5 criteria for choosing an ISO 22301 / ISO 27001 consultant
If you’re implementing ISO 27001 or ISO 22301 for the first time, you’re probably considering hiring a consultant to help you. But, which consultant should you hire, what are the potential problems, and how much should you pay?
The purpose of an ISO 22301/ISO 27001 consultant
A consultant should shorten your implementation time – he should provide you all the know-how for the implementation, and help you avoid numerous pitfalls during the project. He should lead you step by step throughout your project, and give you a precise idea of what the certification auditors will be looking for.
If your arrangement includes on-site consulting, a consultant can make all the necessary analysis, recommend the best solutions, write the documentation, train your employees, etc. In other words, he can take part of the workload off of your staff.
Potential problems with consultants
However, hiring a consultant carries some risks, too:
- The consultant will be able to see your most critical information, including the areas where you are most vulnerable.
- If a consultant is selling some software or some other solutions, you can expect he will use knowledge of your company to convince that his solution is just what you need. (He might even offer you lower consulting price with this goal in mind.)
- If a consultant is doing all the analysis and documentation writing by himself (with no interference of your employees), two things will probably happen: (1) the documentation will not reflect the real needs of your company, and (2) once the consultant is gone, your employees won’t know how to maintain the documentation – both of these have the same result: the documentation won’t really be useful in daily operations, and employees will probably reject it.
- There are many people claiming to be consultants, but in fact they know very little about this job. In most countries, there is no license needed for doing this job, so practically anyone can declare he or she is a consultant.
Thinking about it, a question arises whether you need a consultant at all – read more about it here: Do you really need a consultant for ISO 27001 / BS 25999 implementation?
If you do decide to hire a consultant, make sure you address all the above-mentioned issues in the project plan, and address them specifically (and in writing) within your contract agreement.
Criteria for choosing a consultant
So, based on all these issues, which criteria should you use?
1) Experience & skills. Do your research, not only about the consulting company, but also about the person who would do the consulting job – does she have certificates like ISO 27001 Lead Auditor Course, or ISO 27001 Lead Implementer Course (same for ISO 22301)? How many jobs has she performed; how long has she been in this business? Which kind of companies did she work for? E.g. if she did only banks, she is hardly the right choice for an IT company.
2) Reputation. By far, the best thing is to call the clients the consultant claims she has worked with – very often you’ll be surprised that the job she was working on was far smaller in scope than you were led to believe, and sometimes the customers won’t speak favorably about the service they received. Also, if a consultant has published some books or articles on a subject, or if she is a frequent speaker at conferences, chances are you’ll make a good choice.
3) Customized service. Avoid the “copy-paste” consultants – they will bring you finished templates and contribute nothing to them. (You would be better off doing the implementation by yourself with our Documentation Toolkit.) Actually, you’ll learn quite a lot about the willingness of a consultant to tailor the service for your specific needs during the negotiation period. If you feel she is not adaptable enough, or you don’t like her communication style, walk away from this deal.
4) Language. Choosing a consultant that doesn’t speak your local language (or speaks it poorly) probably leads to disaster. Don’t expect that a translator will help you with this problem – the job of a consultant is to understand all the nuances of your operations, and that cannot be done via a third person.
5) Conflict of interest. Hire a consultant who sells only this – consulting services. Avoid those who offer other security or IT solutions, unless you want to be an upsell target.
There is a good reason why I didn’t write that price should be one of your criteria – many times I’ve seen companies choose the least expensive consultant, only to find out later that was actually the most expensive option. The cheapest consultants usually don’t have enough work to do, so this is why they offer the lowest prices – they want to survive in the market. But, the important question here is – why don’t they have enough work? Because they’re new to this market, and don’t have enough experience? Or because they have a not-so-good reputation, so many clients are avoiding them? Think about this when you’re making your decision.
Of course price is important, but you have to calculate the total price of the project – and usually the price premium of a good consultant will be far less than the savings such consultant will bring you.
This being said, although a consulting price is usually based on man/days, it is far better to agree on a total price for the whole project – this way the risk is on the consultant, not you. If a consultant claims he cannot anticipate the amount of work needed, let him do a pre-agreement analysis – if he cannot estimate the amount of work, maybe he doesn’t have enough experience.
And remember – the ultimate purpose of a consultant is to save your time.
Click here to see a description of ISO 27001 & ISO 22301 Premium Documentation Toolkit.