u/BuffaloExternal6226

Hi everyone,

I run a small IT MSP company and I’m looking to achieve ISO 27001 certification.

In the Netherlands, there are agencies that support companies through the certification process, but the costs I’ve seen are quite high: around €25,000 to €30,000 for a six-month project, including the external audit.

I’m trying to understand how much of the preparation work I can realistically do myself before involving a consultant or certification body, so I can keep the overall cost as low as possible.

For context, I want to become certified so I can demonstrate to customers that my company has a proper ISMS in place and handles customer data in line with ISO 27001 requirements.

For those who have gone through this process, what would you recommend as a practical roadmap? Which parts are worth doing yourself, and where is it better not to cut corners?

Any advice, lessons learned, templates, tooling recommendations, or cost-saving tips would be greatly appreciated.

Kind regards

For my IT MSP company, I want to obtain ISO 27001 certification. In the Netherlands, there are usually agencies that help companies achieve these certifications, but they are extremely expensive, or perhaps I am not assessing their value correctly. They charge between €25,000 and €30,000 for a six-month process, including obtaining the certificate through an external audit.

I can do a lot of the preparation myself so that I do not have to pay the full amount. What can I do, and what should my roadmap be, to minimize the costs as much as possible?

I want to obtain the certification so that my company has it and I can show my customers that I am ISO 27001 certified and that I handle my customers’ data in accordance with ISO 27001.

I hope you can help me.

Kind regards,