
ISO 27001 certification in Belgium: cost, route and NIS2 link

What does ISO 27001 certification cost in Belgium? Discover the full process, the cost estimate for SMEs and the link to NIS2 and CyberFundamentals.
[Image: three professionals confer at a wooden table in an office overlooking a Flemish city; one of them holds a document with a gold seal, symbolizing a successful ISO 27001 certification and NIS2 compliance.]

TL;DR

ISO 27001 certification costs a Belgian SME on average between €15,000 and €50,000, depending on company size and existing security level. The process typically takes 6 to 14 months. Under the Belgian NIS2 law, ISO 27001 is one of three recognized routes for conformity assessment, alongside CyberFundamentals (CyFun) and a CCB inspection. Flemish SMEs can receive up to a 45% subsidy on cybersecurity advice around ISO 27001 through the VLAIO SME portfolio.

More and more Belgian companies are being asked by customers, partners or insurers, “Are you ISO 27001 certified?” At the same time, the NIS2 law is forcing thousands of organizations to demonstrably get their cybersecurity in order, with a first deadline on April 18, 2026. The result: ISO 27001 is high on the agenda of many SMEs, but the practical questions often remain unanswered. What does it cost? How long does it take? And is it actually the best route for your company?

This article will give you a clear overview of the full ISO 27001 process in the Belgian context, including a realistic cost estimate, the comparison with CyberFundamentals and the subsidies available.

What is ISO 27001 and why is it relevant to Belgian SMEs?

ISO 27001 is the international standard for establishing, implementing and continuously improving an Information Security Management System (ISMS). The certification proves that your organization addresses information security structurally: from risk analysis and policy documentation to technical measures and employee awareness.

For Belgian SMEs, ISO 27001 is more topical than ever for three reasons. First, more and more large clients and government agencies are requiring the certificate as a condition of tenders and supplier selection. Second, the Belgian NIS2 law recognizes ISO 27001 as one of the three valid routes for conformity assessment. And third, the certificate provides an internationally recognized seal of approval, whereas the Belgian CyberFundamentals framework is primarily deployed nationally.

The version in use today is ISO/IEC 27001:2022, which has been updated for current cyber threats and aligns with other management system standards such as ISO 9001.

What does ISO 27001 certification cost for an SME?

The total investment for ISO 27001 certification depends on three factors: your company size, the complexity of your IT environment and your current level of security. Organizations that already have some security maturity save significantly on implementation time.

Cost structure in three components

1. Implementation costs (setting up the ISMS)

This is usually the biggest cost. You identify risks, establish policies, implement technical and organizational measures and train employees. Many SMEs engage an outside consultant for this.

  • Small organizations (up to 50 employees): €8,000 to €15,000 in consulting
  • Medium-sized organizations (50-250 employees): €15,000 to €25,000 in consultancy
  • Internal time investment: 200 to 800 hours, depending on company size

2. Certification audit (external audit by an accredited body)

The audit is in two phases. Phase 1 assesses the documentation and design of the ISMS. Phase 2 tests the actual implementation.

  • Small organizations: €5,000 to €10,000 for initial certification
  • Medium-sized organizations: €10,000 to €20,000
  • In Belgium, Brand Compliance (BELAC-accredited), DEKRA and Bureau Veritas, among others, are active as certification bodies

3. Ongoing costs (maintenance after certification)

The ISO 27001 certificate is valid for three years. A surveillance audit follows annually, and a full recertification after three years.

  • Annual surveillance audit: 30 to 50% of initial audit cost
  • ISMS maintenance: internal audits, risk reassessment, policy updates, awareness trainings

Total overview of ISO 27001 costs

Cost item | Small SME (up to 50 FTE) | Medium-sized SME (50-250 FTE)
Consultancy/implementation | €8,000 – €15,000 | €15,000 – €25,000
Technical modifications | €4,000 – €9,000 | €10,000 – €25,000
Certification audit (phase 1 + 2) | €5,000 – €10,000 | €10,000 – €20,000
Total first year | €15,000 – €30,000 | €30,000 – €60,000
Annual cost (years 2-3) | €3,000 – €6,000 | €5,000 – €12,000

An organization that already has an ISO 9001 management system can save 30 to 50 percent on implementation costs thanks to the shared High Level Structure (HLS) of both standards.

How long does an ISO 27001 process take?

The average certification process for a Belgian SME takes 6 to 14 months, from the initial gap analysis to receiving the certificate. The lead time strongly depends on your starting position.

Typical phasing

Phase | Duration | What happens
Gap analysis | 2-4 weeks | Map the current situation, determine the distance to the standard
ISMS set-up | 2-4 months | Prepare risk analysis, policies and procedures, Statement of Applicability (SoA)
Implementation | 2-4 months | Implement technical measures, train employees, set up processes
Internal audit | 2-4 weeks | Verify that the system works as described
Management review | 1-2 weeks | Management reviews the results and approves the ISMS
External audit phase 1 | 1-2 days | Documentation review by the certification body
External audit phase 2 | 2-5 days | On-site implementation audit
Certification | 2-4 weeks | Processing and issuance of the certificate

Organizations already working with a framework such as CyberFundamentals or NIST CSF typically have a shorter turnaround time because some of the documentation and risk analysis already exists.

Important note for NIS2 entities: essential entities choosing ISO 27001 as their NIS2 compliance route must submit their ISMS scope and Statement of Applicability (SoA) to the CCB by April 18, 2026. Full ISO 27001 certification must be completed within 30 months of the NIS2 law coming into effect. Organizations that have not started yet therefore have little time to waste.

ISO 27001 vs CyberFundamentals: which framework fits your company?

This is the question on the minds of many Belgian companies. Under the NIS2 law, essential entities have three options for conformity assessment: CyberFundamentals (CyFun) certification or verification, ISO 27001 certification, or an inspection by the CCB Inspection Service. Both frameworks are valid routes, but they differ fundamentally in design and scope.

Comparison chart: ISO 27001 vs CyFun

Criterion | ISO 27001 | CyberFundamentals (CyFun)
Scope | Internationally recognized | Belgian national framework
Basis | ISO/IEC standard | Based on NIST CSF 2.0, ISO 27001, CIS Controls, IEC 62443
Structure | One uniform standard with Annex A measures | Four levels: Small, Basic, Important, Essential
Suitable for | Companies with international customers, tenders or supply chains | Companies with mainly national activities
NIS2 compliance | Yes, with additional SoA mapping to the CyFun level | Yes, designed directly for NIS2 compliance
Lead time | 6-14 months | 3-8 months (depending on level)
Cost | €15,000 – €60,000+ | Lower entry level, especially for Basic and Important
Internationally recognized | Yes | No (national label)
OT coverage | Via Annex A measures | Explicit, through IEC 62443 integration

When do you choose ISO 27001?

ISO 27001 is the better choice if your company serves international customers who require a recognized certificate, if you participate in tenders where ISO 27001 is a requirement, or if you operate in industries where the certificate has become standard (software, SaaS, financial services).

When do you choose CyberFundamentals?

CyFun is often the more pragmatic route for SMEs operating primarily in Belgium. The framework is specifically designed for the Belgian market, the entry threshold is lower at Basic and Important levels, and it aligns seamlessly with NIS2 legislation. Moreover, an ISO 27001 certification also allows you to apply for a CyFun label, provided your Statement of Applicability covers the required CyFun measures.

Combination is possible

An interesting option that the CCB explicitly provides: organizations with ISO 27001 certification can also apply for a CyFun label on that basis. The certification authority of the CCB (NCCA) then checks whether the SoA covers the required CyFun level. In this way, you combine international recognition with Belgian NIS2 compliance.

The NIS2 link: ISO 27001 as a compliance pathway

The Belgian NIS2 law (Law of April 26, 2024) requires essential and important entities to implement demonstrable cybersecurity measures. Essential entities are subject to a mandatory periodic conformity assessment by an accredited Conformity Assessment Body (CAB).

Deadlines for essential entities

  • April 18, 2026: Submit ISMS scope and Statement of Applicability (SoA) to the CCB, or a CyFun Self Assessment at Basic or Important level
  • April 18, 2027: Submit progress report
  • Within 30 months: Complete ISO 27001 certification or complete CyFun certification

Specifically, what does this mean?

If your organization is identified as a key entity and you choose to go the ISO 27001 route, you must submit your scope and SoA to the CCB by April 18, 2026. The SoA must include measures that are at least equivalent to the applicable CyFun level. The CCB will assess whether your SoA contains the appropriate CyFun equivalent measures, with particular attention to the key measures defined by the CCB based on current attack patterns in Belgium.

Important entities fall under a lighter supervision regime (only ex post, after an incident or based on signals), but must also implement appropriate measures. For them, CyFun verification at Basic or Important level is often the most proportional route.

VLAIO subsidies: up to 45% back on your investment

Flemish SMEs investing in ISO 27001 can take advantage of two VLAIO grant programs that significantly lower the financial threshold.

SME portfolio (cybersecurity consulting)

Since February 1, 2026, the SME portfolio has been reserved exclusively for cybersecurity advice. This means that advice around ISO 27001 implementation and gap analyses is eligible for funding.

  • Small businesses: 45% subsidy
  • Medium-sized enterprises: 35% subsidy
  • Maximum €7,500 support per year

Cybersecurity improvement projects

VLAIO also subsidizes broader cybersecurity improvement pathways through approved service providers, with 50% intervention for SMEs. These pathways include analysis, action plan and guidance on resolving security issues.

  • Three packages: START (€7,100 – €11,900), MEDIUM (€16,600 – €28,600), PLUS (€26,500 – €39,900)
  • Grant: 50% for SMEs, 35% for non-SMEs covered by NIS2
  • 19 recognized service providers available

Calculation example

A medium-sized SME invests €40,000 in ISO 27001 certification (consultancy + audit + technical modifications). Through the SME portfolio, the consultancy part (say €15,000) can be subsidized at 35%, which amounts to €5,250 back. In addition, a cybersecurity improvement project (MEDIUM package) can provide a further 50% subsidy on €20,000: €10,000 back. The net investment thus drops from €40,000 to about €25,000.

The ISO 27001 journey in 6 steps

Below is a practical roadmap for a Belgian SME wanting to get started with ISO 27001.

Step 1: Perform a gap analysis

Map your current security level and measure its distance from the ISO 27001 requirements. Many organizations engage an external partner for an objective assessment here. This provides a concrete action plan with priorities.

Step 2: Set up and document the ISMS

Define the scope of your ISMS, conduct a risk analysis and prepare your Statement of Applicability (SoA). This document describes which Annex A measures you are implementing and why. In addition, draft information security policies and the associated procedures.

Step 3: Implement measures

Implement the technical and organizational measures: access management, log management, encryption, incident response plans, vendor management and employee awareness training.

Step 4: Internal audit and management review

Conduct an internal audit to verify that the ISMS is working as described. Present the results to management in a management review. Take corrective action as needed.

Step 5: External certification audit

Contact an accredited certification body (in Belgium, e.g. Brand Compliance with BELAC accreditation, DEKRA or Bureau Veritas). The auditor will assess your documentation in phase 1 and the practical implementation in phase 2.

Step 6: Obtain and maintain certification

After a successful audit, you receive the ISO 27001 certificate, valid for three years. A surveillance audit follows annually, and a full recertification after three years. The ISMS is a living system that is continuously adjusted.

Frequently asked questions about ISO 27001 certification

What does ISO 27001 certification cost for an SME?

Total costs range from €15,000 to €60,000, depending on company size and complexity. Small organizations (up to 50 employees) pay €15,000 to €30,000. Medium-sized companies (50-250 employees) come out at €30,000 to €60,000. Through VLAIO grants, you can recover up to 45% of consulting costs.

How long does an ISO 27001 process take?

A typical certification process for an SME takes 6 to 14 months from gap analysis to certification. Organizations already working with CyberFundamentals, NIST CSF or an ISO 9001 management system can certify faster due to existing documentation and processes.

What is the difference between ISO 27001 and CyberFundamentals?

ISO 27001 is an internationally recognized standard for information security, while CyberFundamentals is a Belgian national framework developed by the CCB. Both are valid routes for NIS2 compliance assessment. ISO 27001 offers international recognition; CyFun has a lower entry threshold and is specifically tailored to the Belgian market.

Is ISO 27001 mandatory under NIS2?

ISO 27001 is not mandatory, but it is one of three recognized options for NIS2 compliance assessment in Belgium. Essential entities can choose from CyFun certification, ISO 27001 certification or a CCB inspection. Important: the SoA must cover the applicable CyFun level.

Can I get VLAIO funding for ISO 27001?

Yes. Through the SME portfolio, you can receive up to 45% (small enterprises) or 35% (medium-sized enterprises) subsidies on cybersecurity advice, including ISO 27001 guidance. In addition, VLAIO subsidizes cybersecurity improvement projects for 50% of the costs with approved service providers.

Conclusion: ISO 27001 as a strategic investment

ISO 27001 certification is more than a compliance checkbox. It is a structural investment in your organization’s security, credibility and commercial strength. With the NIS2 deadline of April 2026 in sight and growing pressure from customers and partners, now is the time to start the process.

The costs are real, but thanks to VLAIO subsidies, the threshold for Flemish SMEs is significantly lowered. And whether you choose ISO 27001, CyberFundamentals or a combination of both: the important thing is that you start today.

Want to know if ISO 27001 or CyberFundamentals is the best fit for your company? Schedule a free orientation meeting with Cyberplan and find out which route is most efficient for your situation. Cyberplan supports you with technical gap analysis, pentesting, security awareness training and compliance guidance, all under one roof. Through the VLAIO SME portfolio, you can get up to 45% subsidy on this advice.