
ISO 27001 Without a Consultant? Risks, Costs, and an Honest Comparison

Clara (ClaraFrance), Documentation Lead · 06-06-2026 · 6 min read · INFOSEC

The question comes up regularly: "Can't we do ISO 27001 ourselves?" The answer is almost always the same: technically yes, strategically rarely advisable. CISOs at SMEs who approach ISO/IEC 27001 without prior experience in management systems systematically underestimate three factors: the time investment, the interpretive latitude built into the standard, and the cost of a failed audit.

This article gives an honest breakdown of what both paths cost, uses concrete before/after examples to show where DIY projects fail, and identifies the one condition under which self-implementation is defensible.

What the Standard Actually Requires

ISO/IEC 27001:2022 defines requirements for an Information Security Management System (ISMS). The standard is structured across ten clauses plus Annex A, which contains 93 controls.[1] The key point: the standard does not prescribe how a company implements security, only that it has a demonstrably managed process.

That is exactly where many SMEs take a wrong turn. They read "93 controls" and start implementing technical controls. What gets overlooked: before a single control is put in place, the standard requires a documented risk assessment, a defined scope, and information security objectives established by top management.[1]

The BSI describes a methodologically analogous approach in its Standard 200-2: structure analysis first, protection requirements next, then control selection.[2] Anyone who reverses this sequence is building on sand and will be told so at the Stage 1 audit at the latest.

The Cost Myth

"With a consultant it costs 50,000 euros. We'll do it ourselves." This calculation contains a logical flaw.

Before: internal DIY approach (example company: 120 employees)

Item                                        | Assumption               | Cost (EUR)
CISO as project lead (internal)             | 400 hours at 100 EUR     | 40,000
IT staff for documentation                  | 200 hours at 70 EUR      | 14,000
External training                           | 3 people, 2 courses each | 9,000
Initial certification audit (Stage 1 and 2) | Certification body       | 12,000
Remediation after Stage 1                   | 80 hours and measures    | 11,000
Total                                       |                          | approx. 86,000

After: with an experienced consultant (same company)

Item                                        | Assumption               | Cost (EUR)
Consulting fees                             | 300 hours at 150 EUR     | 45,000
Internal effort (reduced)                   | 150 hours at 100 EUR     | 15,000
Initial certification audit (Stage 1 and 2) | Certification body       | 12,000
Total                                       |                          | approx. 72,000

The consultant costs less here than the DIY route. Not because their hourly rate is lower, but because they prevent mistakes that become expensive internally. A failed initial audit pushes the go-live back three to six months and generates renewed internal effort. That is still the more favorable scenario. According to IBM Security, a data breach at a company of this size costs an average of USD 4.45 million.[5]

The Three Most Common DIY Mistakes

1. Scope Defined Too Broadly

Defining the scope too broadly means auditing more than necessary and failing on sheer volume. The standard explicitly allows a narrow scope definition.[1] A consultant with project experience knows the line between "audit-ready" and "overambitious." That reference frame is almost always missing internally because there is no baseline for comparison.

2. Documentation as an End in Itself

The Diátaxis framework distinguishes four documentation types: tutorial, how-to guide, explanation, and reference.[6] In ISO 27001 projects, internal work almost exclusively produces reference documentation: policies, records, and registers. What is missing are operational how-to guides for the people who actually carry out the work.

Before (typical DIY output):

"Passwords must be at least 12 characters long and contain special characters. Passwords must be changed every 90 days."

That is a policy. No auditor will reject it. But when a helpdesk employee needs to reset a password, they have no idea which system to open, which procedure applies, or who needs to be notified.

After (operational how-to guide as a complement):

"Password reset:
1. Log in to the IT portal at https://it.intern.
2. Select 'User Management'.
3. Search for the affected account.
4. Click 'Reset Password' and choose 'Temporary'.
5. Notify the user by phone of the temporary password and remind them of the mandatory change on first login."

This difference is not cosmetic. Without operational process documentation, no auditor will accept "implemented" as the status for operational controls. Policies describe the goal; how-to guides describe the path to get there.

3. Risk Assessment Without Methodology

The standard requires a documented risk assessment but leaves the methodology open.[1] DIY approaches frequently produce tables that name risks but contain no traceable scoring logic. ENISA recommends a simplified but methodologically consistent approach for SMEs, with clearly defined likelihood and impact scales.[4] Without consistency, the assessment cannot be defended in an audit. The question "Why does this risk score 12 and that one score 6?" must be answerable at any time.
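An added example (not from the article, ENISA or the standard) of the traceable scoring logic this paragraph asks for: likelihood and impact scales defined in words, one score formula, and a function that answers "why does this risk score 12 and that one 6?" from the scales alone. The 1 to 5 scales, the treatment threshold and the register entries are constructed assumptions.

```python
from dataclasses import dataclass

# Assumed 1-5 scales. Every level is defined in words so an auditor can check
# why an entry was given that level, not just what number it has.
LIKELIHOOD = {1: "rare (less than once in 5 years)",
              2: "unlikely (once in 2 to 5 years)",
              3: "possible (about once a year)",
              4: "likely (several times a year)",
              5: "almost certain (monthly or more often)"}
IMPACT = {1: "negligible", 2: "minor", 3: "moderate",
          4: "major (regulatory or contractual breach)",
          5: "severe (business continuity threatened)"}
TREATMENT_THRESHOLD = 8   # assumption: scores >= 8 need a documented treatment plan

@dataclass(frozen=True)
class Risk:
    risk_id: str
    description: str
    likelihood: int
    impact: int

def score(risk: Risk) -> int:
    """Score = likelihood x impact. Values outside the defined scales are rejected
    so that no entry in the register can carry an unexplained number."""
    if risk.likelihood not in LIKELIHOOD or risk.impact not in IMPACT:
        raise ValueError(f"{risk.risk_id}: likelihood/impact outside the defined scales")
    return risk.likelihood * risk.impact

def rating(s: int) -> str:
    """Maps a score to the assumed rating bands used for prioritisation."""
    if s >= 15:
        return "high"
    if s >= TREATMENT_THRESHOLD:
        return "medium"
    return "low"

def justify(risk: Risk) -> str:
    """Produces the audit answer to 'why does this risk score N?' from the scales."""
    s = score(risk)
    return (f"{risk.risk_id} scores {s} ({rating(s)}): likelihood {risk.likelihood} = "
            f"{LIKELIHOOD[risk.likelihood]}; impact {risk.impact} = {IMPACT[risk.impact]}")

def needs_treatment(risks) -> list:
    """Returns the ids of register entries at or above the threshold, highest score first."""
    ranked = sorted(risks, key=score, reverse=True)
    return [r.risk_id for r in ranked if score(r) >= TREATMENT_THRESHOLD]

# Constructed sample register (not real company data).
REGISTER = [Risk("R-01", "Laptop with customer data lost", 3, 4),
            Risk("R-02", "Phishing leads to credential theft", 2, 3),
            Risk("R-03", "Backup restore never tested", 4, 5)]
```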

What a Good Consultant Actually Delivers

A good consultant does not primarily bring documents. They bring three concrete things.

Auditor language. They know which phrasing an auditor will accept as sufficient and which will trigger a non-conformity request. This experience cannot be read out of the standard. It comes from repeated involvement in audits on both sides of the table and cannot be replaced by training courses.

Scope experience. They have run comparable implementations at similar companies and know the typical pitfalls for a 150-person manufacturing business or an 80-person IT services firm. This experience substantially compresses the internal learning curve and prevents the project from failing at well-known sticking points.

Project discipline. ISO 27001 rarely fails at SMEs due to a lack of technical knowledge. It fails due to priority conflicts with day-to-day operations. TeleTrusT identifies missing management support as one of the most common causes of failed SME certification projects.[3] An external consultant creates external accountability that is nearly impossible to enforce internally when operational demands compete.

What a good consultant does not deliver: finished documents the company does not understand after the project closes. Any policy the internal team cannot explain becomes a problem at the surveillance audit. The decisive quality criterion for a consulting engagement is whether the internal team can operate the ISMS independently after the project ends.

When DIY Is Defensible

DIY is defensible under exactly one condition: the CISO or the person responsible has demonstrable prior experience with ISO 27001 projects at comparable companies.

This means: active personal involvement in a certification as internal project lead, not as an observer. An ISO 27001 Lead Implementer certificate does not substitute for this experience.

Additional favorable conditions: the company already operates an established quality management system under ISO 9001, management is actively involved, and the project has a dedicated budget for an external readiness review by an independent Lead Auditor before the Stage 1 audit.

If these conditions are not met, a hybrid approach is often more sensible than full self-implementation. In practice: an experienced consultant handles scope definition, risk assessment methodology, and auditor briefing; the internal team handles documentation and operational implementation. This reduces consulting effort to 100 to 150 hours while keeping the critical junctures in professional hands.

Conclusion

ISO 27001 consulting for SMEs is not a luxury, nor a sign of insufficient competence. It is a risk decision. In practice, the DIY route costs more than the consulting option, takes longer, and ends more often with audit non-conformities.

Anyone who wants to start without a consultant needs at minimum a clearly bounded scope, a documented and consistent risk assessment methodology, and an external readiness review before the Stage 1 audit. Everyone else should treat the investment in external consulting for what it is: an insurance premium against avoidable mistakes in a project that forms the foundation for every future security attestation.

Sources

[1] ISO/IEC 27001:2022. Information security, cybersecurity and privacy protection. Information security management systems. Requirements. International Organization for Standardization, Geneva, 2022.

[2] Bundesamt für Sicherheit in der Informationstechnik (BSI). BSI Standard 200-2: IT-Grundschutz Methodology. Version 1.0. BSI, Bonn, 2017. https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Grundschutz/BSI_Standards/standard_200_2.pdf

[3] TeleTrusT -- Bundesverband IT-Sicherheit e.V. Information Security Guide for SMEs. TeleTrusT, Berlin, 2024. https://www.teletrust.de/publikationen/leitfaeden/

[4] ENISA. Cybersecurity guide for Small and Medium-sized Enterprises. European Union Agency for Cybersecurity, Athens, 2021. https://www.enisa.europa.eu/publications/cybersecurity-guide-for-smes

[5] IBM Security / Ponemon Institute. Cost of a Data Breach Report 2023. IBM Corporation, Armonk, NY, 2023. https://www.ibm.com/reports/data-breach

[6] Procida, Daniele. Diátaxis: A systematic framework for technical documentation. 2017 (continuously updated). https://diataxis.fr
