"How much does ISO 9001 cost?" is the first question asked by almost every managing director or quality manager when their company decides to pursue certification. The honest answer is that there is no fixed fee: the final cost depends on at least five different variables, which we explain in this article with real data from the Spanish market for 2025-2026. What we can guarantee is that, with the right guidance, the project is profitable even for SMEs with 10-50 employees.
The Three Main Cost Blocks of ISO 9001
Before looking at figures, it is worth distinguishing the three components that make up the total outlay. Mixing them up is the most common mistake when requesting a quote.
1. Implementation Consultancy Fees
A specialist ISO 9001 consultancy designs the quality management system, documents the processes, trains the teams and supports the company up to the external audit. This block tends to be the most variable: it depends on the complexity of the organisation, the number of processes to document and the company's starting point (whether it already has internal documentation or is starting from scratch).
In the Spanish market, the typical ranges in 2025-2026 for this component are:
| Company size | Consultancy fees (indicative range) | Average project duration |
|---|---|---|
| Micro-enterprise (1-9 employees) | €1,800 – €4,000 | 3-5 months |
| Small company (10-49 employees) | €4,000 – €9,000 | 5-8 months |
| Medium-sized company (50-250 employees) | €9,000 – €20,000 | 8-14 months |
| Large company / multi-site | €20,000 and above | 12-18 months |
Important note: these ranges are indicative market figures and do not represent Summum Marketing's rates, which are quoted on a personalised basis for each project.
2. Certification Body Fees
The ISO 9001 certificate is issued by a certification body accredited by ENAC (in Spain) or by an IAF member body at European level: AENOR, Bureau Veritas, SGS, TÜV, Lloyd's Register, DNV, among others. Summum, as a consultancy, supports the implementation; the certificate is always issued by an accredited third party.
The certifier's fees depend on the number of employees and the scope of the system. In general terms:
- Initial certification audit (stage 1 + stage 2): between €1,200 and €4,500 for SMEs.
- Annual surveillance audits: between €800 and €2,500 per visit.
- Recertification audit (every 3 years): similar to the initial audit, or slightly lower.
The reference standard is ISO/IEC 17021-1:2015, which sets out the requirements for bodies that audit and certify management systems. The minimum audit times are set by IAF MD 5 (IAF standard application document), calculated according to the number of full-time employees.
3. Internal Company Costs
The third block is the least visible but no less real: the time that the company's own employees devote to the project. An internal quality manager can spend between 4 and 20 hours per week during implementation, depending on the level of existing documentation maturity. Calculating this opportunity cost helps to justify the investment internally and to correctly size the workload.
Factors That Increase or Reduce the Project Cost
Knowing the cost drivers allows decisions to be made before requesting a quote. These are the five factors with the greatest impact:
Complexity and Number of Processes
A professional services firm with 15 employees and three main processes (sales, delivery, support) is much more straightforward to certify than an industrial SME with 40 employees, several production lines, subcontracting and critical supplier management. The ISO 9001:2015 standard requires a risk-based approach for all processes that affect product or service conformity, so the greater the complexity, the greater the documentation and audit effort.
Existing Documentation Baseline
Companies that already have written procedures, incident records or have carried out previous internal audits significantly reduce the consultancy time required. Starting from scratch, on the other hand, means documenting everything from the organisational chart to supplier evaluation criteria, adding weeks to the project.
Number of Sites or Premises
When the certification scope includes more than one workplace, the certification body applies the sampling formula in IAF MD 1 to calculate the additional audit days per site. Each additional location adds between 0.5 and 1.5 audit days.
Sector and Type of Activity
Some sectors have specific guidelines that complement ISO 9001:2015 and add requirements: the automotive sector uses IATF 16949 as an extension; the food sector adds food safety requirements. When the scope covers highly regulated activities, the consultancy must be familiar with those particularities, which may increase the project cost.
Consultancy Modality (On-Site vs. Remote)
100% remote consultancy is viable for many projects, especially in service companies. It eliminates travel and can reduce the cost by 15 to 25% compared with intensive on-site work. However, for industrial projects that require plant visits or involve high staff turnover, physical presence remains the most effective option.
What a Well-Structured ISO 9001 Implementation Project Should Include
Beyond the hourly rate, it matters to know what deliverables and activities the project should cover. A comprehensive engagement should include:
- Initial gap analysis against the requirements of ISO 9001:2015, with a report on the starting position.
- Process map design and process sheets (inputs, outputs, indicators, risks and opportunities).
- System documentation: quality policy, mandatory procedures (retained and maintained documented information), records and forms.
- Team training on the standard's requirements and use of the document management system.
- Pre-certification internal audit to identify gaps before the external audit and avoid surprises.
- Documented management review with analysis of quality indicators and objectives.
- Support during the external certification audit (stage 1 and stage 2).
- Closing of non-conformities identified by the external auditor, if any.
Indicative Total Budget Comparison for a Spanish SME
Adding the three blocks — consultancy, certification fees and an estimate of internal costs — the total investment range for an SME of 20-40 employees in Spain during 2025-2026 typically falls between €6,000 and €14,000 in the first year (including the initial audit). In subsequent years, the cost is reduced to surveillance audits and system maintenance.
| Component | Indicative range (SME 20-40 employees) | Frequency |
|---|---|---|
| Implementation consultancy | €5,000 – €9,000 | Once (first year) |
| Certification audit (body fees) | €1,500 – €3,000 | Once (first year) |
| Annual surveillance audit | €900 – €2,000 | Years 2 and 3 |
| Recertification (year 3) | €1,200 – €2,500 | Every 3 years |
| Estimated internal cost (employee hours) | €1,500 – €4,000 | First year (most intensive) |
These figures are market ranges published by certification bodies and sector consultancies; they do not constitute an economic offer from Summum Marketing.
Can the Cost Be Reduced? Three Real Levers
Yes, and significantly, provided the robustness of the system is not sacrificed. The most effective levers are:
Leverage Existing Documentation
Many SMEs have written operating procedures even if they are not formally linked to any standard. The initial gap analysis identifies which existing documentation is usable, reducing the time spent writing from scratch.
Involve Internal Staff from the Start
Assigning an internal quality manager to lead the project alongside the consultancy reduces the consultancy's billable hours. This role does not need to be an ISO expert: with appropriate training and consultant support, an administrative or technical profile can take on a large part of the document management work.
Negotiate the Scope Strategically
ISO 9001:2015 allows the certification scope to be defined in a way that excludes activities or sites that do not affect the conformity of the main product or service. In some cases, certifying only one line of business or a critical process is sufficient to meet a customer or tender requirement, and reduces the scope of the external audit.
ISO 9001 and Public Tenders: The Clearest Return
In Spain, Law 9/2017 on Public Sector Contracts (LCSP) allows contracting authorities to require ISO 9001 certification as a criterion of technical solvency (Article 90). In practice, many tender documents list it as a minimum requirement or as an evaluation criterion. For an SME aiming at public contracts, the investment in ISO 9001 can unlock a volume of business far greater than the project cost.
Similarly, large companies and corporations in the industrial, automotive, construction and food sectors require certification from their suppliers as part of their homologation requirements. Without a valid certificate, you simply do not enter the selection process.
How to Request a Useful Quote (Without Comparing Apples and Oranges)
To receive comparable quotes from different consultancies, prepare the following minimum information beforehand:
- Number of employees full-time and, if applicable, part-time.
- Number of sites or premises to be included in the scope.
- Main activity and whether it involves manufacturing a physical product or is a service only.
- Existing documentation: are there written procedures, records, a formalised organisational chart?
- Target date for obtaining the certificate (is there a tender deadline?).
- Preferred certification body or whether a proposal from the consultancy is acceptable.
With that information, any experienced consultancy can provide a concrete proposal rather than a vague «it depends». If the proposal does not break down at least the consultancy and certification fee blocks separately, request it explicitly: combining them makes comparison impossible.
At Summum we have been supporting ISO implementation projects for SMEs and mid-market companies in Castilla y León and the Canary Islands since 2007. If you want to know exactly what your company would invest, contact us with no obligation and we will give you a range tailored to your situation within 48 hours.
Frequently Asked Questions
How long does it take to obtain the ISO 9001 certificate?
For a well-organised service SME, the typical timeline from the start of the project to receiving the certificate is 5 to 8 months. In companies with greater operational complexity or limited internal resources, it can extend to 12 months. The timeline depends mainly on how quickly the company completes the documentation and on the certification body's availability to schedule the audit.
Are there grants or subsidies to finance ISO 9001?
In Spain, some regional governments and chambers of commerce have partially funded certification projects through lines of support for industrial competitiveness. In Castilla y León, ITACYL and programmes of the Junta de Castilla y León have included management system certification as an eligible expense in various calls. The Kit Consulting programme (the Ministry of Industry's advisory voucher scheme, active in 2024-2026) can also cover part of the consultancy fees if the company meets the size and turnover requirements. It is advisable to check the calls open at the time of starting the project.
Does ISO 9001 require hiring someone exclusively for quality?
No. The ISO 9001:2015 standard does not require a full-time «quality manager» or the creation of a dedicated department. It does require management to assign responsibilities for the relevant functions of the management system (clause 5.3). In practice, in SMEs with fewer than 50 employees, these functions are taken on as additional responsibilities by existing profiles: the managing director, production manager or administrative manager. The key requirement is that the assignment of those responsibilities is documented.
What happens if I do not pass the certification audit?
If the certification body's auditor identifies major non-conformities, the certificate is not issued until they are closed with verified corrective actions. The process is not an exam that is definitively «failed»: the certification body grants a period (typically 90 days) to address the gaps and may schedule a partial additional audit. Minor non-conformities do not block certification but must be closed before the first surveillance audit. A good implementation project includes a specific internal audit beforehand to identify and address these gaps before the external auditor arrives.