ISO 27001 Consultant: What Matters When Selecting, Mandating, and Verifying
An ISO 27001 consultant can significantly accelerate certification preparation — provided they work with the right mandate, verifiable qualifications, and a platform that generates audit-proof documentation.
ISO/IEC 27001:2022 has been the current ISMS standard since October 2022. Anyone pursuing certification today or transitioning an existing certificate to the new version faces a structured implementation effort: 93 controls, risk analysis under Clause 6.1, Statement of Applicability (SoA), and a two-stage audit process. An experienced ISO 27001 consultant can compress this timeline significantly — provided the mandate is structured correctly and documented in an audit-proof manner.
This guide explains the distinction between consultant and Information Security Officer (ISB), the minimum qualifications to require, typical scope and cost ranges, and how consulting and a compliance platform complement each other.
Key Takeaways
- An ISO 27001 consultant provides methodology and templates for certification preparation — but does not replace the formally appointed ISB function required by regulation.
- Proof of qualification (Lead Auditor or Lead Implementer) and a verifiable reference list of comparable projects are minimum requirements when selecting a consultant.
- A consultant working with a compliance platform creates audit-proof documentation throughout the process — rather than delivering reports that become outdated after project completion.
Consultant vs. ISB: Two Different Roles
An ISO 27001 consultant delivers project-based services: gap assessment, documentation, training, and audit preparation. They bear no ongoing responsibility for the ISMS and are not formally appointed as an officer. Their mandate ends when the project concludes.
An Information Security Officer (ISB), by contrast, is a permanently appointed function with ongoing operational ISMS responsibility. ISO/IEC 27001:2022 requires both: consulting services for the build phase, and a permanently responsible ISB role in ongoing operations. Many SMEs underestimate this distinction — and discover at the Stage 2 audit that no one has formally assumed responsibility.
Qualification Requirements: What a Good ISO 27001 Consultant Brings
Minimum qualifications an ISO 27001 consultant should demonstrate:
- ISO/IEC 27001 Lead Auditor or Lead Implementer certification (accredited under ISO/IEC 17024 or by a recognised body such as IRCA, BSI-UK, TÜV).
- Verifiable project references: at least two to three completed ISO 27001 certifications in comparable organisations, with contact details for references.
- Documented knowledge of the 2022 revision (not just the 2013 version): Annex A restructuring, new controls such as 5.7 Threat Intelligence and 8.8 Management of Technical Vulnerabilities, and the revised Clause 6.1 requirements.
Additional qualifications worth verifying: CISA, CISSP, or sector-specific expertise (healthcare, finance, critical infrastructure).
What an ISO 27001 Consulting Mandate Should Include
A complete consulting mandate for initial certification typically covers:
- gap assessment against ISO/IEC 27001:2022 Annex A (all 93 controls)
- creation or review of core ISMS documents (scope, policy, risk methodology, SoA, risk register)
- support through risk analysis and treatment
- preparation of required records (Clause 9.1 Monitoring, 9.2 Internal Audit, 9.3 Management Review)
- Stage 1 audit preparation (document review) and Stage 2 audit support (on-site audit accompaniment)
- post-audit non-conformity remediation
Not included in most mandates: ongoing ISMS operations after certification, maintenance updates for new control versions, or day-to-day security incident handling — these fall within the ISB function.
Realistically Calculating Daily Rates and Total Costs
ISO 27001 consultants in Germany charge daily rates between €1,200 and €2,200 (net), depending on qualifications, sector focus, and geographic location. For a complete initial certification engagement (gap assessment through Stage 2 audit), typically 15 to 35 consultant days are required, resulting in total costs of €18,000 to €77,000.
Fixed-price projects are more budget-predictable for SMEs than pure daily-rate models. Insist on a detailed breakdown by phase and milestone — this protects against scope creep and enables meaningful comparison between providers.
Typical Mistakes in Consultant Selection
Four common mistakes in ISO 27001 consultant selection:
- Qualifications not verified. A consultant who lists ISO 27001 on their website is not necessarily a Lead Auditor. Request the certificate number and issue date.
- No reference check. Speak with at least one reference client from a comparable project, not just with the consultant.
- 2013 knowledge only. Verify explicitly that the consultant knows the 2022 revision: new control structure, new controls, and revised clause requirements.
- No platform integration. A consultant who works only with Office documents creates a documentation backlog the ISB must later maintain without tool support.
Transition from ISO 27001:2013 to 2022: What Consultants Must Deliver
The transition period from ISO/IEC 27001:2013 to ISO/IEC 27001:2022 ended in October 2025. Organisations still certified under the old version must switch to the new standard at their next recertification. An ISO 27001 consultant supporting the transition must understand the structural differences: reorganisation of Annex A controls from 114 to 93, introduction of 11 new controls, and revised requirements under Clause 6.1 (risk treatment options). A delta assessment identifies the actual transition effort before rework begins.
Internal Audit Execution: Internal Staff vs. External Consultants
ISO/IEC 27001:2022 Clause 9.2 requires an internal audit programme. The internal audit can be performed by internal auditors or external consultants — impartiality is the key requirement: the auditor must not review their own work.
For SMEs without internal auditor capacity, external consultants are the standard solution. The consultant performing the internal audit should not be the same person who created the documentation being audited. For small projects, a second external auditor for the internal audit is recommended.
Consultant and Platform: How Both Work Together
An ISO 27001 consultant working with a compliance platform creates audit-proof documentation throughout the process: risk register, SoA, audit records, and training certificates all reside in the same system, are interlinked, and exportable at any time. This is structurally superior to the classic consultant model, where deliverables exist as Word documents and Excel files that the ISB must manually update after project completion.
CIVAC integrates the consulting methodology directly into the platform: 37 audit templates, 93 control checklists, and an integrated risk register that generates the SoA automatically. The consultant can work within the client's CIVAC environment — all documentation remains in the platform after the project ends.
Combining ISO 27001 Consulting and Platform
A qualified ISO 27001 consultant and a structured compliance platform are not alternatives — they complement each other. The consultant provides methodology and the auditor's perspective; the platform generates audit-proof documentation in ongoing operations. CIVAC combines both: 37 audit templates, 93 control checklists, and an integrated risk register that automatically generates the SoA. Consultants who work with CIVAC create documentation that the ISB can continue operating independently after project completion.
Book a CIVAC demo and find out how certification preparation and ongoing ISMS operations can run within the same platform.
FAQ
What is the difference between an ISO 27001 consultant and an ISB?
A consultant delivers project-based services (gap assessment, documentation, audit preparation) without ongoing ISMS responsibility. An ISB is permanently appointed and responsible for day-to-day ISMS operations. ISO/IEC 27001:2022 requires both: consulting for the build phase and a permanently responsible ISB in ongoing operations.
How do I identify a qualified ISO 27001 consultant?
At minimum: an accredited ISO/IEC 27001 Lead Auditor or Lead Implementer certificate, a reference list of comparable projects, and documented knowledge of the 2022 revision (not just the 2013 version). Request the certificate number and issue date.
How many consultant days does initial certification require?
For SMEs with 100 to 500 employees, typically 15 to 35 consultant days, depending on scope and ISMS maturity. Fixed-price projects are more budget-predictable for SMEs than pure daily-rate models.
Can a consultant also perform the internal audit?
Yes, provided the consultant is not the same person who created the documentation being audited (impartiality per ISO/IEC 27001:2022 Clause 9.2). For small projects, a second external auditor for the internal audit is recommended.
Do I need a new consultant for the ISO 27001 transition from 2013 to 2022?
Not necessarily, but the consultant must know the structural differences in the 2022 revision. A delta assessment should determine the actual transition effort before rework begins.
What does an ISO 27001 consultant cost compared to an internal solution?
Daily rates range from €1,200 to €2,200. For a complete initial certification engagement, consulting costs total €18,000 to €77,000. An internal solution requires a qualified person with sufficient time — which is not economically viable for many SMEs.