The international standard ISO 27001, also known as ISO/IEC 27001, covers an organisation’s Information Security Management System (ISMS). It is framed in very general terms, in order to extend its coverage to every type and size of organisation. However, this lack of specificity can at the same time be an obstacle when applying the standard to a particular situation. This is where ISO 27001 consultants can remove a great deal of the burden of interpreting and applying this comparatively new standard.
Published in 2005, the ISO 27001 standard is part of the ISO/IEC 27000 family of standards related to information security. For example, ISO 27002 comprises the code of practice for information security management, and can readily be used in conjunction with ISO 27001 when setting up an ISMS. Since these are formal published standards, it is possible for an organisation to be certified as compliant with them. In order to achieve this, an organisation needs to call on the services of ISO 27001 consultants.
There are two possible roles for consultants: either they can advise the organisation on the changes to implement in order to comply with the standard, or else they can act as auditors to carry out the certification itself. The two roles are mutually exclusive, as an ISO 27001 consultant cannot subsequently certify an organisation that he or she has previously advised.
The published standard gives comparatively little detail. Hence it is important that the ISO 27001 consultants should have significant business experience, ideally in a senior information security role, as well as a very wide breadth of experience in several different companies. This will furnish them with the insight needed to apply the general clauses of the ISO 27001 standard to the specific situation of the organisation in question.
When selecting ISO 27001 consultants, there are certain questions that can usefully be asked, as follows:
What qualifications does the consultant have? Relevant certifications are: CISSP (awarded by ISC2), CISM (awarded by ISACA) and the new CGEIT (also from ISACA).
How much experience does the consultancy as a whole have with ISO 27001 or similar standards? The ISO 27001 standard is essentially the same as section 2 of the old British Standard BS 7799 ISO 27001 Danışmanlığı, published in 2002. A firm of ISOS 27001 consultants should be able to demonstrate extensive experience with these standards, and with ISO 27002 (formerly ISO 17799).
What references are available from past clients for this kind of service? If a consultancy cannot supply testimonials, then it is probably safest to avoid them.
If an organisation is engaging ISO 27001 consultants to advise on a roadmap towards certification, then it is fair to ask them what proportion of firms thus advised in the past were successful in attaining accreditation against ISO 27001. If the proportion is quite low, then it is best to select a competing tender, even at a substantial cost penalty, since making a second attempt at accreditation would be very expensive in terms of fees and staff time.
In summary, specialist ISO 27001 consultants can be indispensable when seeking to achieve compliance with the standard. However, it is important to select carefully, as not all consultants and advisers have the requisite skills and experience.