Blog Ten Criteria for Choosing an ISO27001 Consultant

1. Qualifications

Although there are undoubtedly good consultants that don’t have qualifications, this does represent a reasonable starting point in your deliberations. The main qualification you might expect to see is ISO27001 Lead Auditor, but there are also variations on this such as ISO27001 Lead Implementer and ISO27001 Internal Auditor which are also relevant. On the more technical side, look out for CISSP (from ISC2) or CISM or CISA (both from ISACA). These are general information security qualifications that are at the right kind of level for helping with an ISO27001 implementation. More specific qualifications such as in particular technologies (Microsoft, Cisco etc.) are less relevant but do no harm if combined with the others previously mentioned.

2. Experience

Look for someone that’s done this before, ideally quite a few times and both within a company and outside it as a consultant. The more relevant the industries and sizes of organization the better. They should have been the main lead on a number of implementations (rather than one of a team) and they should have gone all the way through to successful certification a number of times.

3. Style

One of the most important but often overlooked criteria in choosing a consultant is their overall style. By this we mean how well they “gel” with you and your team on a personal level; do you speak the same kind of language? Is there a good fit in terms of pace and approach? Do you get a warm feeling that you can work with this person? Often this is what makes the difference between a successful implementation and one that founders.

4. Delivery method

Onsite face to face used to be the only way to consult, but now remote virtual services are very common, supported by effective tools such as Microsoft Teams and Zoom. Many consultants now only offer remote services, so this is a question to ask early on if you’re committed to having someone onsite. The choice will often depend on your organization’s culture, and whether face to face meetings are the norm; obviously the Pandemic has affected this perception hugely, and having fewer restrictions on location will open up the potential consultant pool significantly.

5. Approach

There are many different ways of delivering ISO27001 consultancy services and guiding you through to successful certification. For example, some consultants use an online project management tool such as Basecamp to share progress; others use ready-made toolkits of relevant documents. Some like to conduct a gap assessment at the start of the project whereas others don’t feel it’s necessary. In general we suggest you look for a defined, structured approach to the implementation that gives confidence that nothing will be missed and that progress will be clear and relentless.

6. Value

We labelled this criterion “value” rather than “cost” because it is often the case that the most appropriate consultant for the job is not the cheapest. The price for the job should be taken in the context of the other nine criteria we outline in this article. But be clear about how the services are being charged for – is it by the day, by the hour or is it a fixed price contract? If fixed, what are the parameters of the work – what happens if the first attempt at certification is not successful?

7. Availability

If you’re keen to get your organization certified to ISO27001 sooner rather than later then the availability of the consultant will be a consideration. However, bear in mind that good consultants are often in demand so you might have to wait a little for the one you really want. Factor in the number of clients the consultant is working with at any one time because if it’s too many then that may become a problem.

8. Responsiveness

Early signs when dealing with a consultant can be good indicators of what will happen in the future. If they are slow to respond to your emails and don’t answer your questions fully then this may be indicative of how they work. Similarly, if they appear helpful from the start then this is a good sign.

9. Resources

If you’re a larger organization then your choice of consultant may be affected by whether they are a one-person outfit or have an extended team at their disposal. If you’re looking for a team approach, be sure to ask for the qualifications and experience of the team as a whole, rather than just the lead consultant. Having more than one person working with you can speed things up, but make sure you understand the costs involved.

10. Knowledge of the information security marketplace

Lastly, a consultant with a good knowledge of the ISO27001 standard is useful, but there are often additional products and services that you may need to make your life easier, in areas such as training, awareness, software and testing. A consultant that can identify areas where such expenditure is helpful can save you a lot of time and money in the long run. Ask questions about the tools and services they have worked with to gain an understanding of how wide their knowledge of the information security marketplace is.

Final words

Choosing an appropriate ISO27001 consultant can be a difficult and time-consuming task, so it’s worth being clear about the criteria you will use to choose between alternatives. Hopefully these ten suggestions will help you choose wisely.

Written by CertiKit’s CEO, Ken Holmes CISSP, CIPP/E. Ken is the primary author of CertiKit’s toolkit range, an ISO27001 Lead Auditor and has helped to implement, operate and audit ISO certifications over a varied 30-year career in the Information Technology industry. 

Discuss your requirements with CertiKit's ISO27001 consultants

Contact us for a free no obligation meeting to discuss your requirements and see if we’re the right fit for your organization.

Benefit from the knowledge of our experts who have years of experience in implementing an Information Security Management System.

Our consultants are qualified lead auditors and have helped many organizations implement and prepare for their ISO/IEC 27001 certification audit with great results. Based in the UK and conducted remotely via MS Teams, our consultancy is best suited to organizations  within 5 hours of the UK time zone.