In seven years of auditing and consulting, I've seen businesses choose consultants based on price, word of mouth, LinkedIn profiles, or whoever called back first, then watched them fail Stage 2 audits or get functional systems that no one actually uses.
Choosing an ISO 27001 consultant isn't complicated, but it matters.
The wrong consultant costs you six months and $40K for documentation theatre. The right consultant builds an ISMS that passes the audit and actually protects your information assets.
TL;DR: Choose based on: credentials, experience, methodology, technical capability, commercial terms, and communication fit.
Here's how to compare consultants properly.
What ISO 27001:2022 Consultants Actually Do
Consultants help implement an Information Security Management System (ISMS) that satisfies ISO 27001:2022 requirements. This includes:
- Gap analysis - Assess current security posture against the 93 controls in Annex A
- Risk assessment - Identify information security risks, determine the treatment approach
- Statement of Applicability - Document which controls apply, which don't, and the justifications
- Policy and procedure development - Write ISMS documentation
- Control implementation - Deploy technical, administrative and physical security controls
- Staff training - Educate the team on ISMS requirements and their responsibilities
- Internal audit - Test ISMS effectiveness before the certification audit
- Management review - Leadership assessment of ISMS performance
- Audit preparation - Ready the business for Stage 1 and Stage 2 certification audits
How much they do versus how much you do varies dramatically between consultants. This is the first comparison point.
Service Level: Full-Service vs Hybrid vs Coaching
Full-service consultants (80-90% consultant work):
They write policies, implement controls, prepare documentation, conduct the internal audit and train staff. You provide information, review outputs, make decisions and participate in audits.
Cost: $25K-$80K depending on business size
Timeline: 4-6 months
Best for: Resource-constrained businesses, first-time certification, complex technical environments
Example: Consultant drafts 40-page Information Security Policy, implements threat intelligence feeds, configures web filtering, writes 15 procedures, conducts internal audit, prepares Stage 2 audit schedule. You review, approve, adopt.
Hybrid consultants (50-50 split):
They provide templates, frameworks, training and regular reviews. You write policies using their templates, implement controls with their guidance and manage the project timeline. They review the work, provide expert input and correct gaps.
Cost: $10K-$30K
Timeline: 6-9 months
Best for: Businesses with internal security capability, smaller budgets, experienced teams
Example: Consultant provides policy templates and training on how to customise them. You write policies. Consultant reviews monthly, identifies gaps, provides feedback. You implement controls. Consultant validates implementation quality.
Coaching consultants (20% consultant work):
They train your team, answer questions, review outputs and provide expert validation. You do 80% of the work—risk assessments, documentation, control implementation, internal audit.
Cost: $5K-$15K
Timeline: 9-12 months
Best for: Experienced internal teams wanting expert review, DIY approach with a safety net
Example: Consultant runs 2-day workshop on ISO 27001:2022 requirements. You implement independently. Consultant available for monthly review calls, validates your Statement of Applicability, observes internal audit.
First comparison question: "What percentage of work do you do versus our internal team, and what specifically does that include?"
Match service level to your capability and budget.
Credentials That Actually Matter
Must-have credentials:
IRCA, PECB or Exemplar Global Lead Implementer certification for ISO 27001: This certifies formal training and examination on implementing 27001 systems. Not just "I've worked in IT security." It is a specific qualification for ISMS implementation.
Ask: "What's your IRCA or Exemplar Global certificate number for ISO 27001 Lead Implementer?" Verify it on the IRCA website (irca.org) or Exemplar Global (exemplarglobal.org).
Bonus credentials:
- Lead Auditor certification - Understands what auditors assess, prepares you better for the certification audit
- CISSP, CISM, or similar - Strong for implementing 27001:2022's technical controls (Threat Intelligence, Secure Coding, Cloud Security)
- Industry-specific experience - A healthcare consultant understands HIPAA alignment, a finance consultant knows APRA requirements
Experience benchmarks:
5+ ISO 27001:2022 implementations minimum. The standard was published in October 2022, so consultants claiming "15 years 27001:2022 experience" are lying. They might have 15 years of 27001:2013 experience, but 2022 has 11 new controls requiring different expertise.
Ask: "How many ISO 27001:2022 implementations have you completed since October 2022? Can you provide three client references who achieved certification with your support?"
Speak to references. Ask:
- Did the consultant deliver what they promised?
- Was the timeline realistic, or did it blow out?
- Did you pass Stage 2 first time?
- How was communication and availability?
- Would you use them again?
Technical Capability for 2022's New Controls
ISO 27001:2022 added 11 new controls. Some require genuine technical security expertise:
Control 5.7 - Threat Intelligence: Establishing threat feeds, analysis capability, integration to risk assessment process
Control 8.9 - Configuration Management: Security baselines, hardening standards, change control
Control 5.23 - Cloud Services Security: Shared responsibility model, cloud-specific risk assessment
Control 8.28 - Secure Coding: Secure development lifecycle, code review processes
Control 8.20 - Web Filtering: Implementation, monitoring, bypass prevention
Generic ISO consultants without a security architecture background struggle with these controls. They write a policy that says "we shall implement threat intelligence" but can't actually help you set up STIX/TAXII feeds or integrate them into risk management.
Test consultant technical capability:
Ask: "How would you approach implementing Control 5.7 Threat Intelligence for a 100-person SaaS company?"
Weak answer: "Subscribe to threat intelligence feed and review it regularly."
Strong answer: "First assess what threats are relevant to your business—are you a targeted industry, what's your attack surface, what's your risk appetite. Then select feeds appropriate to those threats—STIX/TAXII commercial feeds like Recorded Future or AlienVault, free feeds like CISA, industry ISACs. Establish an analysis workflow—who reviews feeds, how often, what triggers escalation. Link threat intel to the risk register—new threats trigger risk reassessment. Document it in a Threat Intelligence Procedure with defined roles and a review schedule."
A detailed, practical answer = technical capability. A vague checkbox answer = documentation theatre.
If you're a tech company or SaaS provider, or have a complex IT environment, the consultant's technical depth matters more than it would in a traditional ISO engagement.
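The "link threat intel to the risk register" step in the strong answer is the part most consultants leave as a sentence in a procedure. The following is an added example (not from the article or any consultant's toolkit) of what that linkage looks like in practice: a constructed STIX 2.1 bundle stands in for a TAXII feed pull, the feed is filtered to actors that target our sector, and any risk-register entry covering an attack pattern those actors use is flagged for reassessment. Sector names, actor names, the register entries and the STIX ids are all assumed sample data.

```python
import json

def _obj(kind, num, **props):  # minimal STIX 2.1 object; UUID part of the id is constructed
    return {"type": kind, "spec_version": "2.1",
            "id": f"{kind}--00000000-0000-4000-8000-{num:012d}", **props}

def _rel(num, src, rel, dst):  # STIX relationship object between two SDOs
    return _obj("relationship", num, relationship_type=rel,
                source_ref=src["id"], target_ref=dst["id"])

# Constructed bundle standing in for a TAXII feed pull (not real intelligence).
tech = _obj("identity", 1, name="Technology", identity_class="class", sectors=["technology"])
health = _obj("identity", 2, name="Healthcare", identity_class="class", sectors=["healthcare"])
actor_a = _obj("threat-actor", 3, name="Sample Group A")
actor_b = _obj("threat-actor", 4, name="Sample Group B")
phish = _obj("attack-pattern", 5, name="Phishing")
exploit = _obj("attack-pattern", 6, name="Exploit Public-Facing Application")
FEED_JSON = json.dumps({"type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000099",
    "objects": [tech, health, actor_a, actor_b, phish, exploit,
                _rel(7, actor_a, "targets", tech), _rel(8, actor_a, "uses", phish),
                _rel(9, actor_b, "targets", health), _rel(10, actor_b, "uses", exploit)]})

# Constructed risk register; "techniques" names the attack patterns each risk covers.
RISK_REGISTER = [
    {"id": "R-07", "title": "Credential phishing against staff", "techniques": {"phishing"}},
    {"id": "R-12", "title": "Unpatched internet-facing web app", "techniques": {"exploit public-facing application"}},
    {"id": "R-19", "title": "Unauthorised server-room access", "techniques": {"tailgating"}},
]

def risks_to_reassess(feed_json, our_sectors, register):
    """Return {risk_id: [actor names]} for entries whose techniques are used by actors
    that target one of our sectors; those risks need their likelihood re-scored."""
    objs = {o["id"]: o for o in json.loads(feed_json)["objects"]}
    rels = [o for o in objs.values() if o["type"] == "relationship"]
    # 1. Relevance filter: feed identities describing a sector we operate in.
    our_ids = {i for i, o in objs.items() if o["type"] == "identity"
               and set(o.get("sectors", [])) & set(our_sectors)}
    # 2. Actors with a "targets" relationship to one of those identities.
    actors = {r["source_ref"] for r in rels
              if r["relationship_type"] == "targets" and r["target_ref"] in our_ids}
    # 3. Attack patterns those actors "use", keyed by lower-cased name.
    technique_actors = {}
    for r in rels:
        if r["relationship_type"] == "uses" and r["source_ref"] in actors:
            name = objs[r["target_ref"]]["name"].lower()
            technique_actors.setdefault(name, set()).add(objs[r["source_ref"]]["name"])
    # 4. Any register entry covering one of those patterns is flagged for reassessment.
    hits = {r["id"]: sorted({a for t in r["techniques"] for a in technique_actors.get(t, ())})
            for r in register}
    return {risk_id: who for risk_id, who in hits.items() if who}
```

For a technology-sector business only R-07 is flagged; the same feed run for a healthcare business flags R-12 instead, which is the "are you a targeted industry" filter doing its job.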
Implementation Methodology
Ask: "Walk me through your implementation process week-by-week."
Strong methodology includes:
Weeks 1-2: Discovery and scoping
- Business environment assessment
- Stakeholder workshops
- ISMS scope definition
- Project plan with milestones
Weeks 3-6: Risk assessment and control selection
- Information asset identification
- Risk assessment workshops
- Control selection against 93 Annex A controls
- Statement of Applicability development
Weeks 7-12: Documentation and implementation
- Policy and procedure writing
- Technical control implementation
- Security awareness training
- Process integration
Weeks 13-16: Testing and validation
- Internal audit
- Management review
- Gap remediation
- Documentation finalisation
Weeks 17-20: Certification preparation
- Stage 1 readiness assessment
- Corrective actions
- Evidence gathering
- Stage 2 audit support
Timeline varies by business size and complexity, but methodology should be structured, logical, and realistic.
Red flags:
"We'll have you certified in 6 weeks" - Impossible unless you already have a mature ISMS from a previous certification.
"We follow agile methodology" - ISO implementation isn't agile software development. It sounds modern, but it's unclear what this actually means for ISMS implementation.
No structured methodology, just "we work with you to get certified" - Vague, with no clarity on deliverables or timeline.
Commercial Terms Comparison
Pricing models:
Fixed price: Total project cost agreed upfront. Clarity but limited flexibility if scope changes. Example: $35,000 fixed price for full-service implementation, 50-person business, single site, ISO 27001:2022 only.
Hourly rate: $150-$300/hour depending on consultant seniority. Flexible but budget uncertainty. Example: Senior consultant $250/hour, estimate 120-160 hours. Could be $30K-$40K but might run over.
Milestone-based: Payment tied to deliverables. Balanced risk. Example: $5K gap analysis, $12K documentation phase, $8K implementation support, $6K audit preparation, $4K audit attendance. Total $35K across 5 milestones.
What should be included:
- Gap analysis
- Risk assessment facilitation
- Policy and procedure documentation (specify how much consultant writes vs you write)
- Control implementation guidance (specify level of hands-on support)
- Internal audit
- Management review support
- Stage 1 and Stage 2 audit preparation
- Reasonable email/phone support throughout project
What's usually extra:
- Travel and accommodation (if consultant not local)
- Post-certification annual support
- Scope expansions (adding sites, standards, or major control areas mid-project)
- Additional training sessions beyond agreed scope
- Expedited timeline requests
Questions to ask:
"Is this quote inclusive of all costs to get us to Stage 2 certification audit, or are there additional costs?"
"What's included in post-certification support? Is annual surveillance audit preparation included or extra?"
"If we need to add an office location mid-project, what's the cost impact?"
"What are your payment terms?" (Watch for: 100% upfront is a red flag, a 25-50% deposit is normal, milestone payments are balanced)
Cost Benchmarks (Australian Market 2025-2026)
Full-service implementation:
- Small business (under 50 staff): $15K-$35K
- Medium business (50-200 staff): $30K-$70K
- Large business (200+ staff): $60K-$150K+
Hybrid implementation:
- Small: $8K-$20K
- Medium: $15K-$40K
- Large: $35K-$80K
Coaching/review only:
- Small: $3K-$10K
- Medium: $8K-$25K
- Large: $20K-$50K
Premium pricing indicators:
- Extremely tight timeline (compressed from 6 months to 3 months)
- Complex technical environment (multi-cloud, extensive custom development)
- Multiple integrated standards (27001 + SOC2 + Essential Eight simultaneously)
- High-risk industry (defence, critical infrastructure, banking)
- Big 4 firm brand premium
Don't choose purely on price. A $15K consultant who delivers documentation that fails Stage 2 costs you $15K plus re-consultation costs plus delayed certification. A $30K consultant who delivers first time is cheaper.
But also don't overpay. An $80K Big 4 consultant for a 40-person service business is overkill.
Red Flags to Avoid
1. Consultant is also the certification body or auditor: Consultants consult. Auditors audit. They cannot be both for the same client. Massive conflict of interest.
2. Guarantees certification outcome: No consultant can guarantee the certification decision. The certification body makes that decision independently. A consultant can guarantee the quality of preparation, not the audit outcome.
3. Pushes a specific certification body: The consultant should be certification-body-agnostic. If they insist you use a particular certification body, a commercial relationship likely exists.
4. No client references: Every legitimate consultant with 5+ projects has clients willing to provide a reference. No references = no track record.
5. Vague about credentials: "15 years ISO consulting experience" isn't a credential. An IRCA/Exemplar Global certificate number is a credential.
6. Offshore delivery with no Australian presence: 27001 must align with Australian legal requirements, threat landscape and industry context. Offshore consultants using generic documentation fail Australian audits.
7. All templates, no customisation: "We'll give you our proven templates and you just fill in your company details." Templates are a starting point, not the end product. Every business needs a customised ISMS.
8. Cookie-cutter approach: A manufacturing company and a SaaS company have completely different information security risks. A consultant using an identical approach for both doesn't understand a risk-based standard.
Questions to Ask Every Consultant
Before engaging a consultant, ask these questions. Compare answers across 3-5 consultants:
Credentials:
- "What's your IRCA/Exemplar Global certificate number? Can I verify this?"
- "How many ISO 27001:2022 implementations have you completed?"
- "Can you provide three references from clients who achieved certification with your support?"
Approach:
- "What percentage of the work do you do versus our team?"
- "Walk me through your week-by-week implementation methodology."
- "How do you handle the 11 new controls in the 2022 version specifically?"
Commercial:
- "What's included in your quoted price and what costs extra?"
- "What are your payment terms and milestone schedule?"
- "What's included in post-certification support?"
Technical:
- "How would you approach implementing Control 5.23 Cloud Services Security for our environment?" (Insert the control relevant to your business)
- "What tools or platforms do you use for risk assessment and documentation?"
Compatibility:
- "How do you communicate—weekly calls, email, Slack, in-person?"
- "What's your typical response time for questions between scheduled meetings?"
- "How do you handle disagreements about control implementation approaches?"
Compare answers across consultants. Choose based on: credentials, experience, methodology, technical capability, commercial terms, communication fit.
How CertBetter Helps Compare Consultants
CertBetter is a trusted directory of ISO consultants where you can:
- Search consultants by location, standard (ISO 27001:2022), service type (full-service/hybrid/coaching) and industry specialisation
- View verified credentials - Background-checked consultants with confirmed IRCA/Exemplar Global qualifications, insurance verified, client references validated
- Compare experience - See the number of 27001:2022 implementations, client reviews, specialisations, typical project timelines
- Request quotes directly - Send an RFQ to 3-5 consultants simultaneously; they respond directly to you with proposals
- Read verified reviews - Client feedback from businesses who've used these consultants
What CertBetter doesn't do:
- Provide quotes on consultants' behalf (consultants respond directly)
- Take commission or markup consultant fees (free for businesses)
- Guarantee consultant performance (you do due diligence)
- Recommend specific consultants (you choose based on your requirements)
Think of CertBetter as a verified consultant directory that eliminates the background-checking work. Instead of calling 10 consultants from Google and verifying credentials individually, CertBetter pre-verifies them so you can compare ISO 27001 consultant quotes in no time.
Visit certbetter.com, create an account, search ISO 27001:2022 consultants, compare profiles and request quotes from consultants matching your requirements. Compare proposals, check references and select the best fit.
The platform helps you find and compare consultants efficiently. You make the final selection based on which consultant best matches your needs, budget and environment.
Final Comparison Framework
Create spreadsheet comparing consultants across these dimensions:

The comparison table shows the trade-offs clearly. Consultant B is cheapest but less experienced, with a longer timeline. Consultant C is most expensive but most experienced and fastest. Consultant A is the balanced middle option.
Choose based on your priorities: speed, cost, technical capability, or experience depth.
Bottom Line
Comparing ISO 27001:2022 consultants properly requires:
- Verify credentials (IRCA/Exemplar Global certificates)
- Assess 2022 experience (minimum 5 implementations)
- Understand service level (full-service vs hybrid vs coaching)
- Test technical capability (how they'd implement new controls)
- Review methodology (structured approach with clear deliverables)
- Compare commercial terms (total cost, payment schedule, inclusions)
- Check references (speak to past clients)
- Evaluate fit (communication style, availability, approach)
Don't choose the first consultant you find. Don't choose purely on price. Don't skip reference checks.
Use CertBetter to identify verified consultants, request quotes from 3-5, compare thoroughly using the framework above and select the best fit for your business.
The right consultant is the difference between an ISMS that protects your business and documentation that sits in a drawer unused.