• (0)

    ISO 27001 & ISO 22301 Blog

    Do you really need a consultant for ISO 27001 / BS 25999 implementation?

    I’ve met quite a few companies considering how to start their ISO 27001 / BS 25999 project, with quite different approaches – some are convinced they can do it completely on their own (with no prior ISO 27001 knowledge), while others thought they can do it with the help of a consultant only.

    They are both wrong.

    Road map for ISO 27001 / BS 25999 implementation

    There is one thing you definitely need for the implementation – knowledge. By knowledge I mean the know-how of the implementation process, so that you don’t get stuck and waste time on irrelevant issues, while forgetting the important ones. What you need are the guidelines for implementation, as well as knowledge on how to implement all the pieces of the puzzle.

    This is why it isn’t possible to implement these standards with just your existing knowledge base, and it is very rare to find companies who already have experienced ISO 27001 / BS 25999 implementers.

    Of course, one way to get around this is to hire a consultant. But this is not the only way – I’ll address that later.

    Hiring an ISO 27001 / BS 25999 consultant – pro’s and con’s

    The biggest benefit of a consultant is that he/she is going to get you through the implementation process much quicker than if you did it on your own (provided that the consultant has sufficient knowledge). A consultant should provide you with tips & tricks for each step in the implementation process, check the documentation, train your employees, etc. He/she could also run interviews with your employees, write the documentation, and process the results (e.g. during risk assessment).

    A major drawback of hiring a consultant is that most small (but also medium-sized) organizations cannot afford one – consultants tend to charge large fees and cannot guarantee the successful implementation. Besides, the more work is done by a consultant, the less will be done by your employees, therefore less knowledge and skills will be passed on to your organization.

    Then there is also the issue of confidentiality – the consultant will learn everything you do from the inside (including your vulnerabilities and controls that are in place), so if you didn’t check this person thoroughly, he/she could become quite a significant threat.

    Finally, there is the question of quality – too many times I met “experts” who claimed they implemented these standards many times, but didn’t know e.g. how to run the risk assessment; or what is the purpose of business impact analysis.

    Implementation without a consultant

    Consultants are not the only source of knowledge – you can also choose the option to implement the standards with your employees by providing them appropriate training and support.

    Here are some ideas on how to obtain the knowledge:

    • Send your employees to trainings – read How to learn about ISO 27001 and BS 25999-2 for more info
    • Get the best practices through documentation templates
    • Purchase the literature – there are various books and other publications available on the Internet

    If you start implementing the standards on your own, it is probably going to take longer than if you did it with a consultant. But, it is going to be cheaper, and most probably your employees will learn better what certification entails, and what their responsibilities will be – because they will be forced to consider every step very carefully.

    So, the answer to the initial question is: no – a consultant is not mandatory for your implementation (although quite often it is the best solution). However, the implementation knowledge is mandatory – without it, don’t expect to finish your ISO 27001 / BS 25999 project soon, if at all.

    See this free white paper for more details: Implementing ISO 27001 with a consultant vs. DIY approach.

    Advisera Dejan Kosutic
    Dejan Kosutic
    Dejan holds a number of certifications, including Certified Management Consultant, ISO 27001 Lead Auditor, ISO 9001 Lead Auditor, and Associate Business Continuity Professional. Dejan leads our team in managing several websites that specialize in supporting ISO and IT professionals in their understanding and successful implementation of top international standards. Dejan earned his MBA from Henley Management College, and has extensive experience in investment, insurance, and banking. He is renowned for his expertise in international standards for business continuity and information security – ISO 22301 & ISO 27001 – and for authoring several related web tutorials, documentation toolkits, and books.