ISO 27001/ISO 22301 documents, presentation decks and implementation guidelines


Free_Downloads
 

Have a question on ISO 27001 or ISO 22301?

Ask an Expert
 

Free eBook

Free eBook 9 Steps to Cybersecurity
 
Becoming Resilient: The Definitive Guide to ISO 22301 Implementation
 
Newsletter
 
Sign up for our free Newsletter and as bonus you'll receive my tips on how to launch an information security and business continuity project.
 
 
 
 
 
 
 
    

UPCOMING FREE WEBINAR

    

 
ISO 22301: An overview of BCM implementation process

    

Wednesday
September 10, 2014

    Register_now_green
    
 
 
 

Do you really need a consultant for ISO 27001 / BS 25999 implementation?

'By 'Dejan Kosutic on December 06, 2011

I’ve met quite a few companies considering how to start their ISO 27001 / BS 25999 project, with quite different approaches – some are convinced they can do it completely on their own (with no prior ISO 27001 knowledge), while others thought they can do it with the help of a consultant only.

They are both wrong.

Road map for ISO 27001 / BS 25999 implementation

There is one thing you definitely need for the implementation – knowledge. By knowledge I mean the know-how of the implementation process, so that you don’t get stuck and  waste time on irrelevant issues, while forgetting the important ones. What you need are the guidelines for implementation, as well as knowledge on how to implement all the pieces of the puzzle.

This is why it isn’t possible to implement these standards with just your existing knowledge base, and it is very rare to find companies who already have experienced ISO 27001 / BS 25999 implementers.

Of course, one way to get around this is to hire a consultant. But this is not the only way – I’ll address that later.

Hiring an ISO 27001 / BS 25999 consultant – pro’s and con’s

The biggest benefit of a consultant is that he/she is going to get you through the implementation process much quicker than if you did it on your own (provided that the consultant has sufficient knowledge). A consultant should provide you with tips & tricks for each step in the implementation process, check the documentation, train your employees, etc. He/she could also run interviews with your employees, write the documentation, and process the results (e.g. during risk assessment).

A major drawback of hiring a consultant is that most small (but also medium-sized) organizations cannot afford one – consultants tend to charge large fees and cannot guarantee the successful implementation. Besides, the more work is done by a consultant, the less will be done by your employees, therefore less knowledge and skills will be passed on to your organization.

Then there is also the issue of confidentiality – the consultant will learn everything you do from the inside (including your vulnerabilities and controls that are in place), so if you didn’t check this person thoroughly, he/she could become quite a significant threat.

Finally, there is the question of quality – too many times I met “experts” who claimed they implemented these standards many times, but didn’t know e.g. how to run the risk assessment; or what is the purpose of business impact analysis.

Implementation without a consultant

Consultants are not the only source of knowledge – you can also choose the option to implement the standards with your employees by providing them appropriate training and support.

Here are some ideas on how to obtain the knowledge:

  • Send your employees to trainings – read How to learn about ISO 27001 and BS 25999-2 for more info
  • Get the best practices through documentation templates
  • Purchase the literature – there are various books and other publications available on the Internet

If you start implementing the standards on your own, it is probably going to take longer than if you did it with a consultant. But, it is going to be cheaper, and most probably your employees will learn better what certification entails, and what their responsibilities will be – because they will be forced to consider every step very carefully.

So, the answer to the initial question is: no – a consultant is not mandatory for your implementation (although quite often it is the best solution). However, the implementation knowledge is mandatory – without it, don’t expect to finish your ISO 27001 / BS 25999 project soon, if at all.

You can also check out our online mentoring service called Guidance & Review (commercial service).