A forum user recently posted the following question: “Can anyone recommend a company for the ISO 27000 series registration? There is a lot of information out there but I don’t know what to look out for.”
At IT Governance, we find that first-timers to ISO 27001 (and often the world of ISO standards) are regularly faced with this problem when sourcing a new consultancy.
The advice we offer our clients is to always take a careful look at a few different providers rather than going with a consultancy purely on the perceived price or other sweeteners being offered.
- Experience is key
With the global surge in demand for ISO 27001 registrations (registrations are growing at 14% a year), many companies have positioned themselves as experts. Without a doubt, experience is one of the major factors to consider when implementing an information security management system (ISMS). A consultancy with a respectable list of clients, case studies, and testimonials is always a good start.
- Supports independent registration
Another essential criterion is to find a provider that is principled about ‘independent registration’; in other words, a consultancy that is not affiliated to one registrar only. In our many years of ISO 27001 certifications, we are proud of our long-standing associations with a range of leading registrars to which we can confidently refer our clients, which has the added advantage of giving our clients the freedom to choose the registrar of their choice.
- Encourages accredited registration
A consultancy must be in a position to assist you right up to accredited registration, including providing assistance during the registration audit where necessary. I emphasise the ‘accredited’ part because some registrars offer unaccredited registration, which means that it is not recognised by ISO – another aspect to be aware of.
- Competent professionals
Clause 7.2 of ISO/IEC 27001:2013 highlights the importance of having the right level of competence, either internally or with assistance, to achieve the requirements of the Standard. A way of establishing whether the provider has the right level of expertise is to ask for evidence that their consultants possess the relevant implementation and audit qualifications. We advise that the consultancy team should hold both ISO 27001 Lead Implementer and Lead Auditor expertise.
- Proficient at interpreting and translating risks
An understanding of the current and evolving threat landscape is a critical part of the consultant’s skillset. If your consultant is able to translate these risks into real business terms, you will not only be well aware of the real risks your business faces, but you will also be in a much better position to develop a solid business case and secure the right budget for your implementation project.
- Not only focused on documentation
Avoid using consultancies that are mainly focused on delivering the documentation. Although documentation (policies and procedures) is an important part of an effective information security management system (and your consultant should be able to undertake this as part of your implementation project), implementing the Standard is much more involved than just writing up a set of policies and procedures.
Consultancies that are vendor-neutral and allow you the flexibility of using your own risk solution is an essential aspect to consider. The consultants should be prepared to work with your own software in assessing and advising you on your risk management framework.
- Knowledge transfer
An important and often overlooked role of the consultant is to provide the client with the appropriate knowledge to manage and maintain the ISMS beyond registration. In this way, your team is empowered to comply with the continual improvement aspects of ISO 27001:2013 and will be in a position to meet the audit requirements during the interim surveillance visits undertaken by your auditor.
- Integration with other management standards
A consultancy with experience of implementing a range of management standards – one that is not only limited to ISO 27001 – will be useful if you are planning to integrate your ISMS with other standards such as ISO 9001 or ISO 22301.
- A gap analysis that goes beyond pointing out the gaps
If you are new to ISO 27001, you may want to request a gap analysis or ‘health check’ as a starting point. This will offer you the opportunity to understand how your current information security regime stacks up against the requirements of the Standard.
The consultant should be able to offer you a prioritized roadmap with recommended activities that you should undertake, including an estimated budget to achieve registration, before you need to commit to that provider.
A key difference between using a consultancy and a registrar is that the registrar, as an independent entity that delivers the internal ISMS audit for registration, is not permitted to provide consultancy advice and guidance to enable its clients to close any ‘gaps’ identified during the gap analysis.
Having led ISO 27001 implementations since the inception of the Standard (our directors led the world’s first ISO 27001 implementation), IT Governance’s strong global cybersecurity presence gives us the knowledge and insight to provide valuable advice, tailored to meet any organization’s specific needs or budget. We have successfully helped over 150 companies achieve ISO 27001 registration, proving their compliance with one of the world’s most demanding management system standards.