Working with External Consultants: How to Make Your ISMS Project a Success

TL;DR
  • External consultants are especially valuable when building an ISMS for the first time, preparing for certification, and when internal experience or capacity is lacking.
  • There are three consulting models: full consulting, coaching, and targeted support. The right model depends on internal competence and budget.
  • Red flags in consultant selection: no verifiable references, unrealistic timeline promises, one-size-fits-all solutions without considering company size.
  • Knowledge transfer must be agreed upon and structured from the start. When the consultant leaves, the company must be able to operate the ISMS independently.
  • Realistic costs for an ISMS project with external support range from 30,000 to 80,000 euros for an SME with 50 to 250 employees, depending on the consulting model.

When Does External Support Make Sense?

Not every company needs an external consultant to build an ISMS. But many companies benefit significantly from one, especially when certain conditions apply.

The most obvious case: you're building an ISMS for the first time and nobody in the company has done it before. The learning curve with ISO 27001 and NIS2 is steep, the standards texts are abstract, and translating them into practice requires experience that can only be gained through projects. An experienced consultant has guided dozens of ISMS projects and knows which approaches work in practice and which only look good on paper.

The second typical case: you have the competence in-house but not the capacity. The ISO (information security officer) handles the topic alongside their actual job, the IT department is tied up in daily operations, and there simply aren't enough hours for a dedicated ISMS project. An external consultant can create capacity here by taking over certain tasks or by guiding the internal team so efficiently that the effort remains manageable.

The third case is certification preparation. When an ISO 27001 certification is approaching, an external perspective is almost always worthwhile. A consultant who knows certification audits can prepare documentation so the auditor can review it efficiently, and they can identify weaknesses that may have been overlooked internally due to operational blindness.

When is a consultant less worthwhile? When you're a small company with manageable complexity and are willing to learn the material yourself. When you already have experience with management systems (e.g., ISO 9001) and know the methodology. Or when you simply aren't prepared to actively participate — because then even the best consultant will fail.

Three Consulting Models Compared

Consulting is not one-size-fits-all. There are fundamentally different approaches that vary significantly in effort, cost, and outcomes. Choosing the right model is one of the most important decisions at the start of the project.

Model 1: Full Consulting

In full consulting, the consultant leads the ISMS project. They create the documentation, conduct risk analyses, develop policies, and prepare the company for certification. The internal team is involved, but the consultant drives the project.

Advantages: Fast results, low burden on the internal team, high quality of outcomes if the consultant is good.

Disadvantages: High costs, strong dependency on the consultant, risk that the ISMS doesn't fit the company ("consultant's ISMS"), and the most critical problem: when the consultant is done, often nobody in the company can continue running the ISMS.

Suitable for: Companies with very little internal capacity and high time pressure — e.g., when certification must be in place within six months and there's no dedicated ISO internally.

Model 2: Coaching

In the coaching model, project leadership lies with the internal team. The consultant serves as a sparring partner, reviews results, provides methodological guidance, and helps with difficult topics. The actual work — writing policies, conducting risk analyses, implementing processes — is done by the internal team.

Advantages: Significantly cheaper than full consulting, knowledge stays in the company, the ISMS is shaped by the people who will also operate it, and internal competence grows with the project.

Disadvantages: Requires significant internal capacity, takes longer than full consulting, and the internal team must be willing to dive deep into the subject matter.

Suitable for: Companies with a dedicated ISO or IT security manager who is given the necessary time and is willing to learn the topic. This is the most recommended model in most cases.

Model 3: Targeted Support

In targeted support, the consultant is brought in only for specific, clearly defined tasks. This could be a gap analysis, a documentation review before the certification audit, conducting an internal audit, or support with a particularly complex risk analysis.

Advantages: Most affordable, very flexible, targeted deployment where it adds the most value.

Disadvantages: Requires that the company already has basic ISMS competence and knows where it needs help. No overall perspective from the consultant, so there's a risk of overlooking gaps.

Suitable for: Companies that already operate an ISMS and want to develop it further, or companies with an experienced ISO who need a second opinion on specific topics.

Finding the Right Consultant

Choosing the consultant is crucial for project success. A good consultant can make the difference between an ISMS that's in place within six months and is actually lived, and a project that drags on for two years and ends up in a drawer.

Qualifications That Matter

Certifications. An ISO 27001 Lead Auditor or Lead Implementer certificate is a good indicator of methodological competence. It's no guarantee of good consulting, but it shows the person has systematically engaged with the topic. Additionally relevant certifications: CISM (Certified Information Security Manager), CISSP (Certified Information Systems Security Professional), or BSI IT-Grundschutz Practitioner.

Industry experience. A consultant who primarily advises large corporations will struggle to design a pragmatic ISMS for an SME with 80 employees. Conversely, an SME consultant may not know the requirements of regulated industries like finance or healthcare. Specifically ask about experience with companies of your size and industry.

References. Ask for concrete reference projects, ideally with the option to check with a previous client. A reputable consultant will be able to offer this. References don't need to be named specifically (confidentiality), but the consultant should be able to name at least the industry, size, and scope of their projects.

Red Flags: How to Spot a Bad Consultant

Unrealistic timeline promises. "We'll make your ISMS certification-ready in four weeks" sounds tempting but is unrealistic in the vast majority of cases. Building an ISMS typically takes six to twelve months for an SME, even with intensive consultant support. Anyone promising otherwise either delivers a superficial paper solution or doesn't understand the requirements.

One-size-fits-all solution. If a consultant brings a ready-made document package to the initial meeting and says "You just need to fill this in," proceed with caution. An ISMS must fit the company, not the other way around. Templates are a good starting point, but they must be individually adapted. A consultant who only sells templates doesn't deliver a functioning ISMS.

No interest in your company. A good consultant asks many questions in the initial meeting: about your business processes, your IT landscape, your industry, your risk appetite, your internal capacities. A consultant who mainly talks about themselves and presents their own framework without understanding where you stand won't deliver a tailored solution.

Dependency as a business model. Some consultants have an interest in maximizing the client's dependency because it secures recurring revenue. Pay attention to whether the consultant actively promotes knowledge transfer and works toward making themselves unnecessary, or whether they create structures that permanently require their involvement.

No opinion of their own. A consultant who says yes to everything and doesn't voice uncomfortable truths isn't a consultant — they're a contractor. You're paying for expertise and an outside critical perspective. If the consultant isn't willing to tell you that your approach won't work, you're wasting your money.

The Initial Meeting: What You Should Ask

Prepare well for the initial meeting with a potential consultant. The following questions help you separate the wheat from the chaff:

  • How many ISMS projects of our size have you supported in the last three years?
  • What does your typical project approach look like? What do you expect from us?
  • How do you ensure we can operate the ISMS independently after the project ends?
  • What are the most common reasons ISMS projects fail?
  • Can you give an example where you advised a client against a particular measure?
  • How do you handle it when we disagree with your recommendations?
  • What's included in your offer and what isn't?

Structuring the Collaboration

An ISMS project isn't a one-time consulting engagement — it's a collaboration that spans months. For this collaboration to remain productive, clear structures are needed from the start.

Defining Roles Clearly

Who does what? This question must be answered at the start of the project, in writing and in a binding form. A typical role distribution:

The consultant provides methodology, templates, reviews, and best practices. They facilitate workshops, evaluate results, and give recommendations. They don't make decisions about measures — that's the company's responsibility.

The ISO / internal project lead coordinates implementation, gathers information from business departments, creates drafts based on the consultant's templates, and ensures decisions are made and implemented.

Executive management approves the budget, makes strategic decisions, participates in management reviews, and ensures the project gets the necessary priority.

Business departments provide input for risk analyses, implement measures in their areas, and participate in training.

Milestones and Deliverables

Define clear milestones with measurable deliverables at the start of the project. A typical milestone plan for an ISMS build project:

Months 1-2: Assessment and foundations. Gap analysis, scope definition, information security policy, ISMS organization (roles, responsibilities). Deliverables: gap analysis report, scope document, policy.

Months 3-4: Risk management. Asset inventory, risk analysis, risk treatment plan, Statement of Applicability. Deliverables: asset register, risk assessment, SoA.

Months 5-6: Policies and measures. Creation of operational policies (password, access control, backup, incident response, etc.), implementation of prioritized measures. Deliverables: policy package, action plan with status.

Months 7-8: Training and awareness. Security awareness training for all employees, role-specific training for IT and management. Deliverables: training materials, attendance records.

Months 9-10: Internal audit and review. Conducting the internal audit, management review, corrective actions. Deliverables: internal audit report, management review minutes, corrective action plan.

Months 11-12: Certification preparation. Finalize documentation, close open measures, pre-audit (optional). Deliverables: certification-ready documentation, audit readiness report.

Regular Coordination

A fixed coordination rhythm keeps the project on track. Recommended:

Weekly status call (30 minutes). Brief exchange between consultant and internal project lead: what was done, what's coming up, where are there obstacles?

Monthly steering meeting (60 minutes). With an extended group of participants (executive management, department heads): progress report, milestone review, decisions on open items.

Quarterly review (half day). Strategic assessment: are we on the right track? Do we need to adjust the plan? Are there new requirements to consider?

Ensuring Knowledge Transfer

Knowledge transfer is the area where most ISMS consulting projects fail. Not because the consultant does poor work, but because the transfer isn't consciously planned. If the consultant finishes the project and the internal team can't operate the ISMS independently, the project was just an expensive paper tiger.

Transfer from Day One

Knowledge transfer isn't an event at the end of the project — it's a continuous process. The consultant should explain with every activity why they're doing something a certain way and not differently. The internal team should actively participate in every workshop, every review, and every analysis — not as spectators but as participants.

A proven approach: for each deliverable, the consultant creates the first draft together with the internal team. The second time, the internal team creates the draft and the consultant reviews. The third time, the internal team can do it independently. This "demonstrate, participate, do it yourself" principle ensures competence is systematically built.

What Must Be Documented

Beyond the ISMS documents themselves, the consultant should document or convey the following in training:

  • Methodology and decision rationale (Why was the risk analysis conducted this way? Why were certain measures prioritized?)
  • ISMS operations manual (What activities must be performed regularly? When? By whom?)
  • Review cycles and KPIs (How do you measure maturity? How do you recognize when something isn't working?)
  • Escalation paths (What to do when a situation arises that the consultant hasn't covered?)

Agreeing on an Exit Strategy

Agree on a clear exit strategy with the consultant from the beginning. This means: at what point should the internal team be able to fully operate the ISMS independently? What criteria must be met? Is there a transition phase with reduced consultant support?

A proven structure: after the main project concludes, there's a three-month transition phase during which the consultant is available on demand and provides support as needed. This phase reveals whether the knowledge transfer was successful. After that, the engagement can be reduced to an annual review.

Common Mistakes in the Collaboration

From practice, a number of mistakes can be identified that cause ISMS projects with external support to fail, or at least to be significantly delayed.

Letting the consultant work alone. If you commission the consultant and then sit back, you'll get an ISMS that the consultant understands but your company doesn't. Active participation of the internal team isn't a friendly recommendation — it's a prerequisite for project success.

No internal project owner. Someone in the company must own the project. Not the consultant, but an internal person who can make decisions, has access to all relevant information, and drives implementation within the company. Without this internal anchor, the project remains a consulting engagement instead of an internal initiative.

Perfectionism in documentation. Some teams spend months perfecting a single policy instead of moving forward with a solid 80% draft and improving the policy during operations. A good consultant will put the brakes on here and push for pragmatism. If they don't, they may be driving up their fees.

Too little management attention. When executive management delegates the project to the ISO and the consultant and then disappears, the project lacks the necessary backing. Measures aren't implemented because nobody prioritizes them. Budgets aren't approved because the topic isn't a management priority. The consultant can't replace executive management.

No realistic resource planning. An ISMS project requires internal capacity. If the team is supposed to build an ISMS alongside daily operations without dedicated time, the project will inevitably be delayed. Plan realistically: an ISO needs at least 40-60% of their working time for the ISMS during the build phase, and business departments must be available for workshops and interviews.

Scope creep. The project starts with the goal of building an ISMS for core processes. Then comes the requirement to also include production OT. Then TISAX should be done at the same time. And data privacy gets integrated too. Each individual expansion may be sensible, but in total, the scope can grow to the point where the project becomes unmanageable. Keep the initial scope tight and expand deliberately in later phases.

Estimating Costs Realistically

Consulting costs are a topic people prefer not to discuss. Here's a realistic overview for mid-market companies:

Daily Rates

Experienced ISMS consultants charge between 1,200 and 2,000 euros per day (net), depending on experience, specialization, and region. Highly specialized consultants (e.g., for regulated industries like finance or healthcare) may charge more. Consultants below 1,000 euros per day aren't necessarily bad, but experience shows that very low daily rates often indicate a lack of experience, or the consultant compensates for the lower rate by billing more days.

Total Costs by Consulting Model

Full consulting for an SME (50-250 employees): 50,000 to 120,000 euros, depending on complexity and scope. Typically 40 to 80 consultant days over a period of 9 to 15 months.

Coaching model: 25,000 to 60,000 euros. The consultant is on-site or in calls fewer days (typically 20-40 days), while the internal team does more work themselves. Generally the best value for money.

Targeted support: 5,000 to 20,000 euros, depending on scope. Gap analysis: 3-5 days. Internal audit: 3-5 days. Document review: 5-10 days. Pre-audit check: 2-3 days.

Additional Costs

Beyond consultant fees, there are additional costs that are often forgotten:

  • Internal personnel costs (the ISO works significantly on the ISMS for 6-12 months)
  • Software/tools (ISMS software, risk management tool, training platform)
  • Training for the internal team (e.g., ISO 27001 Lead Implementer course: approx. 2,500-3,500 euros per person)
  • Certification costs, if pursued (initial certification: 8,000-25,000 euros for an SME)

Optimizing Costs

The most effective way to optimize consulting costs: good preparation. The better you're prepared for the consulting engagement, the more efficiently the consultant can work. Specifically, this means:

  • Collect all relevant documents in advance (org chart, IT landscape, existing policies, contracts with IT service providers)
  • Ensure the right contacts are available for workshops
  • Complete agreed tasks between consultant appointments
  • Use consultant time for topics you can't solve yourself, not for tasks you could handle with a good template

A well-prepared company can reduce consultant days by 20-30%. At daily rates of 1,500 euros, that's quickly 10,000 to 15,000 euros in savings. Tools like ISMS Lite provide a structured framework with practical implementation guidance, AI-assisted policy creation, and guided workflows, so you can prepare much of the work yourself and use consultant time for strategic questions rather than documentation busywork.

The investment in a good consultant generally pays off when you choose the right consulting model and structure the collaboration well. The most expensive mistake isn't the consulting itself, but a failed project that has to be started over from scratch.
