{"id":4709,"date":"2011-12-06T12:09:54","date_gmt":"2011-12-06T12:09:54","guid":{"rendered":"https:\/\/multiacademstg.wpengine.com\/27001academy\/blog\/011\/12\/06\/do-you-really-need-a-consultant-for-iso-27001-bs-25999-implementation\/"},"modified":"2024-12-21T16:17:59","modified_gmt":"2024-12-21T16:17:59","slug":"do-you-really-need-a-consultant-for-iso-27001-bs-25999-implementation","status":"publish","type":"post","link":"https:\/\/advisera.com\/27001academy\/blog\/2011\/12\/06\/do-you-really-need-a-consultant-for-iso-27001-bs-25999-implementation\/","title":{"rendered":"Do you really need a consultant for ISO 27001 \/ BS 25999 implementation?"},"content":{"rendered":"<p>I&#8217;ve met quite a few companies considering how to start their <a href=\"\/27001academy\/what-is-iso-27001\/\" target=\"_blank\" rel=\"noopener noreferrer\">ISO 27001<\/a> \/ <a href=\"https:\/\/advisera.com\/27001academy\/what-is-bs-25999\/\" target=\"_blank\" rel=\"noopener noreferrer\">BS 25999<\/a> project, with quite different approaches \u2013 some are convinced they can do it completely on their own (with no prior ISO 27001 knowledge), while others thought they can do it with the help of a consultant only.<\/p>\n<p>They are both wrong.<\/p>\n<h2 style=\"padding-top: 10px; padding-bottom: 10px;\">Road map for ISO 27001 \/ BS 25999 implementation<\/h2>\n<p>There is one thing you definitely need for the implementation \u2013 knowledge. By knowledge I mean the know-how of the implementation process, so that you don&#8217;t get stuck and waste time on irrelevant issues, while forgetting the important ones. 
What you need are the guidelines for implementation, as well as knowledge on how to implement all the pieces of the puzzle.<\/p>\n<p>This is why it isn&#8217;t possible to implement these standards with just your existing knowledge base, and it is very rare to find companies who already have experienced ISO 27001 \/ BS 25999 implementers.<\/p>\n<p>Of course, one way to get around this is to hire a consultant. But this is not the only way \u2013 I&#8217;ll address that later.<\/p>\n<h2 style=\"padding-top: 10px; padding-bottom: 10px;\">Hiring an ISO 27001 \/ BS 25999 consultant \u2013 pros and cons<\/h2>\n<p>The biggest benefit of a consultant is that he\/she is going to get you through the implementation process much quicker than if you did it on your own (provided that the consultant has sufficient knowledge). A consultant should provide you with tips &amp; tricks for each step in the implementation process, check the documentation, train your employees, etc. He\/she could also run interviews with your employees, write the documentation, and process the results (e.g. during risk assessment).<\/p>\n<p>A major drawback of hiring a consultant is that most small (but also medium-sized) organizations cannot afford one \u2013 consultants tend to charge large fees and cannot guarantee the successful implementation. 
Besides, the more work is done by a consultant, the less will be done by your employees, and therefore less knowledge and skill will be passed on to your organization.<\/p>\n<p>Then there is also the issue of confidentiality \u2013 the consultant will learn everything you do from the inside (including your vulnerabilities and the controls that are in place), so if you haven&#8217;t checked this person thoroughly, he\/she could become quite a significant threat.<\/p>\n<p>Finally, there is the question of quality \u2013 too many times I have met &#8220;experts&#8221; who claimed they had implemented these standards many times, but didn&#8217;t know, e.g., how to run a risk assessment, or what the purpose of a business impact analysis is.<\/p>\n<h2 style=\"padding-top: 10px; padding-bottom: 10px;\">Implementation without a consultant<\/h2>\n<p>Consultants are not the only source of knowledge \u2013 you can also choose to implement the standards with your employees by providing them with appropriate training and support.<\/p>\n<p>Here are some ideas on how to obtain the knowledge:<\/p>\n<ul>\n<li><strong>Send your employees to training courses<\/strong> \u2013 read <a href=\"https:\/\/advisera.com\/27001academy\/blog\/2010\/11\/30\/how-to-learn-about-iso-27001-and-bs-25999-2\/\">How to learn about ISO 27001 and BS 25999-2<\/a> for more info<\/li>\n<li>Get the best practices through <strong>documentation templates<\/strong><\/li>\n<li><strong>Purchase the literature<\/strong> \u2013 there are various books and other publications available on the Internet<\/li>\n<\/ul>\n<p>If you start implementing the standards on your own, it is probably going to take longer than if you did it with a consultant. 
But, it is going to be cheaper, and most probably your employees will learn better what certification entails, and what their responsibilities will be \u2013 because they will be forced to consider every step very carefully.<\/p>\n<p>So, the answer to the initial question is: no \u2013 a consultant is not mandatory for your implementation (although quite often it is the best solution). However, the implementation knowledge <em>is <\/em>mandatory \u2013 without it, don&#8217;t expect to finish your ISO 27001 \/ BS 25999 project soon, if at all.<\/p>\n<p><em>To implement ISO 27001 &amp; ISO 22301 easily and efficiently, use our <\/em><a href=\"https:\/\/advisera.com\/27001academy\/iso-27001-22301-premium-documentation-toolkit\/\" target=\"_blank\" rel=\"noopener\">ISO 27001 &amp; ISO 22301 Premium Documentation Toolkit<\/a><em> that provides step-by-step guidance and all documents for full ISO 27001 &amp; ISO 22301 compliance.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>I&#8217;ve met quite a few companies considering how to start their ISO 27001 \/ BS 25999 project, with quite different approaches \u2013 some are convinced they can do it completely on their own (with no prior ISO 27001 knowledge), while others thought they can do it with the help of a consultant only. 
They are &#8230;<\/p>\n","protected":false},"author":26,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[136,381,474,611],"class_list":["post-4709","post","type-post","status-publish","format-standard","hentry","category-blog","tag-consulting","tag-iso-27001","tag-training-awareness","tag-bs-25999-2"],"acf":[],"_links":{"self":[{"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/4709","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/users\/26"}],"replies":[{"embeddable":true,"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/comments?post=4709"}],"version-history":[{"count":2,"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/4709\/revisions"}],"predecessor-version":[{"id":104294,"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/4709\/revisions\/104294"}],"wp:attachment":[{"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/media?parent=4709"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/categories?post=4709"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/advisera.com\/27001academy\/wp-json\/wp\/v2\/tags?post=4709"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}