Occasionally, I’m shocked at what companies spend on ISO 27001 certification.. An MD recently told me he had been quoted £1500 a day for implementing an ISO 27001 Information Security System, with a minimum of 14 days consultancy required, a total cost of £21000. Nice work if you can get it.
In contrast, I recently implemented such a system for a local business for less than £6000, including certification by one of the World’s leading independent bodies. Was it the same? Yes. Did I leave anything out? No. So why the difference ?
And, just one more time, what is ISO 27001? It’s an International Standard intended to establish an IT and Information Security System in a business.
And “Why ISO 27001?” Hacking, spoofing, virus attacks, and all kinds of cybercrime are a hot topic. Threats to your business are no longer from local criminals, but may come from another continent, and a burglar alarm won’t keep them out. Certain organisations will insist on it as a minimum requirement before even contemplating doing business with your company.
So, why such a difference in cost for an identical ISO 27001 certification service?
First I deliver the system myself, so nobody is taking large commissions for passing it onto people with the right skills. No brokers, middle-men, agencies. I am the actual person with the skills and experience, a strong background in telecommunications and IT, and promise to deliver a fully compliant system first time. Full stop. I’ll even offer you a guarantee that if you don’t pass first time I’ll work for you for free until you do. I don’t have a large expensive office or employ an army of expensive sales and marketing staff.
I’m based in The East Midlands, close to Derby, Nottingham, and Leicester, rather than Central London, so I’m not paying big city overheads, yet can reach all the major business centres of the UK within a few hours. All this means I can bring you an excellent service with the minimum of overheads, the essence of effective consulting but without the superfluous corporate trappings.
But is this “low cost ISO certifcation”, that is, “approval-lite”? Not at all. I used to be an auditor with a world leading certification body, which gives both you and me some significant advantages – I understand ISO systems and certification requirements intimately, sometimes better than those who audit them. I’ve worked for a number of major corporate bodies as head of quality, which involved high levels of security clearance, so I bring experience gained in some of the UK’s most prestigious corporates, but without those associated costs. It also means I have read systems by many world leading companies including those which feature heavily documented procedures and systems which appear to be generated by consultants paid per word.
I’ve had to endure them, and I don’t want my customers to do so. They waste time, and hence money. I write concise, easy to understand ISO 27001 Certification documents where they are truly necessary, and educate and train your staff where the requirement is simply one of competence.
This means I can be quicker and more relevant than many, with simpler systems and hence with fewer areas of potential failure. Now, if you are a World Leading Bank or Insurance Company and have lots of other people’s money to spend, you are welcome to engage someone in from a world famous consultancy with a double-barrelled name and pay them £1500 a day.
On the other hand, if you need a working ISO 27001 Information Security System your staff can easily use, certified to the same standard by the same independent certifiers but for a fraction of the cost, I’d love to hear from you.
Colin Brown
IAIS Ltd
Written by Colin Brown of ISO Consultants