- The Total Cost of Ownership (TCO) of compliance software encompasses far more than the license fee: setup, training, migration, maintenance, support, and opportunity costs belong in any serious calculation.
- SaaS tools with seat pricing become expensive as user numbers grow. With 100 employees, around 20 ISMS users, and 50-200 euros per seat and month, companies end up at 60,000 to 240,000 euros in license fees alone over five years — without add-ons and price increases.
- Self-hosted solutions have higher initial investments but predictable ongoing costs. ISMS Lite costs 2,500 euros over five years as a subscription or 2,500 euros as a one-time purchase — regardless of user count.
- Against seat-priced SaaS, self-hosted is already cheaper from the second month; even against cheap team packages the break-even falls within the first two years. The more users and the longer the period, the more pronounced the cost advantage for self-hosted becomes.
- Beyond pure cost, data sovereignty plays a growing role: self-hosted solutions keep sensitive ISMS data within your own network and eliminate dependencies on third-party providers.
Why the List Price Lies
Most comparisons of compliance software begin and end at the monthly license fee. 29 euros per user per month sounds manageable. 199 euros per user per month sounds like enterprise. But both figures say almost nothing about what the software will cost over its actual period of use.
The Total Cost of Ownership (TCO) of ISMS software encompasses everything you must invest for the tool to fulfill its purpose: setup, data migration, user training, ongoing administration, support tickets, upgrades, integration effort, and the costs that arise when you want to switch providers. With SaaS models, annual price adjustments, paid add-ons, and the risk of vendor lock-in come on top. With self-hosted solutions, server costs, maintenance, and updates are on the bill.
This article calculates both models for a typical mid-market company with 100 employees over five years. With concrete numbers, not marketing promises.
What Belongs in a TCO Calculation
Before we calculate, the cost categories must be clear. An honest TCO calculation for ISMS software includes at least these items:
Direct Costs
License or subscription fees: The most obvious item. With SaaS as a monthly or annual fee per user (seat) or per package. With self-hosted as a one-time purchase, annual subscription, or both.
Setup and onboarding: The costs for initial configuration. With SaaS, the provider often handles this (sometimes for an extra charge); with self-hosted, installation on your own server is added.
Data migration: If you are migrating from Excel, SharePoint, or another tool, the migration takes time. Existing risk assessments, controls, policies, and audit results must be transferred.
Training: Users must learn the tool. This costs internal working time and potentially external trainers or workshops.
Ongoing Costs
Support and maintenance: SaaS providers often include basic support in the price, but premium support (fast response times, dedicated contact) costs extra. With self-hosted, maintenance contracts or support hours apply.
Updates and upgrades: With SaaS, updates are included, but you have no influence on timing or scope. With self-hosted, you must apply updates yourself, but you control the pace.
Server costs (self-hosted only): Hosting, power, backup, monitoring. Whether on your own hardware or a virtual server at a hosting provider — the infrastructure costs money.
Administration: Someone must maintain the tool. Creating and deactivating users, managing permissions, adjusting configurations. This is internal effort that rarely appears in comparisons.
Hidden Costs
Price increases: SaaS providers raise prices regularly. In the compliance market, 5-15% annual increases are not uncommon. After five years, you may be paying 30-50% more than in the first year.
Add-ons and premium features: Many SaaS tools offer core functions in the base package and sell extended features separately. API access, advanced reporting, audit log export, SSO integration, or additional frameworks are frequent upselling candidates.
Vendor lock-in: If you want to switch after three years, how easily can you get your data? Proprietary formats, missing export functions, and platform dependency create switching costs that almost nobody factors in at the initial decision.
Opportunity costs: Time your team spends on tool problems instead of working productively on the ISMS. Outages, performance issues, or missing features that require workarounds.
The SaaS Model: Seat Pricing and Its Pitfalls
Most cloud ISMS tools use a seat-based pricing model. You pay per user per month. This sounds fair — you only pay for what you use. In practice, this model has properties that quickly add up in mid-market companies.
How Seat Pricing Works
A typical compliance SaaS tool has three to four pricing tiers:
| Tier | Price per Seat/Month | Included Features |
|---|---|---|
| Starter | 29-49 € | Basic functions, 1 framework, basic reports |
| Professional | 59-99 € | Multiple frameworks, audit management, API |
| Enterprise | 149-199 € | Everything, SSO, dedicated support, SLA |
The prices refer to named users — identified users with their own accounts. In the ISMS context, you need not only the ISM and IT management but also risk owners, control owners, and potentially auditors. In a company with 100 employees, that quickly becomes 10 to 30 active users.
The Growth Trap
The problem with seat pricing becomes apparent with growth. If your company grows from 100 to 150 employees, the number of ISMS users also rises. New department heads as risk owners, new team leads as control owners, new locations with local contacts. The software scales, but costs scale with it.
And here comes the psychological effect: teams start rationing access. Instead of giving all relevant people their own account, three risk owners share a login. This undermines the traceability that an ISMS is supposed to establish. Who approved which risk assessment and when? With shared accounts, this question becomes unanswerable.
Hidden Costs in the SaaS Model
Annual price increases: SaaS providers in the B2B compliance space typically raise prices by 5-15% per year. This is no secret but rarely appears in the comparison. The pricing page shows the entry price, not the price in year five.
Add-ons as revenue drivers: A common pattern with larger compliance platforms:
- Base framework (e.g., ISO 27001) included; additional frameworks (NIS2, TISAX, SOC 2) at extra cost
- API access only from the Professional tier
- SSO/SAML integration only in the Enterprise plan
- Advanced reports and dashboards as a premium feature
- Dedicated support or guaranteed response times as a paid add-on
- Audit trail export only at extra cost
Individually, these items seem manageable. In total, they can add 30-60% on top of the base price.
Vendor lock-in as a strategic risk: The longer you use a SaaS tool, the deeper your data is embedded in its structures. Risk assessments, action plans, audit results, policy versioning. If you want to switch after three years, you face the question: does the tool export my data in a usable format? The answer is often sobering. CSV exports with information loss, no relationships between records, proprietary field formats. The actual switching costs (data migration, rebuilding structures, re-training) easily amount to 10,000-30,000 euros of internal and external effort.
The Self-Hosted Model: Control Has Its Price
Self-hosted means the software runs on your own infrastructure. This can be a physical server in the server room, a VM at a hosting provider, or a container in your private cloud. You have full control over the data, configuration, and operations.
The Cost Structure
Self-hosted software has a different cost distribution than SaaS. The initial investment is higher, the ongoing costs are lower and, above all, more predictable.
One-time costs:
| Item | Typical Cost |
|---|---|
| License (one-time purchase or first annual subscription) | 500-5,000 € |
| Server setup and installation | 200-1,000 € |
| Initial configuration and data migration | 500-2,000 € |
| Training (internal) | 500-1,000 € |
| Total initial investment | 1,700-9,000 € |
Ongoing annual costs:
| Item | Typical Cost/Year |
|---|---|
| Server/hosting (VPS or own infrastructure) | 120-600 € |
| Maintenance and updates (internal effort) | 300-800 € |
| Backup and monitoring | 60-200 € |
| Support/maintenance contract (optional) | 0-500 € |
| Total ongoing/year | 480-2,100 € |
The Advantage of Predictability
The greatest advantage of the self-hosted model is cost predictability. Your server costs roughly the same in year five as in year one. The license is either paid once or follows a fixed annual price without seat dependency. And when your company grows, license costs do not grow with it.
A self-hosted tool with flat-rate licensing costs the same for 30 users as for 130 users. That is a fundamental difference from the seat model.
What You Need to Watch For
Self-hosted is not self-running. You need someone who operates the server, applies updates, and monitors backups. In a company with 100 employees, the IT department typically has the competence for this — the same department also operates file servers, intranets, and other internal applications. Still, it is honest to include this effort in the calculation.
Updates are a double-edged sword. You decide when you update, which is good if you take change management seriously. But you also must take action instead of relying on automatic updates, and an instance nobody updates stays vulnerable. Whoever owns operations needs a defined patch window and a way to be notified of security releases; that effort is what the maintenance line in the tables above covers. A good self-hosted vendor makes it easy: clear update instructions, tested migration paths, and transparent changelog communication.
Calculation Example: 100 Employees Over 5 Years
Now it gets concrete. We calculate three scenarios for a company with 100 employees that needs 20 active ISMS users (ISM, IT management, 5 department heads as risk owners, 8 control owners, 2 auditors, 2 managing directors, 1 DPO).
Scenario A: Mid-Range SaaS (79 euros/seat/month)
An established provider in the DACH region with the Professional tier:
| Item | Year 1 | Year 2 | Year 3 | Year 4 | Year 5 | Total |
|---|---|---|---|---|---|---|
| License (20 seats x 79 €/mo) | 18,960 € | 18,960 € | 18,960 € | 18,960 € | 18,960 € | 94,800 € |
| Price increase (8%/year cumulative) | - | 1,517 € | 3,153 € | 4,920 € | 6,830 € | 16,420 € |
| Onboarding package | 3,000 € | - | - | - | - | 3,000 € |
| SSO add-on | 2,400 € | 2,400 € | 2,400 € | 2,400 € | 2,400 € | 12,000 € |
| NIS2 framework add-on | 1,200 € | 1,200 € | 1,200 € | 1,200 € | 1,200 € | 6,000 € |
| Internal training and admin | 2,000 € | 800 € | 800 € | 800 € | 800 € | 5,200 € |
| Annual costs | 27,560 € | 24,877 € | 26,513 € | 28,280 € | 30,190 € | 137,420 € |
Five-year TCO: 137,420 euros
And this is the optimistic case. We have not included additional seats (realistic with company growth), no premium support, and no additional framework add-ons.
Scenario B: Enterprise SaaS (149 euros/seat/month)
An international provider with extensive feature set:
| Item | Year 1 | Year 2 | Year 3 | Year 4 | Year 5 | Total |
|---|---|---|---|---|---|---|
| License (20 seats x 149 €/mo) | 35,760 € | 35,760 € | 35,760 € | 35,760 € | 35,760 € | 178,800 € |
| Price increase (10%/year cumulative) | - | 3,576 € | 7,510 € | 11,832 € | 16,579 € | 39,497 € |
| Implementation service | 8,000 € | - | - | - | - | 8,000 € |
| Premium support | 4,800 € | 4,800 € | 4,800 € | 4,800 € | 4,800 € | 24,000 € |
| Internal training and admin | 3,000 € | 1,000 € | 1,000 € | 1,000 € | 1,000 € | 7,000 € |
| Annual costs | 51,560 € | 45,136 € | 49,070 € | 53,392 € | 58,139 € | 257,297 € |
Five-year TCO: 257,297 euros
At this price point, the question arises whether a mid-market company with 100 employees can justify this investment to the board. And whether the feature set actually warrants the premium over leaner solutions.
Scenario C: Self-Hosted with ISMS Lite
ISMS Lite as a self-hosted solution with two pricing options: from 500 euros per year or as a one-time purchase for 2,500 euros. We calculate both variants.
Variant C1: Annual subscription (500 euros/year)
| Item | Year 1 | Year 2 | Year 3 | Year 4 | Year 5 | Total |
|---|---|---|---|---|---|---|
| License (annual subscription, flat) | 500 € | 500 € | 500 € | 500 € | 500 € | 2,500 € |
| Server (VPS, e.g., Hetzner) | 180 € | 180 € | 180 € | 180 € | 180 € | 900 € |
| Installation and setup | 500 € | - | - | - | - | 500 € |
| Data migration (from Excel/SharePoint) | 800 € | - | - | - | - | 800 € |
| Internal training | 600 € | 200 € | 200 € | 200 € | 200 € | 1,400 € |
| Maintenance and updates (internal) | 300 € | 300 € | 300 € | 300 € | 300 € | 1,500 € |
| Backup and monitoring | 120 € | 120 € | 120 € | 120 € | 120 € | 600 € |
| Annual costs | 3,000 € | 1,300 € | 1,300 € | 1,300 € | 1,300 € | 8,200 € |
Five-year TCO: 8,200 euros
Variant C2: One-time purchase (2,500 euros)
| Item | Year 1 | Year 2 | Year 3 | Year 4 | Year 5 | Total |
|---|---|---|---|---|---|---|
| License (one-time purchase) | 2,500 € | - | - | - | - | 2,500 € |
| Server (VPS) | 180 € | 180 € | 180 € | 180 € | 180 € | 900 € |
| Installation and setup | 500 € | - | - | - | - | 500 € |
| Data migration | 800 € | - | - | - | - | 800 € |
| Internal training | 600 € | 200 € | 200 € | 200 € | 200 € | 1,400 € |
| Maintenance and updates (internal) | 300 € | 300 € | 300 € | 300 € | 300 € | 1,500 € |
| Backup and monitoring | 120 € | 120 € | 120 € | 120 € | 120 € | 600 € |
| Annual costs | 5,000 € | 800 € | 800 € | 800 € | 800 € | 8,200 € |
Five-year TCO: 8,200 euros
Both variants arrive at identical five-year costs. The difference is in cash flow: the subscription distributes costs more evenly; the one-time purchase concentrates them in the first year.
The Side-by-Side Comparison
All four scenarios side by side:
| Metric | SaaS Mid-Range | SaaS Enterprise | ISMS Lite Subscription | ISMS Lite Purchase |
|---|---|---|---|---|
| 5-year TCO | 137,420 € | 257,297 € | 8,200 € | 8,200 € |
| Cost per month (average) | 2,290 € | 4,288 € | 137 € | 137 € |
| Cost per user/month (effective) | 115 € | 214 € | 7 € | 7 € |
| Price change risk | High (8-10%/year) | High (10-15%/year) | None (flat) | None (one-time) |
| Seat dependency | Yes | Yes | No | No |
| Vendor lock-in | High | Very high | Low | Low |
| Data sovereignty | Provider's cloud | Provider's cloud | Own server | Own server |
The factor between mid-range SaaS and ISMS Lite is approximately 17x. Between enterprise SaaS and ISMS Lite, it is 31x. Even if you generously adjust the self-hosted costs upward (more expensive server, external support), the difference remains an order of magnitude.
The Break-Even Analysis
At what point does self-hosted become cheaper than SaaS? The answer depends on the SaaS price, but the break-even comes sooner than many expect.
ISMS Lite Subscription vs. Mid-Range SaaS
Cumulative costs compared:
| Time | SaaS Cumulative | ISMS Lite Cumulative | Difference |
|---|---|---|---|
| Month 3 | 6,890 € | 3,000 € | 3,890 € |
| Month 6 | 13,780 € | 3,000 € | 10,780 € |
| Month 12 | 27,560 € | 3,000 € | 24,560 € |
| Month 24 | 52,437 € | 4,300 € | 48,137 € |
| Month 36 | 78,950 € | 5,600 € | 73,350 € |
The break-even is reached in the second month. The entire first-year cost of ISMS Lite, 3,000 euros including setup and migration, is less than two months of the SaaS tool's running costs (about 2,300 euros per month), and by month 3 the SaaS tool has already spent more than twice that amount. The gap only widens from there.
What if SaaS Were Cheaper?
To be fair, there are SaaS offerings with team or company pricing instead of pure seat pricing. Some providers offer packages for small teams (e.g., 5 seats) from 200-500 euros per month. Even with such a package at 300 euros per month (3,600 euros per year), the break-even versus the ISMS Lite subscription falls within the first year (3,600 versus 3,000 euros), and versus the one-time purchase during the second year (7,200 versus 5,800 euros after two years). And that is without factoring in price increases, add-ons, or the package's own onboarding and training costs.
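The calculations in this section can be reproduced with a small model. The script below is an added example, not code from the article or from ISMS Lite; the scenario figures are the assumptions from the tables above, and the allocation of costs within a year is this script's own assumption (monthly seat billing accrues evenly over the year, self-hosted items such as the annual license, setup and migration are paid at the start of the year). Because the tables round the yearly price uplift, the script's SaaS totals land within a few euros of the printed ones.

```python
"""Five-year TCO model for seat-priced SaaS versus flat-rate self-hosted ISMS software.

Added example, not part of the original article. Plan figures are the article's
scenario assumptions; the within-year cost allocation is an assumption of this script.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class SaasPlan:
    seats: int
    price_per_seat_month: float
    annual_increase: float       # compounding list-price increase, e.g. 0.08 for 8 %
    onetime: float = 0.0         # onboarding / implementation package (year 1 only)
    annual_addons: float = 0.0   # SSO, extra frameworks, premium support (held flat)
    internal_year1: float = 0.0  # internal training and admin effort, year 1
    internal_later: float = 0.0  # internal training and admin effort, later years


@dataclass(frozen=True)
class SelfHostedPlan:
    license_year1: float         # first annual fee or one-time purchase price
    license_later: float         # annual fee in later years (0 for a one-time purchase)
    onetime: float               # installation, setup and data migration (year 1 only)
    annual_ops: float            # server, maintenance/updates, backup and monitoring
    internal_year1: float        # internal training, year 1
    internal_later: float        # internal training, later years


def saas_yearly_costs(plan: SaasPlan, years: int) -> List[float]:
    """Cost per year; the seat price compounds, add-ons are assumed not to."""
    base = plan.seats * plan.price_per_seat_month * 12
    costs = []
    for year in range(1, years + 1):
        licence = base * (1 + plan.annual_increase) ** (year - 1)
        internal = plan.internal_year1 if year == 1 else plan.internal_later
        onetime = plan.onetime if year == 1 else 0.0
        costs.append(licence + plan.annual_addons + internal + onetime)
    return costs


def self_hosted_yearly_costs(plan: SelfHostedPlan, years: int) -> List[float]:
    """Cost per year; nothing here depends on the number of users."""
    costs = []
    for year in range(1, years + 1):
        licence = plan.license_year1 if year == 1 else plan.license_later
        internal = plan.internal_year1 if year == 1 else plan.internal_later
        onetime = plan.onetime if year == 1 else 0.0
        costs.append(licence + plan.annual_ops + internal + onetime)
    return costs


def tco(yearly: List[float]) -> float:
    return sum(yearly)


def cumulative(yearly: List[float], month: int, upfront: bool) -> float:
    """Cumulative spend after `month` months.

    upfront=True:  each year's cost is due at the start of that year (annual licence,
                   setup, migration), the self-hosted pattern.
    upfront=False: each year's cost accrues evenly over its 12 months (monthly seat billing).
    """
    total = 0.0
    for index, cost in enumerate(yearly):
        start = index * 12
        if month <= start:
            break
        total += cost if upfront else cost * min(month - start, 12) / 12
    return total


def break_even_month(saas: List[float], self_hosted: List[float]) -> Optional[int]:
    """First month in which cumulative SaaS spend reaches the cumulative self-hosted spend."""
    horizon = 12 * min(len(saas), len(self_hosted))
    for month in range(1, horizon + 1):
        if cumulative(saas, month, upfront=False) >= cumulative(self_hosted, month, upfront=True):
            return month
    return None


# Scenario assumptions taken from the article's tables (20 ISMS users, five years).
MID_RANGE = SaasPlan(seats=20, price_per_seat_month=79, annual_increase=0.08,
                     onetime=3000, annual_addons=2400 + 1200,
                     internal_year1=2000, internal_later=800)
ENTERPRISE = SaasPlan(seats=20, price_per_seat_month=149, annual_increase=0.10,
                      onetime=8000, annual_addons=4800,
                      internal_year1=3000, internal_later=1000)
ISMS_LITE_SUBSCRIPTION = SelfHostedPlan(license_year1=500, license_later=500,
                                        onetime=500 + 800, annual_ops=180 + 300 + 120,
                                        internal_year1=600, internal_later=200)
ISMS_LITE_PURCHASE = SelfHostedPlan(license_year1=2500, license_later=0,
                                    onetime=500 + 800, annual_ops=180 + 300 + 120,
                                    internal_year1=600, internal_later=200)
# The "what if SaaS were cheaper" case: a 300 euro/month team package, modelled as one seat.
TEAM_PACKAGE = SaasPlan(seats=1, price_per_seat_month=300, annual_increase=0.0)


if __name__ == "__main__":
    for name, yearly in [("SaaS mid-range", saas_yearly_costs(MID_RANGE, 5)),
                         ("SaaS enterprise", saas_yearly_costs(ENTERPRISE, 5)),
                         ("ISMS Lite subscription", self_hosted_yearly_costs(ISMS_LITE_SUBSCRIPTION, 5)),
                         ("ISMS Lite purchase", self_hosted_yearly_costs(ISMS_LITE_PURCHASE, 5))]:
        print(f"{name:24s}" + " ".join(f"{c:9,.0f}" for c in yearly) + f"  TCO {tco(yearly):10,.0f}")
    for label, saas in [("mid-range", MID_RANGE), ("team package", TEAM_PACKAGE)]:
        month = break_even_month(saas_yearly_costs(saas, 5),
                                 self_hosted_yearly_costs(ISMS_LITE_SUBSCRIPTION, 5))
        print(f"break-even vs {label}: month {month}")
```

Replace the plan constants with the quotes you actually receive; the price-increase clause and the add-ons are the two inputs that move the five-year figure most, so check them against the contract rather than the pricing page.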
Costs Nobody Talks About
Beyond the hard numbers, there are cost factors that are difficult to quantify but significantly influence the decision.
Data Sovereignty as a Cost Factor
With SaaS, your ISMS data resides on a third-party provider's infrastructure. This includes risk analyses with detailed descriptions of your vulnerabilities, action plans revealing your security architecture, audit reports with findings and deviations, and emergency plans with internal contact details and recovery procedures. This data is highly sensitive. It describes in detail where your company is vulnerable and how you protect yourself. With self-hosted, this data stays on a server you administer, under your control. If that server is a rented VPS, the hardware is still the hosting provider's; if that matters to you, run the software on your own hardware, or at least encrypt the disk and the off-site backups. That is not a luxury but a logical consequence of what you are trying to protect with the ISMS. Tools like ISMS Lite run entirely on your infrastructure and do not transfer data to external servers.
Provider Dependency
What happens if your SaaS provider ceases operations, gets acquired by a competitor, or doubles the prices? You face the choice: pay or migrate. Migration under time pressure is expensive and risky. With self-hosted, you have the software and your data. Even if the vendor closes tomorrow, your system keeps running. You have the installation, the database, and the export capabilities. This gives you negotiating power that a SaaS customer does not have.
Compliance Requirements for the Software Itself
NIS2 and ISO 27001 increasingly impose requirements on supply chain security. A SaaS tool is a service provider in the ISMS sense: you must assess the provider, conclude a DPA, review their security measures, and repeat all of this regularly. With self-hosted on your own hardware, this effort largely falls away because no third party processes your ISMS content. If you rent a VPS, you still need a DPA and a supplier assessment for the hosting provider, but you are assessing a generic infrastructure service, not a vendor that stores and reads your risk register. The software vendor itself stays in your supply chain either way, since you install its releases, so keep it on the supplier list. This saves money and simplifies the ISMS documentation.
The Real Price of Seat Rationing
When the tool charges per user, companies get creative about who really needs an account. The result: the ISM maintains risk assessments alone instead of directly involving risk owners. Control owners receive their tasks via email instead of in the tool. Audit findings are tracked in separate documents because the auditor has no seat.
The irony: you buy a tool to digitize your ISMS and end up with a hybrid of tool and manual process because you are saving seats. This undermines the entire purpose of the software and ultimately costs more than the saved seats are worth. In ISMS Lite, there is no seat limitation. Everyone who has a role in the ISMS gets an account without increasing costs.
Asking the Right Question
The question "SaaS or self-hosted?" is actually the wrong question. The right question is: which deployment model fits my company, my budget, and my compliance requirements?
When SaaS Still Makes Sense
SaaS is not inherently bad. There are scenarios where a SaaS tool is the better choice:
- No internal IT know-how: If you have no IT department capable of running a server (rare with 100+ employees, but possible)
- Quick start without infrastructure: If you need to be productive within days and have no time for server setup
- Integration requirements: If you need deep integrations with other SaaS tools that only work through their cloud APIs
- No interest in operations: If management decides that running your own software is not a core competency
When Self-Hosted Is the Better Choice
- Data sovereignty is a priority: If ISMS data must not leave the corporate network
- Budget is limited: If the TCO difference of factor 10-30x is the deciding factor
- Long-term planning: If you need planning certainty over five years instead of annual price surprises
- Independence from third parties: If you want to minimize the vendor lock-in effect
- Existing infrastructure: If you already operate servers and the marginal cost of an additional application is low
For the majority of mid-market companies with 50 to 500 employees, most points in the second list apply.
Checklist: TCO Calculation for Your Evaluation
If you are currently evaluating compliance software, use this checklist to capture the TCO completely:
- Determine license costs for the actual required user count (not just the ISM, but all ISMS roles)
- Check price increase clauses in the contract (is there a cap?)
- Identify all required add-ons and include their cost (frameworks, SSO, API, reports)
- Request onboarding and migration costs (flat or by effort?)
- Estimate internal training effort (hours x internal hourly rate)
- Calculate annual administration effort (user management, configuration)
- For self-hosted: realistically estimate server costs and internal maintenance effort
- Determine switching costs: what does a migration away from the provider cost?
- Check export functionality: can you export your data completely and in a structured format?
- Review contract term and cancellation periods
- Ask the provider's reference customers about actual total costs
Common Mistakes in Tool Selection
Only looking at the entry price: The price on the website is the lowest. Configure the tool as you actually need it and calculate with the real user count.
Underestimating seat requirements: Most companies underestimate how many people need to be active in the ISMS. Plan with 15-25% of the workforce as potential users, not just the ISM and two IT admins.
Ignoring growth: If your company has 50% more employees in five years, seats at SaaS cost 50% more. Self-hosted with flat rate does not.
Treating data sovereignty as a nice-to-have: Your ISMS data describes your vulnerabilities. Treat the question of where this data resides with the same care as the data itself.
Only showing management the monthly rate: When presenting the IT security budget to management, show the five-year TCO. Monthly seat costs look harmless; the five-year total does not.
Conclusion
The choice between SaaS and self-hosted is not an ideological question. It is a calculation. And if you do this calculation honestly — with all cost factors over a realistic period — the result for most mid-market companies is clear. Self-hosted solutions with flat-rate pricing are not only cheaper but give you back control over your most sensitive data.
This does not mean every SaaS tool is bad. It means you should know the total costs before you sign. And that "29 euros per seat" yields a very different number over five years than it looks on the pricing page.
Further Reading
- Self-Hosted vs. Cloud: Datensouveränität bei Compliance-Software
- Was kostet ein ISMS? Budget, Aufwand und ROI realistisch einschätzen
- Build vs. Buy: Eigenentwicklung oder fertige Lösung für ISMS-Prozesse
- ISMS-Software auswählen: Worauf es bei der Evaluation ankommt
- ISMS aufbauen: Der komplette Leitfaden für Unternehmen mit 50 bis 500 Mitarbeitern
