ISO/IEC 27001 Consulting
ISO 27001 consulting: build, audit, and operate an ISMS
ISO/IEC 27001 helps organize information security in a structured, auditable way. The current edition is ISO/IEC 27001:2022. This page explains the typical project phases, cost ranges, and how to select a provider, factually and without marketing.
When does introducing ISO 27001 make sense?
- client requirements or tenders demand certification
- structured security organization is missing
- growth increases risk and complexity
- regulatory pressure rises
- existing processes are not documented
ISO 27001 is not an IT project - it is an organizational project with technical components.
Typical ISO 27001 consulting phases
- Gap analysis and scope definition
- ISMS build (policies, risk assessment and treatment, Statement of Applicability, controls)
- Implementation of technical and organizational controls
- Internal audit and management review (the internal audit must be independent of the processes it audits)
- Certification audit (Stage 1 document review, Stage 2 implementation audit) and follow-up
What is typically covered?
- scope and information assets
- risk assessment and treatment
- policies and documentation
- asset management
- access controls
- supplier management
- incident processes
- awareness
- audit preparation
The scope depends on company size, industry, and maturity.
Deliverables
- documented ISMS
- risk register
- Statement of Applicability (which Annex A controls apply, and why or why not)
- action plan
- policy set
- audit-ready evidence
- management summary
- recommendations for improvement
Costs: rough guide
ISO 27001 projects vary widely by starting point. Indicative ranges:
- gap analysis: approx. EUR 2,000-5,000
- full implementation (SME): approx. EUR 8,000-30,000
- audit support: from approx. EUR 3,000
Cost drivers:
- company size
- existing processes
- documentation level
- locations
- technical maturity
These figures are indicative; concrete offers depend on scope. They cover consulting only; certification body fees are charged separately.
Selecting an ISO 27001 consultant
- experience with similar organizations
- pragmatic approach
- clear project structure
- audit experience
- familiarity with DACH/EU regulatory requirements
- realistic timelines
- clean documentation
Questions to ask consultants:
- How long does a typical project take?
- Which tasks remain with our internal team?
- How much staff time is required?
- Does your team have a technical security background, or only a compliance one?
- How does audit support work?
Common mistakes
- scope too large for a first certification
- documentation that describes processes nobody actually follows
- lack of management support and ownership
- controls that exist on paper but are not technically implemented
- no plan for operating the ISMS after certification (monitoring, internal audits, reviews)
FAQ
How long does implementation take?
Typically several months, depending on scope and maturity.
Do we need external consulting?
Not required by the standard, but often useful to ensure structure and audit readiness.
Do all systems need to be certified?
No. The organization defines the ISMS scope and can limit it to specific business units, locations, or services; the scope statement appears on the certificate.
How often are audits conducted?
The certificate runs on a three-year cycle: annual surveillance audits, then a recertification audit at the end of the cycle. Exact scheduling depends on the certification body.
What does the certification body cost?
Certification body fees are separate from consulting costs and are driven mainly by the number of audit days, which depends on the number of people and sites in scope.
Can we start in phases?
Yes, a staged approach is common.
How much internal time is needed?
Depends on scope; typically several hours per week for the ISMS coordinator, plus time from process owners during the build phase.
Is ISO 27001 useful without certification?
Yes, an ISMS brings structure even without certification.
Request ISO 27001 consulting
If you are unsure where you stand or how large the effort is, describe your situation briefly and we will help categorize it.