How to become an ISO 27001 / ISO 22301 consultant

If you are thinking about a career change, becoming an independent consultant for ISO 27001 and/or ISO 22301 certainly sounds like an attractive option. But what do you need to know, and what do you need to have to start your own consultancy?

To become a respected ISO 27001/ISO 22301 consultant, you need:
  • ISO 27001/ISO 22301 certificates
  • Project management certificate
  • Experience

Focus on ISO 27001 or ISO 22301?

In my view, it should be and instead of or – these standards are very similar and very compatible, so it makes sense that you help your clients with both of them. Once you grasp one standard, it will be only a small step further to fully understand the other one. See also this webinar: ISO 27001 & ISO 22301: Why is it better to implement them together?

Industries consultants work with, and the jobs they do

So, what are ISO 27001/ISO 22301 consultant jobs, which industries do they work with, and what do they typically do? An ISO 27001 consultant, just like an ISO 22301 consultant, usually does implementation, training, and internal auditing. They can cover any industry or business that wants to become ISO 27001 and ISO 22301 compliant; usually, these are high-tech companies, financial organizations, service organizations, etc.

What qualifications do you need?

It’s a funny thing, but to become an ISO 27001 and ISO 22301 consultant, there are no formal qualifications needed, at least not in most countries. This basically means anyone can become a consultant, with no qualifications whatsoever.

However, if you want to become a consultant respected by potential clients, you should have at least the following:

ISO 27001/ISO 22301 certificates – you should at least get the Lead Auditor or Lead Implementer certificate, but it would be better if you had both. See also Lead Auditor Course vs. Lead Implementer Course – Which one to go for?

Project management certificate – since your work will be nothing but delivering projects, you should learn how to run them. For instance, you should get PMP, or some other similar certificate.

Experience – theoretical knowledge won’t be enough, so you should get experience through at least one of the following:

  • Work as a certification auditor – performing certification audits will give you an excellent insight into the do’s and don’ts of ISO 27001 and ISO 22301 implementation, or
  • Work for another consultant – this is the best way to learn about the implementation methods and how to get new clients, or
  • Work as an information security or business continuity practitioner – working in a company is an excellent way to learn the client side of the story: What are the usual pains? What is the expert help needed for?

ISO 27001 consultant / ISO 22301 consultant – How to become one?

What else do you need?

Besides getting the knowledge already mentioned above, to become an ISO 27001/ISO 22301 consultant you will also need some other tools and sources of knowledge:

  • Books – there are many books available on ISO 27001 and ISO 22301 (this author is proud to have published one – Becoming Resilient: The Definitive Guide to ISO 22301 Implementation)
  • Documentation templates – when starting to work with your clients you will need templates of ISO 27001/ISO 22301 policies and procedures to speed up your work.
  • Templates for proposals and presentations – what you show to potential clients must be very comprehensive and professional.
  • Tools – besides a laptop and MS Office, you will also need some kind of customer relationship management (CRM) software or an online service, because you must track all the potential clients and in which phase you currently are with each of them.
  • Social media skills – you will have to learn how to communicate through Twitter, Facebook and LinkedIn, since these will be important channels for getting new clients.
  • Website development skills – if you decide to publish articles, you will need to know at least how to publish a blog.

How to find the clients?

Believe it or not, this is by far the most difficult task – this is where most would-be consultants have failed, no matter how knowledgeable they were about ISO 27001 or ISO 22301.

There are several ways you should market your services:

  • Use your contacts from previous jobs – for example, arrange a deal with the client even before you start your consultancy in order to avoid a gap once you start your new job; this is probably the best way to start your career, but you must be careful to stay within the ethical limits – you should not hurt your old employer because of this.
  • Direct sales – you should spend at least 30% of your time dialing phone numbers and delivering presentations to potential clients – this is basically the best way to close the deal.
  • Speaking at conferences – this is one of the best ways to build your credibility, and to get new contacts. Just make sure to practice your presentation skills, because otherwise, you may end up with even less credibility than you had previously.
  • Writing expert articles – you should publish your articles in specialized magazines and on the Internet – this way, you will show your expertise to the whole world.
  • Delivering courses – this is an excellent way to get new contacts and prove your expertise.
  • Partnerships – perhaps you can find some vendors who are compatible (and not competing) with your service – in such cases, when they get a deal they may bring you a new client.

And remember – clients aren’t going to rush in on the first day you start your consultancy; on the contrary, in the beginning you will probably have fewer clients than you imagined – even in your worst-case scenario. This is because the sales cycle is very long – it usually takes a lot of time for a client to decide to go for a project.

I’m not saying that a good consultant must be more skilled in marketing than in ISO 27001 or ISO 22301 – I’m just saying that marketing skills and efforts should not be neglected, because without them your main expertise will never reach the clients.

Focus on what’s the best for the client

In this article I wanted to present the prerequisites for becoming a consultant – the methods for delivering the ISO 27001 or ISO 22301 project wouldn’t fit in this article. For the implementation steps you should read these articles: ISO 27001 implementation checklist and 17 steps for implementing ISO 22301.

But in the end, remember that reputation is what will bring you new clients. Make sure that everything you do, you do it in the best interest of a client – you shouldn’t recommend some new technology to a client only because you have a partner selling it; you shouldn’t hold back some information only to have your client use your services later on. What you should do is protect your client’s interest and exceed their expectations.

Once clients realize your integrity and capability, they will start recommending you – and this is where your career will take off.

To learn all the requirements for becoming an ISO 27001 consultant, visit this free online course: ISO 27001 Lead Implementer course.

To find out who should be your project manager for ISO 27001/ISO 22301, see this article.

Author
Dejan Kosutic
Leading expert on cybersecurity & information security and the author of several books, articles, webinars, and courses. As a premier expert, Dejan founded Advisera to help small and medium businesses obtain the resources they need to become compliant with EU regulations and ISO standards. He believes that making complex frameworks easy to understand and simple to use creates a competitive advantage for Advisera's clients, and that AI technology is crucial for achieving this.

As an ISO 27001 and NIS 2 expert, Dejan helps companies find the best path to compliance by eliminating overhead and adapting the implementation to their size and industry specifics.