Dejan Kosutic If you’re an independent consultant at the beginning of your career, you’re probably wondering how to perform your first consulting job for ISO 27001 or ISO 22301 implementation. But, don’t worry – here’s what you need to do.
Steps before you start the project
If this is really your first job, the chances are you don’t have enough knowledge for the implementation of these standards – therefore, it is always a good thing to prepare as much as possible. This article will help you: How to become an ISO 27001 / ISO 22301 consultant.
Further, if you’re doing this for the first time, you’ll need templates for all the policies, procedures, and plans, as well as for your consulting work (project plan, consulting proposal, presentations, etc.) – see this Consultant toolkit to get some ideas.
The next thing is to make sure you set the right expectations from the client – you have to clarify who is going to run the project, who organizes the meetings, who performs the interviews and analysis, who writes the documentation, etc. The best thing is to document all of these either as part of your consulting proposal, or as part of the consulting agreement. Also, when a question arises regarding how long the project will last, you can use this ISO 27001 / ISO 22301 Implementation Duration Calculator.
I’ll provide you some tips on who should do what in the next section, but let me emphasize here one crucial thing: you, as an external consultant, cannot run the project. The project manager needs to be someone from inside the company, someone who knows very well the people, processes, and the specific ways the things are done in that company; most importantly, this project manager needs to have enough authority to push the project when needed, and this is something the outside consultant cannot do. (See also: Who should be your project manager for ISO 27001/ISO 22301?)
Finally, a very important element for the success of the project is the support from the top management of the company – I don’t mean here just theoretical support, but real support in terms of money, human resources, and willingness to eliminate the obstacles once they turn up (and, believe me, they will turn up.) To get this support, the project manager (probably with your assistance) needs to present the business benefits to the top management – see these articles: Four key benefits of ISO 27001 implementation and ISO 22301 benefits: How to get your management’s approval for a business continuity project.
Steps during the implementation
Of course, the formal start of the project should be the development of the project plan – here you’ll find a free template.
Basically, the steps in the implementation are determined by the standards themselves, since they are written in a sequential way – here you can see an overview of the main steps: ISO 27001 implementation checklist and 17 steps for implementing ISO 22301.
But, let me emphasize the best practice on how the job should be divided between the consultant and the client:
- Project management – as mentioned earlier, this should be the client’s part of the job.
- Who organizes the meetings – since this is part of the project management, again, it’s the client’s job.
- Who performs the interviews – this is normally done by you, because you need the input information for writing the documents.
- Who performs the analysis – again, your job; you have to know why particular controls are needed.
- Writing and reviewing the documents – you should write the documents; however, you should ask the client to actively participate in reviewing them. That way, you will get not only the most appropriate rules, but also the commitment of those employees who will work with you. (See also: Seven steps for implementing policies and procedures.)
- Approving documents – this is obviously the top management’s task.
- Making sure that the policies and procedures are implemented – this is something the client has to do, i.e., their project manager.
Here are two more tips on how to make the implementation more successful:
- First, you should recommend that your client approve and implement the documents one by one, not all at the same time – a couple of times I’ve seen companies approve 20 policies and procedures in the same day, only to find out later that the employees were both puzzled and negative towards such a large number of rules.
- Second, you should organize training and awareness sessions in parallel to publishing the documents – this way, the company will be able to explain to their employees not only how to perform certain security/business continuity activities, but also why they are needed.
Steps after the implementation
At the very end of the project you should deliver a final presentation to the top management – the purpose of such presentation is to show how your contract has been (successfully) fulfilled, and how all the expectations have been met.
And, if you see that the top management is satisfied with what they’ve got for their money, you should ask them for a recommendation – they can do this in a formal way on their company letterhead, but lately the recommendations through LinkedIn have more and more significance.
Of course, it would be nice if you could get some recurring revenue from the clients – therefore, you should offer to perform some jobs that need to be done repeatedly. If they don’t have their own internal auditor, you can act as one; if they need training, you can always jump in; if they need help when the standard changes, you should be there for them. Therefore, be creative and think about what you can offer to get more revenue from past clients.
What to be most careful about
Many things can go wrong in a project like this. But, in my experience, there is one major cause for most unsuccessful projects: lack of top management commitment. If they don’t understand this project well enough, they won’t devote enough money or enough people to it; when the project gets stalled, they won’t have the motivation to eliminate the problem.
So, it is not enough to get a contract with your client – you have to sell the whole idea to their top management even before you start with the implementation.
Click here to see a Consultants White Label Toolkit that will help you with the detailed steps in the implementation project, as well as provide all the required templates.
