If you’re considering the implementation of ISO 27001, ISO 9001, ISO 14001, ISO 20000, or any other ISO management standard, you’re probably overwhelmed with various approaches on how to start and finish such project successfully.
In my opinion, there are three basic options to implement these standards: (1) do it completely using your own employees, (2) use a consultant, or (3) (somewhat in the middle) implement the standard with a Do-It-Yourself approach – but taking advantage of external know-how.
But, not all of these approaches are applicable to everyone – here’s an explanation of each of these options, and who can benefit the most.
1) Implementing the standard using your own employees
This is when you decide to implement the standard without any external help, using only the knowledge and the capacity of your own employees. In this option, your employees are doing all the analysis, performing all the interviews, writing the documentation, etc.
Pros. This is probably the cheapest option because you’re not paying for some external service; you’re also not allowing anyone from the outside to learn anything about your internal processes or documentation; finally, writing your own documentation increases the commitment of your employees towards the required changes.
Cons. This is probably the slowest option because you’re doing everything on your own; if your employees are not experienced or skilled enough, this could prove to be the most expensive option because of the mistakes they could make.
2) Using a consultant
In this option you hire an expert from outside (usually this is a local consultant) who has experience with the implementation of the standard – this person then performs the analysis of your company, does the interviews, writes the documentation, and everything else – basically, he is implementing the whole standard on your behalf.
Pros. This is definitely the quickest way to implement the standard – if you hire a good consultant, he or she will have lots of experience, and will know how to organize the project to finish it quickly; this is also the best way if your employees have no time whatsoever to dedicate to this project.
Cons. Consultants obviously cost money, so this is the most expensive option; further, you are opening access to almost all of your company secrets (e.g., how the company is organized, its main processes and key competitive advantages, who the most important people are, etc.) to an outsider; finally, when someone from outside is writing the documentation, the employees might feel those policies and procedures are imposed on them, so often they look for ways to bypass them.
This article may also help you: 5 criteria for choosing an ISO 22301 / ISO 27001 consultant.
3) Implementing the standard with a DIY approach and using external know-how
This option became very popular in the last couple of years, and is basically something in between the first two options. This is where your employees are doing the whole implementation, but they get the complete know-how, documentation, and support from an external party. (Please note: this is what we in Advisera are specialized in.)
Pros. This option is not as expensive as consultants, and yet you get all the necessary know-how and support; further, you do not open access to your confidential information to anyone from the outside. Also, since your employees are writing the documentation, their commitment to following the new rules will probably be much higher.
Cons. Your employees will still need to learn about the implementation, so this is not the quickest way to implement the standard; also, this option does not resolve the problem if your employees are completely overwhelmed with other projects and have absolutely no time for anything new.
See also this article: When to use tools for ISO 27001/ISO 22301 and when to avoid them.
So, which option to choose?
You should implement the standard using your own employees if you have employees who already have experience in the implementation, if you have some very confidential data, and if your budget is very low.
On the other hand, if you’re in a hurry, and are not afraid that some company secrets might be exposed, then you should use a consultant. Of course, you’ll need a good budget for this option.
Finally, choose the Do-It-Yourself implementation option if you want your employees to learn how it’s done, if you are not in too much of a hurry, and if your project manager can dedicate a couple of hours per day for this project. And, of course, if your budget is not too high.
Check out Conformio compliance software to help you complete the implementation of the ISO standard.
Dejan holds a number of certifications, including Certified Management Consultant, ISO 27001 Lead Auditor, ISO 9001 Lead Auditor, and Associate Business Continuity Professional. Dejan leads our team in managing several websites that specialize in supporting ISO and IT professionals in their understanding and successful implementation of top international standards. Dejan earned his MBA from Henley Management College, and has extensive experience in investment, insurance, and banking. He is renowned for his expertise in international standards for business continuity and information security – ISO 22301 & ISO 27001 – and for authoring several related online tutorials, documentation toolkits, and books.