In this second part, we'll discuss the different types of company you may encounter, and the different types of support available.
In reality, choosing an independent consultant not backed by a network is not the ideal choice.
Opting for an independent consultant or a small company to support an ISO 27001 certification project can have certain disadvantages. While individualized expertise and a personalized approach are advantages, companies may come up against limitations in terms of resources and availability. An independent consultant, managing several clients at the same time, may not be able to offer the ongoing responsiveness and attention that this project requires.
What's more, if the consultant's expertise is broad but shallow, he or she may lack the specialist knowledge needed for complex or industry-specific cases (legal or cybersecurity). There is also the risk that a single consultant may not have an extensive network of contacts to support the project, unlike consulting firms which can offer a multidisciplinary team and access to a wider range of skills and experience. Finally, continuity of service may be jeopardized if the consultant falls ill or decides to change career.
What's more, the question of costs is counter-intuitive: for the same service, the independent consultant will be more expensive, and above all will offer no commitment on the outcome. We've found that some projects cost in excess of €60/80K without delivering any real results.
Choosing a training company that only provides training for ISO 27001 project management can have certain disadvantages that deserve careful consideration. A training company may focus primarily on the theoretical aspects of ISO 27001. As such, it may offer a robust understanding of the principles and requirements, but may sometimes lack the practical implementation experience needed to truly integrate the standard into a company's processes.
This can lead to a gap between learned theory and practical applications, complicating the implementation phase. What's more, training firms can sometimes adopt a standardized approach. This approach fails to take into account the particularities and specific needs of each company. As a result, it can be less effective for organizations with unique requirements.
The group training provided by these firms can also dilute the individualized attention that a dedicated consultant could offer. Finally, the costs associated with hiring a training firm to provide support can be significantly higher, particularly when additional training sessions are required to cover all aspects of the standard and its application. It is therefore essential to ensure that the firm chosen offers a balance between theoretical training and practical support, adapted to the operational realities of the company.
Opting for an ISO 27001 consulting firm that offers both training and operational support is a strategic choice rich in advantages. One of the main benefits lies in the integrated approach offered by these firms, which combines the transmission of essential theoretical knowledge with personalized practical support. This model enables companies not only to understand the requirements of ISO 27001, but also to know how to implement them concretely and effectively within their day-to-day operations.
A consulting firm usually offers the expertise of a multidisciplinary team that can bring a diversity of perspectives and skills, enriching the implementation process and increasing the chances of successful certification. In addition, ongoing operational support ensures that information security practices are not only in line with international standards, but also adapted and evolving in line with innovations.
Last but not least, investing in a project management firm can prove economically advantageous in the long term, by avoiding costly mistakes and optimizing internal processes, leading to improved risk management and greater organizational resilience.
Outsourcing the implementation of ISO 27001, including training and operational support via a software solution, offers several strategic advantages for a company. Firstly, it provides access to specialized expertise and advanced technological resources without the costs and long-term commitments associated with hiring in-house. Outsourced service providers offer tailor-made training programs that can be adapted to the company's specific needs, ensuring that staff understand the requirements of the standard and know how to apply them effectively.
In addition, the use of a dedicated software solution facilitates the monitoring, management and continuous improvement of information security processes, making ISO 27001 compliance more accessible and less prone to human error. This type of service also offers greater flexibility, enabling companies to adapt quickly to changes in the standard or new regulatory requirements. Finally, outsourcing through a software solution can provide a centralized platform for documenting, managing and reporting security measures, simplifying auditing and certification, while offering a coherent overview of the organization's security posture.
First of all, we need to understand what it means to be competent in ISO 27001. Here are the key points of comparison, drawn from hundreds of ISO 27001 projects.
You need a company that has accompanied many certifications in recent years, because certification has evolved considerably over the past 3 years: standards and regulations have changed, and so have certifiers' requirements. It is not uncommon for certain service providers to remain anchored in outdated practices or requirements.
Security and regulations require constant updating, so it's important to choose a service provider with knowledge of organization, cybersecurity documentation and legal issues.
What's more, this service provider should be able to offer you a cybersecurity monitoring service.
These projects often require comprehensive expertise in security and quality standards, and in certification processes. This certification expertise will give you full control over the final certification outcome.
This is a criterion often overlooked when choosing a service provider. Some companies think they have the skills required to implement security measures, or already have a partner in this field.
Why is it important to have a firm with cybersecurity expertise?
This enables us to advise you on the simplest and most cost-effective solutions to put in place to ensure the highest level of security. It also enables you to check the technological solutions put in place by your current partners, and get an outside, unbiased view.
Your support company must also have the necessary legal skills to advise you on contractual regulatory aspects linked to the GDPR or linked to information security regulations.
Find out more about information security and regulation on our blog.
There are some areas that can be misleading. The choice of the individual consultant is one of the most common errors. Experience is important, as is the associated knowledge, but above all you need someone with a flair for teaching and the ability to support change. The typical expert with 20 years' experience will be able to speak like an encyclopedia, but will not necessarily be able to support you properly. Of course, this type of consultant can benefit from in-house support in terms of expertise (mainly cyber or legal).
The methods used are of crucial importance. Even if you can't judge them easily, a good method will help you to succeed in the project, and a complex method will drag you into a lengthy project. Trust your perception when service providers present you with the method: is it clear? Is it simple? Ask several people in the company to see if they have the same understanding of it. Is the method based on principles that fit in with your culture?
A project without tools and solutions will force you to use office tools like Excel and Word, or spend a lot of time developing your own solution.
In our experience, no company has really succeeded in implementing a management system solution on its own. That's why it's important to rely on commercially available software. Really up-to-date and useful software costs no more than €5,000 a year. But it is software structured enough to maintain your management system over time, to benefit from the included and up-to-date knowledge bases, and to automate your management system, thus saving time each year in setting up security actions and maintaining them.
As with any choice of solution, you may have individual preferences linked to your previous experiences or those of your partners. It is important to take a step back, so as not to hold on to preconceived ideas or false beliefs.
Among these false beliefs are the following:
I can only recommend that you compare the different approaches and remain open to the most factual arguments.
The company must have 3 types of certification:
It's also important to check the real capabilities of the companies you're working with.
The overall budget for an ISO 27001 project, for external purchases alone, is around €50,000 minimum. For companies that don't have this budget, you'll need to consider a slightly different approach. If you would like more information on this specific subject, please contact us about our Oversecur solution.
If you want to understand the costs of support, we've put together a FAQ and videos on the subject.
The cost is always made up of in-house time, support time and costs, maintenance costs, security solution costs and certification costs.
It's important to know that if you are well supported by a company, this will not only reduce your internal costs, but also your maintenance and certification costs.
What's more, some companies like Feel Agile can help you put together grant applications and guide you in the best strategy for building your project financially.
Good advice on technical security can save you a lot of money. In particular, by choosing the solutions best suited to your cybersecurity context.
The items on which savings can be made are:
If you're well advised, you'll be able to get the most optimized systems, sometimes with open source solutions.
Why choose ISMS management software? This software will cost you around €5,000 a year. But it will save you an enormous amount of time in setting up and maintaining your certification.
If you would like a demonstration of our partner solution, please contact the Oversecur team.
ISO 27001 requires you to carry out full internal audits in the first year, and annual internal audits for monitoring purposes.
It's important to carry out fairly comprehensive and detailed internal audits, so as to have a real guarantee of the project's success: an audit carried out under the same conditions as the certification audit, but more exhaustively.
So it's important to allow a certain duration, and therefore a certain cost, for internal audits.
Prices can vary significantly from one phase to the next, so it's important to seek advice from your certification body. It's also important to understand that the role of the certification body is solely to verify the implementation of a system. They can't be judge and jury, nor can they support or train you. So beware of certification companies that don't respect this minimum ethical standard, as it's generally not a good sign.
What's more, they can be highly biased, as they don't provide any real support or assistance, but focus solely on the project's outcome and not on the internal life of the company.
Managing the certification partner also represents a significant amount of time, so don't hesitate to ask your partner whether their service includes managing the certification body and putting together the files. All the actions required for certification are included in the support services offered by our company.
Of course, proposals and quotations must be clear and detailed. That said, just because a service provider provides a fifty-page presentation doesn't mean it's a good sign.
Once again, the emphasis is on pedagogical skills, and therefore on the clarity and simplicity of the product documents, rather than the weight of the documentation.
Prefer presentations that are concise, but which present all the precise criteria of the support and the content of the services to be provided.
This is a very good sign, as is the presence of elements that specify what is not included in the service, to avoid any misunderstanding.
Companies that are vague about their deliverables should be excluded, as should those who are unable to give you a precise price for a service.
In fact, a company that has mastered ISO 27001 support is perfectly capable of telling you precisely the scope of the support work needed to achieve a result with a client company.
Companies who don't commit to a fixed price are in fact companies who haven't thought through the support process, and don't really have a methodical approach to change support.
The company's communication skills:
Over and above the service provider, it's best to choose a company with a real support team and account managers whom you can contact if you have any questions or difficulties. When you buy a service, you're also buying support. Choose a company that can offer you support during working hours by e-mail, telephone or videoconference.
If you are supported during the project, you will certainly need support in the years that follow, whether to keep up to date with regulations and standards, or to outsource certain security maintenance activities. It's a good idea to choose a company that can not only accompany you, but also support you over the long term in terms of cybersecurity, regulations and monitoring.
Of course, it's best to choose a service provider that's in tune with your corporate culture and values. It's important to understand that choosing a company that offers a lot of innovation, for example, may have an advantage in today's cybersecurity environment, when it comes to implementing simple, pragmatic and agile processes. What's more, the key criteria for today's companies could be rigor, but also a great deal of pedagogical and change management skill, which would be in step with companies that want to remain agile and tailor-made. This part really needs to be thought through in relation to your own criteria.
One of the most important things to remember is to be transparent with your service provider, so that they can advise you properly. In fact, depending on the company, you may want to keep a certain number of activities in-house, such as project implementation, document editing, etc. A good service provider will adapt to your context and objectives, and will be able to advise you independently on exactly what is right for you.
There aren't many companies capable of outsourcing cybersecurity. FeelAgile is one of those companies able to outsource most activities related to cybersecurity, regulation and ISO 27001.
Even if these outsourcing services represent a significant cost for the company, they are a real competitive advantage. In fact, within 6 to 12 months, you'll be able to comply with all desired standards and regulations, and achieve certification results with certainty. What's more, these outsourcing services can be coupled with security and cybersecurity outsourcing, as well as all the time-consuming aspects of compliance for the company.
As a result, it's a good solution if you want to stay a tight-knit team. With this solution, you won't have to waste time building up your cybersecurity skills, while retaining complete control of your cybersecurity and compliance.
Outsourcing does not mean losing control. It means that you have a management system and resources outsourced via a service contract.
We have outlined the main criteria to consider when choosing an ISO 27001 support provider.
The key point to remember: it's essential to understand how the service provider will support you in concrete terms, and to check whether they have proven experience in similar projects.
Another decisive factor is the clarity of your objectives. To define them, we recommend starting with a self-diagnosis or gap analysis.
ISO 27001 is a structuring project, requiring time and a rigorous approach. It requires a wide range of skills: security organization, governance, legal and technical.
Effective support is based on a clear methodology, appropriate teaching methods, and an agile approach focused on the reality of your business.
Lastly, negative feedback on ISO 27001 certification is often the result of poor support, a project carried out alone, or an overly rigid approach. Surrounding yourself with the right partner can make all the difference.