How much does it cost to establish and implement a management system and to get your organization certified by an accredited certification body?
The simple answer is that it can cost you anywhere from nearly nothing to lots and lots. In this post, I will try to explain the options that you have so you can choose an approach that will best suit your project’s budget.
Bear in mind, when planning the project budget, there will be some known costs that are reasonably predictable upfront (e.g. certification body, templates, training, consultant) and then there will be some additional costs that will likely come up as you move through each stage of the project (e.g. risk treatment and corrective actions).
I will be focusing mostly on the more knowable factors here, but depending on your current state (i.e. you’re already doing it or not already doing it) and the context of your organization (e.g. you’re a nuclear power station or you’re a small grocery shop) you should be able to put a reasonable estimate together for the unknowns too.
Anyhow, let’s try to answer the unanswerable question: how much does it cost to implement an ISO management system? We’ll start with certification itself, since, if you want to get your organization certified, then this is an unavoidable cost. Then, we’ll move on to the implementation costs, starting at the low budget end of the scale and adding some common options as we go.
The cost of accredited certification (also known as registration) is ongoing, and it starts with the initial certification audit. The certification audit is carried out in two stages; the first stage focuses on auditing the management system documentation and planning, while the second stage will focus on the implementation and effectiveness of the management system.
The stage one audit is typically conducted onsite in a day or two by the lead auditor. The stage two audit is always conducted onsite and its duration could be anywhere from a single day to weeks, either with a single or multiple auditors. The team size and duration of these audits depend on things such as the management system scope, number of employees, type of business, and the organization’s geographic set-up.
Clearly, the bulk of the cost here is in the number of auditors x the number of days. There are other associated costs, such as administrative fees, but these are small in comparison. Other large costs could be travel and accommodation if the auditor is coming from out of town.
It is also important to realize that the initial certification is not the end of the journey, it is the beginning, and surveillance audits will take place at least once every year to maintain the certification.
Expect to pay anywhere up to +/- $2,000 per audit day for a reputable audit company. For a small organization then, let’s say less than 50 persons, you’re likely talking about a 2-3 day certification audit and 1-day surveillance audit per year for ISO 9001 certification. That tallies up to somewhere around $10,000 for a three-year certification period.
Audit costs should be known quite early on. Once you have determined the scope of your management system and the associated staff numbers the certification body should be able to provide a quotation for the whole process. And don’t forget to shop around.
As you might imagine, correctly scoping your management system will be a key factor in managing costs.
DIY – Do It Yourself
On to the implementation side of things, obviously the cheapest way to go is the “do it yourself” approach. All very possible and a common approach in small companies. Buy a copy of the relevant standard, read it, and away you go!
It’s not rocket science and many companies do this. If you know nothing about these standards in the first place, however, then it will likely take a lot longer than it could or should, and in some cases may cost you more if you end up doing or implementing things that you don’t need to do or implement.
There’s also a higher likelihood of failing the initial certification audits, which will add to your total costs. But, in theory, this could cost you less than $200, plus the costs associated with the certification audit.
Where do I get that $200 figure from? At the very least, you must purchase a legal copy of the relevant standard!
In keeping with the low-cost approach, since all management systems require certain documentation, it is often a good idea to purchase some standardized templates for customization.
This can save a lot of time, effort, and also go a long way to help ensure that you are doing and documenting the important stuff. Template quality will vary and costs likely go from being free, up to the low $1,000s.
Once you purchase your templates you’ll have to spend time customizing them to fit with your own company practices.
However, without expert knowledge, this can still be a huge leap for the uninitiated and time-consuming, and you can still potentially fail an audit if something is wrong. Still, you’re now spending somewhere around $1,000 or less, plus the certification audit fees, and you will eventually get certified. It’s not a bad deal!
Adding to our budget approach, let’s consider training. Most companies who undertake a certification project will send key staff for “implementation” training, management and others will often undertake a shorter course at the “awareness” level, and then there is the more specific knowledge and skills of internal auditors who are sent on “internal auditor” or “lead auditor” courses. There are other types of training, but these three categories are pretty core to most implementation projects. As a generalization, all are necessary; however, none are explicitly required.
Clearly, costs associated with training have the potential to dramatically increase the budget, with publicly run commercial courses selling in the region of $700 – $3,500 per student. If you have a lot of staff to attend, it can be more cost effective to bring an instructor to do the courses in-house. Cheaper options could include instructor-led and non-instructor-led online training.
So, a generalized and minimal expectation for a reasonable sized project for training might be as follows:
- Project manager/lead implementer: 1 day awareness training course; 2-5 days implementer or lead implementer training; 2-3 day internal auditor course.
- Internal audit team of two members: 2 x 1 day awareness training course; 1 x 5 day lead auditor course with exam; 1 x 2-3 day internal auditor course.
- Top management and senior staff: 5 x 1 day or 1/2 day awareness course.
Total budget estimate for commercial public training: $12,000 – $15,000.
Note that many training companies will be able to offer in-house training, which with large numbers of attendees is often a cheaper option than public training.
Free or cheap online training courses could also be a good option for grasping the basics. And, plenty of books have also been written on the subject of implementing management systems and would be another, more affordable, option.
We’ve seen to this point that with a bit of effort and self-discipline your implementation and certification project can be achieved under your own steam and at a reasonable cost. However, for a first timer, it’s not always easy, so an additional cost that many organizations traditionally opt for is that of the consultant.
The idea of bringing in the consultant, at first suggestion, might appear to be an expensive option, but this is not necessarily so; though it will depend very much on what the consultant’s role will be and of course their pack numbers, as well as, and probably most importantly, their level of competence and experience.
Here are a couple of reasons why a well-selected consultant may be useful and could save you money:
- Experience and in-depth knowledge of the standards and requirements for certification and the audit process. A good project plan will be focused on completing all of the necessary steps to achieve your policy goals and certification; no less, and no more, unless you specifically require it. In comparison, many internal implementation projects often drag on for much longer than necessary, so projects last longer and could cost more.
- Consultants will often deliver most, if not all of the required training as a part of the implementation project. This means that typically more people will be trained for less cost.
- A knowledgeable consultant will be able to guide you with regard to any purchases, such as for equipment, hardware, software, facilities, etc. This is no small point. I have personally seen companies spend extortionate sums of money over and beyond what they should be spending based on a lack of understanding or worse, poor consulting advice! Most companies have everything they need; anything more is an improvement.
- As we have discussed, when it comes to the certification audit, a poorly defined management system scope could cost you dearly by potentially doubling or tripling your audit costs. A competent consultant should help to define a scope which includes everything as necessary, but not necessarily includes everything!
The cost of a consultant, like everything else, can vary exponentially. But to have an idea what we are talking about, there is the hourly or daily fee, x the number of consultants, + logistics, expenses, etc, etc, and consultants being consultants will often quote for as much as they can grab of your project, even offering to do all of the work for you (not a good idea!).
In my opinion, a good consultant will typically take on the role of a project manager, advisor or mentor, provide well considered guidance and direction, deliver all necessary training or recommend appropriate external training, plan and lead, or oversee the first internal audit, provide support and, most importantly, transfer knowledge throughout the project.
An average day rate could be anywhere between $600 and $2000+ per day, plus expenses, depending on their experience and whether or not they are independent or part of a large consulting firm. The big brand type consulting firms could be a lot higher. And of course, this all depends on many other factors, such as location in the world, consultant experience and competencies, and the standard you are implementing.
When it comes to choosing and using consultants, be aware that if their company is also in partnership with product companies, or if their company is selling its own products, then rather than being objective about purchases they will often push you towards their own “solutions” that may not be appropriate or necessary and substantially push up project costs.
And, since we are on the subject, be aware of and avoid any consultancy whose own company or any ‘sister’ company is the same body that will perform your certification audits, as you will not have an independent assessment; and an objective, independent, unbiased assessment is what you are actually paying for when it comes to external audit.
To put an estimate out there then, for the total consultancy cost based on my own projects and experience, time spent on a typical project has averaged between 20-40 actual consulting days (one consultant) for the entire project; that is from planning through to successful certification. Those days are typically spread over a 6-9 month project period, or less for very small companies or companies who are already in good shape.
Let’s estimate a total price range then of somewhere around $8,000 – $35,000 for our consultant on a small/medium sized project. Apparently more expensive than the DIY approach, although not necessarily so.
As mentioned previously I’ve seen companies who have spent more than $100,000++ on things that they would not have spent on given the proper advice! So a good consultant can potentially save you a significant amount of money.
One recent example that springs to mind, a company whom I had provided consultancy to was able to renegotiate the quotation from their certification body which resulted in reducing the number of audit man days down from 12 to just 5 days. That alone amounted to a saving of somewhere between $12-14,000 for the company.
Other Implementation Costs – The Unknown Factor
Depending on the management system you are implementing, be it ISO/IEC 27001 for information security, ISO 22301 for business continuity, or ISO 9001 for quality management, there may be additional costs that come up for things such as equipment, hardware, software, additional services, etc. These unknowns can be difficult to predict upfront and are likely the types of things that come up during the implementation process itself. For example, after having identified your risks and when planning risk treatments or corrective actions. Hence, it is certainly a good idea to set aside a budget to cover these additional costs whenever possible.
Once you have established your management system policy, scope, and objectives, and conducted a thorough gap analysis, potential costs will become a little more clear. In general, the more you can budget in, the better.
The reality is that you likely won’t need it all. Why? Well, these unpredictable costs often become evident at the point of the actual implementation, and the implementation of a management system is all about going about your everyday business and doing what you’ve said you are going to do. Translated, most organizations already have what they need to do business!
In most scenarios, it is unlikely to be the case that anything significant is missing from the mix; otherwise you likely would have gone out of business and closed down before reading this post anyway. So always keep the project objectives in mind when considering additional costs. This is probably true to a greater degree with successful, well-managed companies vs. those companies that are not so well managed or resourced. But as a generic statement to an internet audience of a couple of billion, it’s probably about right.
The point is, none of the standards actually require that you purchase anything. They simply tell you to spell out what you are trying to achieve and demand that you implement a management system in whatever form suits you, as long as it works and you can prove it. That means, you still call the shots! Standards do not require “perfection,” and it is time and money not well spent trying to achieve perfection when you first implement your management system. What is required is “continual improvement”, so you can consider a lot of your wants and desires as future improvement opportunities, i.e. as new projects – something to plan for and to implement as a next step.
In a nutshell, this is where a misinformed or misled organization will often spend a lot of time and even more money! The Annex A of ISO/IEC 27001 is a particular culprit when it comes to overspending in projects, where companies are doing a blanket implementation of all controls listed in the appendix as opposed to only implementing the controls that are necessary and in a way that is appropriate to the organization’s context, policy, objectives, and risk assessment findings.
So remember, management system standards specify requirements for good management practices, processes, and control; and not for expensive retina-scanning devices, remote hot-sites, or state of the art machinery. Keep this in mind and you’ll keep your costs low.
Budget under this topic will vary greatly of course, but a small/medium business might consider amounts in the range of $5,000 – $50,000. This is entirely speculative and is provided as a fair guess; in most cases, a small/medium size business will be able to complete the project and achieve certification with very little expenditure from this purse, but it is of course always a good idea for it to be there in case it is needed.
So in summary, it’s hard to say exactly how much it will cost, but I hope I’ve been able to point out some of the key expenses involved.
In most cases, you won’t really know what the full extent of the cost will be until you get started with some sort of gap analysis. Perhaps you already comply and just have to bring in the certification auditors!
As a last thought on costs, though – the major cost of implementing a management system is time, effort, and commitment. No consultant can do the work for you (the consultant doesn’t do your day job and the auditor doesn’t audit the consultant). Everyone in the company will likely be involved and if the organization’s top management isn’t on board and committed to making the change, it’ll never succeed regardless of whether you have the money or not.