers support you throughout the implementation
- We tailor our approach to your needs and current ISMS status. If an organization is at the starting point of the implementation, we suggest skipping the gap assessment and moving straight to establishing your ISMS; this saves costs and speeds up the implementation
- A risk-based and hands-on approach forms an integral part of our principles. Achieving a zero-risk status is impossible, and achieving 99% compliance is extremely resource intensive. We focus on high-risk areas and drive effective risk mitigation
Interested in establishing an Information Security Management System or increasing your security posture?
Schedule a free meeting with one of our consultants to discover what best fits your business needs.