It truly is an interesting time to be in Information Technology, especially on the information security front. Although hacks and breaches dominate the media, audit and controls run the IT hallways. This article is a random sampling of notes gathered on that topic as leaders work out what to measure and what not to measure.
“SOC2 audit is required to do business with us.” – Prospective Client
SOC2: https://www.aicpa.org/interestareas/frc/assuranceadvisoryservices/cpas.html
Not all auditors charge the same and, just like everything else, many times you get what you pay for. I’ve found that quality work and real consulting advice come at a higher price, so selecting the right auditor is a key success factor.
I found this article from Linford & Co, LLP, a CPA firm, about SOC 2 pricing:
Price estimates differ between firms as each will:
- Estimate the effort / cost required to do the work
- Have related overhead expenses allocated to the audit
- Require a certain level of profit from the engagement
Typically, our SOC 1 audits start at $17,500 and our SOC 2 audits start at $19,500 for small, non-complex organizations. And, since everyone needs one, we include a readiness or gap assessment as part of every first time SOC audit. These are starting points and the price of a specific SOC audit may go up or down as we customize proposals to our clients’ specific needs.
“ISO 27001 certification is required to do business with us.” – Prospective Client
ISO 27001: https://www.iso.org/isoiec-27001-information-security.html
Any idea how much an ISO 27001 certification costs? I found this breakdown in an article from Pivot Point Security:
- Precertification Phase I: $20,000 (e.g., Scope Definition, Risk Assessment, Risk Treatment Plan, Gap Assessment, Phase II Remediation Plan)
- Precertification Phase II: $18,000 (e.g., Gap closure (collaboratively), registrar selection, ISMS Artifact development, Risk Management Committee, Incident Response, Internal ISMS Audit, On-site Certification Audit Support)
- Certification Audit: $10,000
- Total cost for ISO 27001 certificate: $48,000
Once you have your certificate you will require a “surveillance” audit in years 2 and 3 to maintain your certificate. You will also need to conduct an Internal ISMS Audit each year – which the “average” company usually outsources to a third party. So figure your year 2 and year 3 costs are likely to be as follows:
- Surveillance Audit: $7,500
- Internal ISMS Audit: $7,000
“COBIT as an emphasis for IT governance, control, and risk management” – Prospective Customer
COBIT: http://www.isaca.org/Knowledge-Center/COBIT/Pages/Overview.aspx
\\ JMM