If you’re looking to get your organization certified to the ISO27001 information security standard, then one of the things you might consider is to use a consultant to help you. This is especially true if you’re not that familiar with the standard or information security in general, or you’re really stuck for time to allocate to the task. But what should you look for when choosing a consultant? Here we offer ten criteria to help with your selection process.
Although there are undoubtedly good consultants that don’t have qualifications, this does represent a reasonable starting point in your deliberations. The main qualification you might expect to see is ISO27001 Lead Auditor, but there are also variations on this such as ISO27001 Lead Implementer and ISO27001 Internal Auditor which are also relevant. On the more technical side, look out for CISSP (from ISC2) or CISM or CISA (both from ISACA). These are general information security qualifications that are at the right kind of level for helping with an ISO27001 implementation. More specific qualifications such as in particular technologies (Microsoft, Cisco etc.) are less relevant but do no harm if combined with the others previously mentioned.
Look for someone that’s done this before, ideally quite a few times and both within a company and outside it as a consultant. The more relevant the industries and sizes of organization the better. They should have been the main lead on a number of implementations (rather than one of a team) and they should have gone all the way through to successful certification a number of times.
One of the most important but often overlooked criteria in choosing a consultant is their overall style. By this we mean how well they “gel” with you and your team on a personal level; do you speak the same kind of language? Is there a good fit in terms of pace and approach? Do you get a warm feeling that you can work with this person? Often this is what makes the difference between a successful implementation and one that founders.
Onsite face to face used to be the only way to consult, but now remote virtual services are very common, supported by effective tools such as Microsoft Teams and Zoom. Many consultants now only offer remote services, so this is a question to ask early on if you’re committed to having someone onsite. The choice will often depend on your organization’s culture, and whether face to face meetings are the norm; obviously the Pandemic has affected this perception hugely, and having fewer restrictions on location will open up the potential consultant pool significantly.
There are many different ways of delivering ISO27001 consultancy services and guiding you through to successful certification. For example, some consultants use an online project management tool such as Basecamp to share progress; others use ready-made toolkits of relevant documents. Some like to conduct a gap assessment at the start of the project whereas others don’t feel it’s necessary. In general we suggest you look for a defined, structured approach to the implementation that gives confidence that nothing will be missed and that progress will be clear and relentless.
We labelled this criterion “value” rather than “cost” because it is often the case that the most appropriate consultant for the job is not the cheapest. The price for the job should be taken in the context of the other nine criteria we outline in this article. But be clear about how the services are being charged for – is it by the day, by the hour or is it a fixed price contract? If fixed, what are the parameters of the work – what happens if the first attempt at certification is not successful?
If you’re keen to get your organization certified to ISO27001 sooner rather than later then the availability of the consultant will be a consideration. However, bear in mind that good consultants are often in demand so you might have to wait a little for the one you really want. Factor in the number of clients the consultant is working with at any one time because if it’s too many then that may become a problem.
Early signs when dealing with a consultant can be good indicators of what will happen in the future. If they are slow to respond to your emails and don’t answer your questions fully then this may be indicative of how they work. Similarly, if they appear helpful from the start then this is a good sign.
If you’re a larger organization then your choice of consultant may be affected by whether they are a one-person outfit or have an extended team at their disposal. If you’re looking for a team approach, be sure to ask for the qualifications and experience of the team as a whole, rather than just the lead consultant. Having more than one person working with you can speed things up, but make sure you understand the costs involved.
Lastly, a consultant with a good knowledge of the ISO27001 standard is useful, but there are often additional products and services that you may need to make your life easier, in areas such as training, awareness, software and testing. A consultant that can identify areas where such expenditure is helpful can save you a lot of time and money in the long run. Ask questions about the tools and services they have worked with to gain an understanding of how wide their knowledge of the information security marketplace is.
Choosing an appropriate ISO27001 consultant can be a difficult and time-consuming task, so it’s worth being clear about the criteria you will use to choose between alternatives. Hopefully these ten suggestions will help you choose wisely.
Written by CertiKit’s CEO, Ken Holmes CISSP, CIPP/E. Ken is the primary author of CertiKit’s toolkit range, an ISO27001 Lead Auditor and has helped to implement, operate and audit ISO certifications over a varied 30-year career in the Information Technology industry.