What criteria should consider for choosing ISO 27001 Consultant?

While implementing ISO 27001 for first time, you must hire a consultant for helping. A consultant should take minimum time for implementation – he should provide you all the know-how for the implementation of ISO 27001, and help to avoid numerous risks during the project. An ISO 27001 consultant should lead you step by step throughout project, and give you a precise idea of what the ISO 27001 certification auditors will be looking for.

If arrangement includes on-site consulting, an ISO 27001 consultant can make all the necessary analysis, recommend the best solutions, write the documentation, train your employees, etc.

Following are the criteria should choose to hire ISO 27001 consultant:

1. Experience & skills: you should research about the consulting company as well as about the person who would do the consulting job – does he/she has certificates such as ISO 27001 Lead Auditor Course? There are also matters about job performance of that consultant and also how long has he/she been in this business? Etc.
2. Reputation: The best thing is to call the clients the consultant claims she has worked with – very often you'll be surprised that the job she was working on was far smaller in scope than you were led to believe, and sometimes the customers won't speak favourably about the service they received. Also, if an ISO 27001 consultant has published some books or articles on a subject, or if she is a frequent speaker at conferences, the sure chances are that you'll make a good choice.
3. Customized service: Avoid the "copy-paste" type consultants – they will bring you finished templates and contribute nothing to them. There would be better off doing the ISO 27001 implementation by ISO 27001 Documentation Toolkit. Actually, you'll learn quite a lot about the willingness of a consultant to tailor the service for your specific required during the negotiation period.
4. Language: Choosing a consultant that doesn't speak the local language or we can say speaks can't speak poorly because it leads to disaster probably. And even don't expect that a translator will help to deal with this problem – the job of a consultant is to understand all the nuances of operations, and that cannot be done via a third person.
5. Conflict of interest: Hire a consultant who sells only consulting services. And should avoid those who offer other security or IT solutions, unless want to complete sell related items that target.

Also there are also some risks for hiring an ISO 27001 consultant, too:

The ISO 27001 consultant will be able to see your most critical information, including the areas where you are mostly in risk.

If a consultant is selling some software, you can expect he/she will use knowledge of your company to convince that his solution is just what your requirement.

If a consultant is doing all the analysis and documentation writing by themselves then probably two things will happen: (1) the documentation will not reflect the real requirements of company, and (2) once the consultant is gone, your employees won't know how to maintain the documentation.

There are many people claiming to be consultants, but in fact they have very little knowledge about the job.

Source: 27001securitycertification.wordpress.com

Dacey Lyle has published so many articles regarding ISO Certification Documentation. As ISO Consultant profession since last many years Dacey has rich experience in preparing such certification documents within ISO guideline to her global clients to