ISO implementation: Pros and cons of using software vs. consultants

The modern era provides us with an abundance of options to perform any task or project. The question of how to do something is replaced with the question of how to do it in the most efficient way. The same goes for implementation of an Information Security Management System (ISMS) according to ISO 27001.

If you are implementing an ISO 27001 ISMS, you are probably puzzled over the approach you should take, and a consultant is usually the first option that comes to mind. But, is this option really the best for you? Learn more about choosing a consultant for ISO 27001 implementation and the alternatives in this article.

What help do you need in the implementation?

Regardless of the reason for the ISO 27001 implementation, whether it comes from customers, regulatory bodies, or the organization itself, the first questions are always where to start and what needs to be done. This is especially difficult for organizations that are implementing the standard for the first time and don’t have a clue what the standard is, how the implementation will affect the organization, what the implementation should look like, and what the outcome should be – other than the certificate, of course.

  • The first problem organizations face is clarifying the requirements. The standard's requirements can seem vague about what needs to be done and to what extent. Badly understood requirements can lead to piles of documentation that miss the entire point of the requirement.
  • The second problem is how to implement the requirements. This is the most important part. Organizations need help with establishing new processes or changing existing ones, developing procedures and records, performing certain standard-related activities, etc. For example, it is not enough to understand that you need to write a procedure – you need to know what information the procedure must contain, and how to write it in a way that is most useful to its users.
  • In addition, there is also the problem of managing the project and meeting the deadlines. Implementation projects often get stuck, simply because people always find something more urgent to do, so keeping the project on the right track is very often a challenge.
  • Finally, there is the problem of maintaining the system and making it work. The implementation means nothing if the organization does not apply the policies and procedures, and does not perform the processes as defined during the implementation. Having the standard just on paper is the worst-case scenario for any organization. It doesn’t matter if you have the certificate or not – if you implemented the standard only to get a piece of paper saying you did it, you wasted time and money on a worthless implementation and certification.

Consultant for ISO 27001 implementation vs. software solutions

Now let’s examine how the problems mentioned above are solved by consultants and software solutions.

Clarification of requirements and know-how ‑ This is a field where consultants have the upper hand. Given their experience with the standard and with implementation projects across various industries, they appear to be a much better option than any software. However, software can match this if it comes with comprehensive online support that helps the organization with both technical and expert issues. Such support can be extremely helpful, because you have access to expert insight any time you need it, and only when you need it.

Implementation and project management ‑ It appears at first sight that this will go much more smoothly with a consultant for ISO 27001 implementation than with the software. But there is a catch. If you let the consultant do everything for you, the implementation will be faster – but, at the end of the day, the employees who need to maintain the system won’t have a clue as to what they need to do, and the system will exist only on paper.

Maintenance of the management system ‑ To get the benefits of the ISO 27001 implementation, the organization needs to run the system and make it work. The ability to maintain the system depends heavily on the amount of knowledge the organization gathered during the implementation. If everything was done by the consultant, you will need to hire the consultant again from time to time to keep your system operational; this is a clear sign that the standard wasn't implemented properly, and it is a costly solution. Software solutions require more effort from your own people, but this effort pays off.

Where does Conformio fit in?

The Conformio platform offers solutions for all three aspects of the implementation.

The good thing about Conformio is that it is supported heavily by Advisera’s Academy specialized in ISO 27001. All resources, such as articles, white papers, webinars, books, and online courses, are linked to Conformio and easily available, so whenever you have problems or want to find out more, you are always sure to find the information you need and get the proper expert support.

Figure 1. Links to articles and relevant materials in ISO 27001 Compliance Procedure

In Conformio, implementation is resolved through: 1) templates covering the mandatory, and the most commonly used, documents, each one almost 80% filled in, requiring only that you add the specifics of your organization; 2) step-by-step guides that navigate you through the entire project, providing information on the necessary tasks and activities, together with guidance on how to perform them. For more information, see: How to use an online tool for managing tasks, files, and communication for ISO implementation projects.

Figure 2. ISO 27001 Compliance Procedure in Conformio

While implementing the standard, you will be configuring the Conformio platform according to your needs and making it appropriate for the maintenance of your management system. Conformio’s advanced Document Management System enables your organization to keep track of your documentation in compliance with the standard.

For more information, see: What kind of Document Management System (DMS) do you need for handling ISO documents?

Figure 3. Document management

The built-in Responsibility Matrix, created with information provided during the creation of applicable policies and procedures, can help you not only to schedule periodic management system-related activities (e.g., risk assessment, processes, performance monitoring and measurement, internal audit, and management review), but also get a comprehensive view of your organization’s ISMS roles and responsibilities.

Figure 4. Responsibility Matrix in Conformio

The specific ISO 27001-related modules, covering risk, incidents, audit, and nonconformity management, enable your organization to centralize the management of core aspects of information security, ensuring that all relevant people are informed and notified, and that all information reaches the right people to take the required actions. For more information, see: Collaboration platform for ISO implementation projects – How to replace a bunch of emails.

Figure 5. Incidents Register in Conformio

Finally, there are ISO 27001-specific modules that enable you to record and manage information security incidents, nonconformities, and corrective actions.

Which approach is better?

There is no single answer to this question, and it will depend on the needs of the organization. Consultants for ISO 27001 implementation provide a human touch to the project, but software solutions can help you set the management system properly in a more cost-effective way and ensure that the maintenance of the system is streamlined.

Conformio offers free access to Conformio wizards, allowing you to start work and have real progress towards your ISO 27001 compliance even before you make any decision about purchase.


Rhand Leal

Rhand Leal has more than 15 years of experience in information security, and for six years he continuously maintained a certified Information Security Management System based on ISO 27001. Rhand holds an MBA in Business Management from Fundação Getúlio Vargas. Among his certifications are: ISO 27001 Lead Auditor, ISO 9001 Lead Auditor, Certified Information Security Manager (CISM), Certified Information Systems Security Professional (CISSP), and others. He is a member of the ISACA Brasília Chapter.