Many SMEs face the same situation: a customer asks about ISO 27001 certification, a tender requires information security management, or management wants better control over security risks. A practical question quickly follows: is it better to do the work internally or bring in an external expert, and if the latter, how do you choose the right partner?
A good ISO 27001 consultant does not simply deliver ready-made document templates but helps build a functioning information security management system for your company. This article covers what you should expect from a consultant, how to compare different options, and the practical steps to find the right solution for your business without unnecessary extra work or consultant dependency.
What should you really expect from an ISO 27001 consultant?
ISO 27001 is not just about documents written for audits. The standard guides you in creating a systematic method to identify risks, define responsibilities, manage access rights, handle incidents, and continuously improve operations.
Therefore, a good consultant helps at least with the following:
- defining the scope, i.e., which parts of your business, services, and systems the management system will cover
- conducting a risk assessment that typically identifies 3–10 key risks at the beginning
- selecting appropriate controls rather than just copying the entire standard annex into use
- building practices your company can realistically maintain, for example on a quarterly or monthly basis
- preparing your organization for internal audits and certification audits
So ask yourself: do you just need to finish the project, or do you need a partner who helps make information security part of everyday business? For SMEs, the latter is usually the more valuable option.
Note
ISO 27001 does not mean you have to build everything from scratch. A good consultant uses ready-made models but tailors them to your company's operations so that they withstand both audits and everyday use.
When is a consultant a sensible choice?
Not all companies need a heavy consulting project. If your organization has an experienced information security or quality manager, ISO 27001 can be advanced significantly internally. Still, an external expert often speeds up the work considerably.
Hiring a consultant is usually justified if any of the following apply:
- your goal is certification within 6–12 months
- your own team has not previously carried out an ISO 27001 project
- customers require rapid proof of information security management
- you want to avoid a situation where documentation is done once, but practices don’t stick
- internal resources are limited to only 2–4 hours per week
A practical example: in a 40-person software company, the CTO can dedicate only one afternoon per week to the project. An experienced consultant can easily save dozens of work hours per month by preventing delays caused by questions of interpretation or document structure.
Use these criteria to compare consultants
Not all ISO 27001 consultants offer the same service, even if their pitches sound similar. One may focus on delivering the certification project, another brings in a continuous maintenance model, and a third mainly sells consulting days.
Make your comparison based on at least the following criteria:
| Criterion | What to ask | Good sign | Risk sign |
|---|---|---|---|
| Experience | How many ISO 27001 projects have you completed? | Clear number, industry-specific examples | Vague, general answers |
| Approach | What do you actually do during the first 30 days? | Concrete phased plan and responsibilities | Unclear "starting with a survey" |
| Documentation | Do we get editable documents for our own use? | Yes, ownership stays with client | Materials remain in consultant’s system |
| Resource Needs | How much time do you need from us weekly? | Realistic estimate, e.g. 2–3 h/week | Unable to estimate |
| Audit Preparedness | Do you train for internal audits and certification? | Yes, including practice and checklists | Support ends at document delivery |
| Continuous Maintenance | How is the management system maintained after the project? | Clear annual schedule and follow-up model | No model for ongoing work |
| Pricing | What does the fixed price include and exclude? | Clear scopes and extra work explained | Day rate without overall estimate |
Always request quotes in the same format. If one provider offers a fixed project and another only hourly work without scope, you cannot compare fairly.
Cheap or good? How to assess price correctly
Consulting prices for ISO 27001 can vary widely. For SMEs, costs often range from a few thousand euros up to €15,000–30,000, depending on scope, starting point, and whether software, training, or audit support is included.
However, the lowest price does not reveal the total cost. A cheap project can become expensive if:
- your internal team must spend an extra 50–100 hours fixing missing elements
- documents do not reflect actual operations
- many nonconformities appear during certification audits
- maintenance is left entirely to you after the project ends
Consider the price through these three questions:
- what will be completed by the end of this project?
- how much of our own time does the project require?
- will we also have a workable model for the next 12 months?
Warning
A common mistake is choosing a consultant who promises certification readiness exceptionally quickly without proper risk assessment and practice implementation. This often shows during audits as gaps in evidence, responsibilities, and follow-up.
Software or traditional consulting?
Many companies today compare two models: traditional consulting or a combination of software with expert support. This is an important distinction because ISO 27001 does not end at certification; the management system must also be maintained.
In the traditional model, you typically get expert time and documents. In the software-based model, you also get a structure where risks, controls, incidents, audits, and the annual cycle live on.
| Model | Best suited for | Advantage | Challenge |
|---|---|---|---|
| Traditional consulting | Companies with a strong internal owner | Flexible expert work | Maintenance can become fragmented |
| Software + expert support | SMEs wanting a continuous model | Work stays in one place | Requires commitment to a shared operating model |
| Fully internal implementation | Organizations with existing ISO expertise | Lower external cost | Slower progress and greater interpretation risk |
Tietoturvapankki is designed exactly for this gap: you get an application and expert support so your work doesn’t remain disjointed files or depend on a single consultant’s memory. The same approach is reflected in solutions by Softapankki Oy and QMClouds Oy as well as in the Laatupankki brand for quality management, where ISO 9001 systems are implemented in a controlled manner.
Ask these 10 questions before deciding
A good quotation meeting is not a sales pitch but a clarifying discussion. The better you ask, the easier it is to distinguish an experienced partner from a generic provider.
At least cover these questions:
- What concrete activities happen during the first 2 weeks of the project?
- Who will actually do the work, a senior consultant or a junior team?
- How many similar SME projects have you completed in the past 24 months?
- How is the risk assessment conducted in practice?
- What documents and evidence must we produce ourselves?
- How much time is needed from our management monthly?
- How are access rights, supplier risks, and incident handling managed?
- Is internal audit or its preparation included in the price?
- How do you support us in correcting observations from the certification audit?
- What happens during the following 12 months after the project?
If answers are vague, that is already a signal. A good consultant can describe their work step by step.
Define your goal before comparing providers
First, write down why you are seeking ISO 27001 support: is the goal certification, a customer requirement, improving risk management, or all of these? At the same time, define a preliminary scope and target schedule, e.g., certification readiness in 9 months. This lets you obtain comparable offers and avoid buying services that are too broad or too light.
Request quotes from 3–4 providers with the same question framework
Send every provider the same background information: number of personnel, industry, current practices, goal, and desired timeline. Ask for at least the project phases, estimated workload, division of responsibilities, total price, and what is excluded. When the format is consistent, differences become clear immediately.
Evaluate the approach in a demo, not just expertise
Book a 45–60 minute meeting where the provider shows how the project progresses in practice. Request examples of a risk register, action list, management review, and audit preparation. If the demo stays theoretical without a concrete model, the daily implementation may be equally unclear.
Check ownership and continuity before signing
Ensure that documents, risk data, and management system contents remain under your company’s control even after the collaboration ends. Agree on maintenance rhythm, e.g., a risk review quarterly, management review 1–2 times per year, and access removals within 24 hours of employment termination. This makes the project a permanent way of working.
Common mistakes when choosing a consultant
Most failures don’t result from an incompetent consultant. They come from unclear expectations, unclear responsibilities, and a lack of practical follow-through.
Avoid especially these errors:
- choosing only by price
- assuming the consultant handles everything without management involvement
- leaving post-project maintenance unsettled
- accepting generic documents without company-specific customization
- forgetting to check who actually does the work
A practical rule of thumb: if the provider can’t present a plan for the first 90 days, they probably cannot lead the project to a controlled finish.
How to quickly spot a good partner?
A good ISO 27001 consultant makes complicated matters clear. They don’t hide behind the standard but know exactly what you need to do next week, next month, and before the audit.
You can often recognize a good partner by these signs:
- they talk about business goals, not just clauses of the standard
- they can limit the scope and don’t propose everything for everyone
- they clearly explain what you must do yourself
- they show a model for continuous maintenance
- they are brave enough to say what should not be done yet
Tip
Ask the provider to describe the project progression week-by-week for weeks 1–12 on one page. This quickly reveals if it’s the right delivery model or just a generic consulting promise.
Summary
- Choose an ISO 27001 consultant based on how well they help build a working management system, not just audit documents.
- Compare providers with the same questions and request phased plans, responsibilities, workload, and total price.
- Always check how risk assessment, internal audit, and post-project maintenance are practically carried out.
- The cheapest option is not the most economical if your team spends excessive additional time or if there are nonconformities in audits.
- The best partner makes information security continuous and tailored to your company—not consultant-dependent.