Two Big Reasons To Choose Your ISO 27001 Consulting Firm Carefully

June 13, 2018

Last Updated on January 17, 2024

Editor’s Note: This post was originally published in August 2013 and has been updated for accuracy and comprehensiveness.
The other day one of our Lead Implementers was told a very interesting story by an ISO-27001 Lead Auditor who performs certification audits for a number of registrars (certification bodies). The auditor was performing a certification audit; the following story came out during a lunch conversation(details have been altered to protect the innocent):
“I was onsite conducting Stage 2 of the certification audit when I discovered that the client had not done a management review of their ISMS. When I let them know that I would be issuing a major nonconformity, they got very upset and called a well-known ISO 27001 consulting firm that had prepared them. When the consultant realized there was indeed a problem, he hung up and called the registrar I was conducting the certification audit for to plead his case. A few minutes later my cell phone rang and it was the President of the registrar I was working for asking me why I was going to issue a major nonconformity. When I explained that they had no evidence a management review of the ISMS had been conducted, the President simply said, ‘OK, thanks.’ and hung up. I was hopeful that would be the end of the situation. The client continued to insist that since the consultant hadn’t told them they needed to conduct a management review of the ISMS to comply with the standard, they shouldn’t be issued a major nonconformity. I found out later that the client had called the registrar and insisted they send a different auditor (not me) for the follow-up audit.”
It was interesting to us how much this auditor stressed the importance of the implementer’s role in this context. Despite most peoples’ contention that all auditors want to issue findings, he insisted 27001 auditors really don’t want to issue nonconformities… they increase the costs of certification for organizations, consume the registrar’s time and stress the client-registrar relationship. A good implementer reduces the costs and burden associated with nonconformities by preventing them whenever possible and simplifying the corrective action process when they do occur.
At Pivot Point Security, we try to prevent nonconformities by performing a gap assessment in Phase 1, an internal audit and pre-certification audit consultation in Phase 2, and annual internal audits in Phase 3 of our implementation roadmap. We simplify the corrective action process by recommending corrective actions, drafting corrective action plans that will be acceptable to registrars (we have many ISO 27001 Certified Lead Auditors that manage ISO 27001 consulting engagements) and acting as a liaison to reduce any unnecessary back-and-forth between client and registrar.
If you’re thinking about pursuing ISO 27001 certification, there are two potential lessons in the auditor’s story:

More important in many ways than the resume of an ISO 27001 consulting firm are the resumes of the lead implementer and engagement manager for your specific engagement. Many consulting firms hire consultants as contractors rather than employees to reduce their costs for ISO 27001 consulting. At Pivot Point Security, all of our consultants are full-time employees and ISO 27001 Certified Lead Implementers. This is why we have a 100% success rate on certification and surveillance audits with very few nonconformities on our record.
Having your ISO 27001 consultant onsite for the certification audit is usually a good idea if the certificate is business-critical. While no consultant would have been able to resolve a nonconformity of the magnitude described above, it is often possible to minimize nonconformities or address minor nonconformities in near real-time to ensure that your certification effort is successful.

Need answers regarding ISO 27001 certification requirements?

Learn about the audits you will face to achieve and maintain certification, what's involved, and the cost you can expect to pay to achieve and maintain certification.
Download our NEW ISO Certification and Cost Guide now!

Download Now!

What's Next?

To hear this practical, best-practice oriented show with Temi Adebambo

Click Here

Pivot Point is now part of CBIZ. Click Here for more information.

Blog

Two Big Reasons To Choose Your ISO 27001 Consulting Firm Carefully

Need answers regarding ISO 27001 certification requirements?

What's Next?

What do you think? Is Digital Business Risk Management the Future of Attack Surface Management?

Search our Blogs

How Much Does ISO 27001 Certification Cost in 2024?

What is Distributed Ledger Technology (DLT) and How Can It Simplify Privacy Compliance?

Virtual CISOs and Community Banks—Perfect Together

What is Hedera Hashgraph and How Does It Solve Blockchain Privacy Issues?

Data Privacy Compliance in Higher Ed: Now is the Time

What is a TISAX Simplified Group Assessment and Who Can Use It?

CMMC Proposed Rule Changes: What’s Changing and How to Prepare

What is Kubescape and Why Should We (as Cloud-Native Developers) Care?

Container and Kubernetes Security: A Nontechnical Introduction

What is a Container and Why are They So Popular with Developers?

What is the New Jersey Data Privacy Law, and How Can We Streamline Compliance?

The EU AI Act: 9 Top Questions Answered

SOC 2 Reports – Which Trust Services Criteria Do You Need?

6 Key Takeaways from the 2023 SOC Benchmark Study

CMMC Proposed Rule: New Guidance on CMMC Level 3

The New CMMC Proposed Rule—Answers to Your Top 9 Questions

ISO 27001 Accreditation: Why It Matters for Cloud Service Providers

How to Measure the Value of Information Security

2 Principles to Revolutionize Security Awareness Training

What is Cyversity and How Can It Improve Diversity on My Cybersecurity Team?

How can we help you?

Services

Compliance

Insights

Pivot Point Security