How to select an ISO27001 Implementation partner?

While choosing ISO27001 consultant or implementation partner, usually companies do not know the basis on which they should select the right vendor. Below guidelines may help in making a constructive and strategic decision in this regards. Due to lack of adequate awareness and hence as a common practice, organizations choose to select ISO27001 Consultant Company purely based on cost.

This actually puts them in a trouble spot over the period, because there are many elements to be considered in terms of the vendor’s credibility than just the cost aspects. We are going to use the word “ISO 27001 implementation partner” here, instead of vendor. This is because any compliance ownership is necessarily a strategic partnership and not just a onetime contract. The partner selection parameters are as below.


ISMS Partner personnel’s credibility

Is established in the industry for at least 10 years demonstrating credibility?

Is having ISO 27001 implementation experience for multiple industry domains?

Are the implementing personnel to be deployed, certified as ISO 27001 Lead Auditors?

Are the implementing personnel to be deployed, having at least some experience in your industry sector? (should not only be IT experience)


ISMS Partner’s Firms credibility

Is the firm itself aware of your industry domain’s latest risks by virtue of their clientele?

Is the firm itself certified with ISO 27001, demonstrating the due diligence toward infosec?

Is the firm certified with other relevant certifications such as HIPAA, GDPR, SOC2 , ISO9001?


ISMS Partner’s Approach

Do they know the meaning of overall business risk and not just info security risk?

Is their approach very practical to gauge risk, as opposed to being only bookish?

Is their risk assessment approach, a process based?

Do they conform to start the project with a gap analysis audit?

Do they wish to understand your business first, instead of directly jumping to policy creation?

Do they want to find as many non-conformities (NC) as possible?


ISMS Partner’s Operations

Is the partner’s firm ready to operate in safe and agile manner?

Is the partner’s firm offering reduced cost just to win the contract? (which may reduce quality)

Is the partner’s firm going to write policies and procedures from scratch, or copy-paste?

Is the partner’s firm capable of operating without a prejudice or influence?


Selecting an ISO27001 ISMS implementation partner can be a complex and time consuming process. The real focus must not be only on the cost. This is because doing so is also a long term risk for the organization by selecting a vendor who cuts costs as well as corners in the service delivery. Tips above can help purchase or sourcing department to answer the simple question "how to select ISO27001 vendor company"?


Our Culture

Valency Networks is a very agile, friendly and fun loving atmosphere and yet we maintain a cutting edge technical vibrant work environment.