ISO 27001 Consultancy: The Ultimate Guide

Home / ISO 27001 / ISO 27001 Consultancy: The Ultimate Guide

Not hired an ISO 27001 Consultant yet? Oh sh*t, you’re screwed! 

I jest.

If you’re a small business and you handle data, getting ISO 27001 certification is probably up there on your to-do list. Who doesn’t want to impress clients and win bigger business, right?

So, you might’ve started researching hiring a consultant to do the job for you… Before you go any further, read this blog. You’ll be glad you did.

I’m Stuart Barker: The ISO 27001 Ninja and Founder of High Table – the fastest growing ISO 27001 company, globally. I’ve been in your shoes, and I’m about making ISO 27001 accessible to everyone. Ready for some life-changing information?


Want to know everything there is to know about hiring an ISO 27001 Consultant (including the stuff the industry doesn’t want you to know)? Keep reading.

In this article, we’ll tackle ISO 27001 Consultancy Services. We’ll explore what an ISO 27001 Consultant is, the benefits of hiring one, how much it’ll cost you, and whether you really need one.

And don’t worry, we’ll cut to the chase. We’re not a faceless ISMS platform bursting with complicated jargon you don’t understand, with about as much personality as a pencil.

We’re the ISO 27001 people, here to support small businesses like yours in the information security space. We’re honest experts, and we’ll tell you how it really is – good or bad. We simplify ISO 27001 and all of the topics surrounding it, giving you a human, user-friendly experience like no other.

We’re your trusted ISO 27001 resource, so dip in and out as you wish, friend! Don’t know where to start when it comes to ISO 27001 Consultancy? You’ve come to the right place.

What is ISO 27001?

ISO 27001 is the leading international standard for information security. In simple terms, it’s a set of guidelines and best practices required to create and maintain an effective information security management system (ISMS).

What is an Information Security Management System (ISMS)?

An ISMS is a framework of policies, procedures and controls designed to monitor and protect your organisation’s sensitive data.

By implementing an ISMS, you can better protect your information and assets from cyber threats, data breaches, and other security risks.

What is ISO 27001 Certification?

You can’t reach ISO-maestro status without your certificate. ISO 27001 certification is an independent verification that confirms that your organisation’s ISMS aligns with the ISO 27001 standard.

 An accredited certification body conducts an audit of your organisation’s ISMS. Here, they check whether the correct risk assessments, policies and controls are being implemented and developed. If all requirements are met, your ISO 27001 accreditation is issued and your organisation is all set to impress.

By achieving certification, existing and potential clients, partners and stakeholders can see that you are committed to continual improvement by implementing an ISMS that adheres to global best practices.

Who needs ISO 27001 Certification?

Do you handle confidential information, financial data or intellectual property? Then you need to get certified. Big or small, when it comes to ISO 27001 certification, the size of your company doesn’t matter. You could be a one-man-band trying to win a meaty client, or a brand-new start up eager to bid for a lucrative tender, whatever your situation – clients and stakeholders need assurance that their information is safe.

Most organisations expect their suppliers to be ISO 27001 certified, so, if you’re not, the end is nigh. ISO 27001 certification is your information security badge of honour. Without it, you’re missing your chance to showcase your commitment to protecting your clients’ information, and are more likely to lose new business to a certified competitor.

What are ISO 27001 Consultancy Services?

ISO 27001 consultancy services are a collection of professional services offered by consultants to support companies to implement, maintain, and achieve certification for the ISO 27001 standard. These services are designed to aid organisations to effectively manage their information security risks and ensure compliance with the ISO 27001 framework.

What is an ISO 27001 Consultant?

An ISO 27001 Consultant is a professional who’s brought into an organisation specifically to implement ISO 27001 and get it ready for accreditation.

What will an ISO 27001 Consultant do for my business?

Here are some of the key activities a consultant should perform:

  1. Gap Analysis: Consultants should assess the company’s current information security practices and measure them against the requirements of ISO 27001. This analysis identifies gaps and areas that need improvement.
  2. Risk Assessment: Consultants should work with companies to conduct in-depth risk assessments to uncover and evaluate potential threats and weaknesses. This determines the likelihood and impact of security incidents, and pinpoints vulnerabilities that must be addressed.
  3. Development of Policies and Procedures: Consultants should assist in creating and updating information security policies and procedures that align with ISO 27001 criteria. They ensure these policies are tailored to the company’s specific needs and supply clear instructions for managing information security.
  4. Controls Implementation: Consultants should advise organisations on how to implement the relevant security controls specified in ISO 27001. The aim is to support with creating and implementing technical, operational, and managerial controls to tackle identified risks and protect information assets.
  5. Training and Awareness: Consultants should offer training programs designed to educate employees about information security best practices, policies, and procedures. The purpose of this is to raise awareness of security risks, promote a security-conscious culture, and ensure that employees understand their roles and responsibilities.
  6. Internal Auditing: Consultants should counsel organisations to carry out internal audits of their ISMS. This includes verifying compliance with ISO 27001 requirements, spotting discrepancies, and providing recommendations for improvement.
  7. Certification Preparation: Consultants should show organisations how to prepare for ISO 27001 certification. This incorporates the development of mandatory documentation, establishing processes, and ensuring the company’s readiness for the certification audit.
  8. Continuous Improvement: Consultants should set up processes to enable constant monitoring, evaluation, and improvement of the organisation’s ISMS. Theis should give guidance on maintaining compliance with ISO 27001 and adapting the system to confront evolving risks and changes within the business.

Overall, a consultant is a qualified advisor who is hired by a company to install a robust information security management system, reduce risks, comply with the ISO 27001 standard, and prepare for certification.

What are the benefits of hiring an ISO 27001 Consultant?

Here are some of the benefits you should experience when engaging a consultant:

  1. Expert Guidance: Consultants are proficient in the requirements of the standard and the certification process. Their extensive information security knowledge and experience should be valuable when navigating complex conditions, interpreting standards correctly, and make informed decisions.
  2. Streamlined Process: Certification involves a series of steps, including gap analysis, risk assessment, controls implementation, documentation preparation, and audits. A consultant is there to provide a structured approach and a clear roadmap, streamlining the process. They can help you prioritise activities, allocate resources efficiently, and get you certification ready.
  3. Accelerated Timeline: With their experience in implementation and certification, consultants should be able to get you certified quickly and seamlessly. Unfortunately, this isn’t always the case – but more on that later.
  4. Comprehensive Assessments: Consultants perform thorough gap analysis and risk assessments to evaluate your current information security practices. They identify weaknesses that need to be resolved in order to be fully compliant with he standard. These assessments should strengthen your security measures and align them with the standard’s requirements.
  5. Documentation Support: ISO 27001 requires a ridiculous amount of documentation, including policies, procedures, risk assessments, and records. Consultants are there to develop and polish these documents, to make sure they meet the standard’s criteria. 
  6. External Perspective: Hiring a consultant offers an external perspective to the certification process. Their unbiased analysis of your company’s ISMS and practices helps identify areas for improvement as well as a more impartial evaluation of your readiness for certification.
  7. Readiness for Audit: The certification process includes an external audit carried out by a certification body. Consultants prepare your business for this audit, making sure you’re ready for action and confident in your compliance. They should be able to address auditor queries and offer support during the audit.
  8. The Aftermath: Even after you’ve got your certificate, your consultant should be all about continuous improvement. Your ISMS should be constantly monitored and developed in order to maintain compliance, mitigate risks, and continuously enhance your information security practices.

By hiring an ISO 27001 consultant, your company should benefit from their expertise, efficient processes, and comprehensive support. They are there to increase your chances of achieving successful certification, boost your security posture, and help you showcase your commitment to safeguarding sensitive information.

How much will an ISO 27001 Consultant cost?

Trigger warning: you’ve reached the part that’ll make your ears bleed.

Hiring a consultant isn’t cheap. In fact, some are notorious for charging the earth and taking longer than necessary to get their sticky mitts on as much of your heard-earned cash as possible. (We did say we’d be honest!)

You might want to sit down… the average cost of hiring a consultant to help you get accredited is between £6,000 and £25,000.

Is it worth investing in ISO 27001 Consultancy Services?

It really depends on whether you do your research and find an honest expert who’ll charge your fairly and get you certified without dragging things out.

So, there you have it. The complete lowdown on ISO 27001 Consultancy Services.

You’re probably feeling a little deflated and confused now, aren’t you? You know you want to get certified, but you don’t want to spend a fortune. Accurate?

There is another way.

High Table is the answer to your prayers. By booking a free consultation with the ISO Ninja, it might be that you don’t need to hire a (greedy) consultant after all. After 25+ years of offering expert advice in the information security space, we can help you find the right ISO 27001 certification solution for you. (And it certainly won’t bankrupt you.)

ISO 27001 certification made easy

“After just one call with Stuart, the game changed for my tech start up. I’d been quoted tens of thousands for consultancy services, and it turned out that I didn’t even need one. Talk to High Table first, that’s the best advice I could give to any small business.”

Jay Field, Founder, Boxtech

ISO 27001:2022 requirements

Organisational Controls - A5

ISO 27001 Annex A 5.1 Policies for information security

ISO 27001 Annex A 5.2 Information Security Roles and Responsibilities

ISO 27001 Annex A 5.3 Segregation of duties

ISO 27001 Annex A 5.4 Management responsibilities

ISO 27001 Annex A 5.5 Contact with authorities

ISO 27001 Annex A 5.6 Contact with special interest groups

ISO 27001 Annex A 5.7 Threat intelligence – new

ISO 27001 Annex A 5.8 Information security in project management

ISO 27001 Annex A 5.9 Inventory of information and other associated assets – change

ISO 27001 Annex A 5.10 Acceptable use of information and other associated assets – change

ISO 27001 Annex A 5.11 Return of assets

ISO 27001 Annex A 5.11 Return of assets

ISO 27001 Annex A 5.13 Labelling of information

ISO 27001 Annex A 5.14 Information transfer

ISO 27001 Annex A 5.15 Access control

ISO 27001 Annex A 5.16 Identity management

ISO 27001 Annex A 5.17 Authentication information – new

ISO 27001 Annex A 5.18 Access rights – change

ISO 27001 Annex A 5.19 Information security in supplier relationships

ISO 27001 Annex A 5.20 Addressing information security within supplier agreements

ISO 27001 Annex A 5.21 Managing information security in the ICT supply chain – new

ISO 27001 Annex A 5.22 Monitoring, review and change management of supplier services – change

ISO 27001 Annex A 5.23 Information security for use of cloud services – new

ISO 27001 Annex A 5.24 Information security incident management planning and preparation – change

ISO 27001 Annex A 5.25 Assessment and decision on information security events 

ISO 27001 Annex A 5.26 Response to information security incidents

ISO 27001 Annex A 5.27 Learning from information security incidents

ISO 27001 Annex A 5.28 Collection of evidence

ISO 27001 Annex A 5.29 Information security during disruption – change

ISO 27001 Annex A 5.31 Identification of legal, statutory, regulatory and contractual requirements

ISO 27001 Annex A 5.32 Intellectual property rights

ISO 27001 Annex A 5.33 Protection of records

ISO 27001 Annex A 5.34 Privacy and protection of PII

ISO 27001 Annex A 5.35 Independent review of information security

ISO 27001 Annex A 5.36 Compliance with policies and standards for information security

ISO 27001 Annex A 5.37 Documented operating procedures 

Technology Controls - A8

ISO 27001 Annex A 8.1 User Endpoint Devices

ISO 27001 Annex A 8.2 Privileged Access Rights

ISO 27001 Annex A 8.3 Information Access Restriction

ISO 27001 Annex A 8.4 Access To Source Code

ISO 27001 Annex A 8.5 Secure Authentication

ISO 27001 Annex A 8.6 Capacity Management

ISO 27001 Annex A 8.7 Protection Against Malware

ISO 27001 Annex A 8.8 Management of Technical Vulnerabilities

ISO 27001 Annex A 8.9 Configuration Management 

ISO 27001 Annex A 8.10 Information Deletion

ISO 27001 Annex A 8.11 Data Masking

ISO 27001 Annex A 8.12 Data Leakage Prevention

ISO 27001 Annex A 8.13 Information Backup

ISO 27001 Annex A 8.14 Redundancy of Information Processing Facilities

ISO 27001 Annex A 8.15 Logging

ISO 27001 Annex A 8.16 Monitoring Activities

ISO 27001 Annex A 8.17 Clock Synchronisation

ISO 27001 Annex A 8.18 Use of Privileged Utility Programs

ISO 27001 Annex A 8.19 Installation of Software on Operational Systems

ISO 27001 Annex A 8.20 Network Security

ISO 27001 Annex A 8.21 Security of Network Services

ISO 27001 Annex A 8.22 Segregation of Networks

ISO 27001 Annex A 8.23 Web Filtering

ISO 27001 Annex A 8.24 Use of CryptographyISO27001 Annex A 8.25 Secure Development Life Cycle

ISO 27001 Annex A 8.26 Application Security Requirements

ISO 27001 Annex A 8.27 Secure Systems Architecture and Engineering Principles

ISO 27001 Annex A 8.28 Secure Coding

ISO 27001 Annex A 8.29 Security Testing in Development and Acceptance

ISO 27001 Annex A 8.30 Outsourced Development

ISO 27001 Annex A 8.31 Separation of Development, Test and Production Environments

ISO 27001 Annex A 8.32 Change Management

ISO 27001 Annex A 8.33 Test Information

ISO 27001 Annex A 8.34 Protection of information systems during audit testing