If you’re looking to get your organisation certified to the ISO27001 information security standard, then one of the things you might consider is to use a consultant to help you. This is especially true if you’re not that familiar with the standard or information security in general, or you’re really stuck for time to allocate to the task. But what should you look for when choosing a consultant? Here we offer ten criteria to help with your selection process.
1. Qualifications
Although there are undoubtedly good consultants who don’t hold qualifications, qualifications do represent a reasonable starting point in your deliberations. The main qualification you might expect to see is ISO27001 Lead Auditor, but variations such as ISO27001 Lead Implementer and ISO27001 Internal Auditor are also relevant.
On the more technical side, look out for CISSP (from ISC2) or CISM or CISA (both from ISACA). These are general information security qualifications pitched at the right level for helping with an ISO27001 implementation.
More specific qualifications such as in particular technologies (Microsoft, Cisco etc.) are less relevant but do no harm if combined with the others previously mentioned.
2. Experience
Look for someone who has done this before, ideally quite a few times and both within a company and outside it as a consultant. The more relevant the industries and sizes of organisation, the better. They should have been the main lead on a number of implementations (rather than one of a team) and they should have gone all the way through to successful certification a number of times.
3. Style
One of the most important but often overlooked criteria in choosing a consultant is their overall style. By this we mean how well they “gel” with you and your team on a personal level; do you speak the same kind of language? Is there a good fit in terms of pace and approach? Do you get a good feeling that you can work with this person? Often this is what makes the difference between a successful implementation and one that founders.
4. Delivery method
Onsite, face-to-face work used to be the only way to consult, but remote virtual services are now very common, supported by effective tools such as Microsoft Teams and Zoom. Many consultants now only offer remote services, so this is a question to ask early on if you’re committed to having someone onsite. The choice will often depend on your organisation’s culture and whether face-to-face meetings are the norm; obviously the pandemic has affected this perception hugely, and having fewer restrictions on location will open up the potential consultant pool significantly.
5. Approach
There are many ways of delivering ISO27001 consultancy services and guiding you through to successful certification. For example, some consultants use an online project management tool such as Basecamp to share progress; others use ready-made toolkits of relevant documents.
Some like to conduct a gap assessment at the start of the project whereas others don’t feel it’s necessary. In general we suggest you look for a defined, structured approach to the implementation that gives confidence that nothing will be missed and that progress will be clear and relentless.
6. Value
We labelled this criterion “value” rather than “cost” because it is often the case that the most appropriate consultant for the job is not the cheapest. The price for the job should be taken in the context of the other nine criteria we outline in this article. But be clear about how the services are being charged for – is it by the day, by the hour or is it a fixed price contract? If fixed, what are the parameters of the work – what happens if the first attempt at certification is not successful?
7. Availability
If you’re keen to get your organisation certified to ISO27001 sooner rather than later, then the availability of the consultant will be a consideration. However, bear in mind that good consultants are often in demand, so you might have to wait a little for the one you really want. Factor in the number of clients the consultant is working with at any one time, because if it’s too many that may become a problem.
8. Responsiveness
Early signs when dealing with a consultant can be good indicators of what will happen in the future. If they are slow to respond to your emails and don’t answer your questions fully then this may be indicative of how they work. Similarly, if they appear helpful from the start then this is a good sign.
9. Resources
If you’re a larger organisation then your choice of consultant may be affected by whether they are a one-person outfit or have an extended team at their disposal. If you’re looking for a team approach, be sure to ask for the qualifications and experience of the team as a whole, rather than just the lead consultant. Having more than one person working with you can speed things up, but make sure you understand the costs involved.
10. Knowledge of the information security marketplace
Lastly, a consultant with a good knowledge of the ISO27001 standard is useful, but there are often additional products and services that you may need to make your life easier, in areas such as training, awareness, software and testing.
A consultant that can identify areas where such expenditure is helpful can save you a lot of time and money in the long run. Ask questions about the tools and services they have worked with to gain an understanding of how wide their knowledge of the information security marketplace is.
Final words
Choosing an appropriate ISO27001 consultant can be a difficult and time-consuming task, so it’s worth being clear about the criteria you will use to choose between alternatives. Hopefully these ten suggestions will help you choose wisely.