Last Updated on November 25, 2019
Successfully achieving ISO 27001 certification for your IT systems can be relatively simple with proper due diligence, and sufficient preparation and planning. Part of this preparation should be selecting a qualified ISO 27001 consulting firm, which in and of itself, requires preparation and planning as well.
The “right” ISO-27001 consulting firm to partner with to successfully prepare your system for ISO 27001 certification will vary based on your particular business drivers, market niche, and industry. Over the last 6 years we have found that the following six factors are important to selecting an ISO 27001 consultant to support your firm:
What else are you trying to accomplish for your business that relates to ISO 27001 certification? There’s usually more to it than just “getting certified.” Are you considering SOC2/FedRAMP certification in the future? Looking to eventually get a better handle on Business Continuity? Want to someday move your Information Security Management System (ISMS) to a different platform?
Advancing these related objectives now can save you time, effort and money later. Also, once you clearly understand your objectives for the engagement, it becomes easier to determine whether a consulting firm’s approach, expertise and services match up with your needs.
The big issue here is to evaluate not just the firm as a whole, but also the individual consultants you’d be working with. Is Information Assurance (IA) their primary focus, or a sideline? Do they offer complementary services, like network/application penetration testing or SOC2 certification, as well? Have they worked much in your industry? (That’s a biggie…) Have they worked with deployment scenarios like yours (SaaS, managed hosting, on-premise, etc.)? How experienced are their consultants in providing ISO 27001 services specifically? Do they have certifications to prove they’re experienced? And does the firm have strong references you can call—and whose opinions you trust?
Notwithstanding the point made above about the relative importance of cost versus business- and time-criticality, a vendor’s approach can have significant impacts on total cost (and predictability of cost) for ISO 27001 certification. Is work done on a time-and-materials basis or at a fixed price? Are payments “front-loaded,” putting you at risk if the relationship doesn’t work out? And are the firm’s services—and your successful certification—“guaranteed”?
While cost is always an important factor; be sure to “contextualize” the cost to your specific situation. If you’re sure to lose a $10 million contract if your SAAS service is not certified ISO 27001 compliant in the next nine months, spending an extra $5,000 on the consulting firm with the greatest expertise and fit with your needs is likely a worthy investment. If ISO-27001 is a “nice to have” not a “need to have” taking a chance with a less expensive consultant is a risk that may be rationalizable.
Does it matter to you whether a consultant is geographically nearby? For some companies that might be really important; for others, virtually irrelevant. And what is “local” in this era of virtual organizations and multinational corporate footprints? But all things being equal, it’s worthwhile to sit across the table from people if you can.
Many ISO 27001 efforts are time-critical and/or time-constrained. If your project is on the fast track, then staffing can be critical. Many ISO 27001 firms use 1099 contractors, not full-time employees, to work with clients. This makes it harder to guarantee that it can exert the staffing control a tight deadline might demand. Similarly, some consultants might assign one person to a project while another might want to put several on the job. Can one person, especially if s/he’s a contractor, do all it takes to meet your deadline? And what if that person becomes ill or moves on? These are important risks to consider.
Six: Cultural “fit”
Ideally, you’ll be working collaboratively with your ISO 27001 consulting firm and its consultant(s). A broad cross-section of your organization (HR, legal, operations, development, etc.) will likely be involved. So it’s important that a consultant’s project approach, communication style and “corporate personality” aligns with your corporate culture. Can they communicate effectively with stakeholders from your data center to your boardroom? Is their approach flexible enough to embrace your staff’s idiosyncrasies?
Want to learn more “insider tips” to help ensure you choose the right ISO 27001 consulting firm? Click here to download Considerations for Choosing an ISO 27001 Consulting Company, a free eGuide from Pivot Point Security that includes a sample RFP and vendor scoring spreadsheet.