{"id":7434,"date":"2015-09-28T18:35:22","date_gmt":"2015-09-28T18:35:22","guid":{"rendered":"https:\/\/multiacademstg.wpengine.com\/27001academy\/?p=7434"},"modified":"2026-03-23T15:03:36","modified_gmt":"2026-03-23T15:03:36","slug":"3-phases-of-delivering-an-iso-27001iso-22301-consulting-job","status":"publish","type":"post","link":"https:\/\/staging.advisera.com\/27001academy\/blog\/2015\/09\/28\/3-phases-of-delivering-an-iso-27001iso-22301-consulting-job\/","title":{"rendered":"3 phases of delivering an ISO 27001\/ISO 22301 consulting job"},"content":{"rendered":"<p>If you\u2019re an independent consultant at the beginning of your career, you\u2019re probably wondering how to perform your first consulting job for <a href=\"\/27001academy\/what-is-iso-27001\/\" target=\"_blank\" rel=\"noopener noreferrer\">ISO 27001<\/a>\u00a0or <a href=\"\/27001academy\/what-is-iso-22301\/\" target=\"_blank\" rel=\"noopener noreferrer\">ISO 22301<\/a> implementation. But, don\u2019t worry \u2013 here\u2019s what you need to do.<\/p>\n<h2 style=\"padding-top: 10px; padding-bottom: 10px;\">Steps before you start the project<\/h2>\n<p>If this is really your first job, the chances are you don\u2019t have enough knowledge for the implementation of these standards \u2013 therefore, it is always a good thing to prepare as much as possible. This article will help you: <a href=\"https:\/\/staging.advisera.com\/27001academy\/blog\/2014\/07\/21\/how-to-become-an-iso-27001-iso-22301-consultant\/\" target=\"_blank\" rel=\"noopener\">How to become an ISO 27001 \/ ISO 22301 consultant<\/a>.<\/p>\n<p>Further, if you\u2019re doing this for the first time, you\u2019ll need templates for all the policies, procedures, and plans, as well as for your consulting work (project plan, consulting proposal, presentations, etc.) 
\u2013 see this <a href=\"https:\/\/staging.advisera.com\/27001academy\/consultants\/\" target=\"_blank\" rel=\"noopener noreferrer\">Consultant toolkit to get some ideas<\/a>.<\/p>\n<p>The next thing is to make sure you set the right expectations with the client \u2013 you have to clarify who is going to run the project, who organizes the meetings, who performs the interviews and analysis, who writes the documentation, etc. The best thing is to document all of these either as part of your consulting proposal, or as part of the consulting agreement. Also, when a question arises regarding how long the project will last, you can use this <a href=\"https:\/\/staging.advisera.com\/27001academy\/free-tools\/free-calculator-duration-of-iso-27001-iso-22301-implementation\/\" target=\"_blank\" rel=\"noopener noreferrer\">ISO 27001 \/ ISO 22301 Implementation Duration Calculator<\/a>.<\/p>\n<p>I\u2019ll give you some tips on who should do what in the next section, but let me emphasize one crucial thing here: you, as an external consultant, cannot run the project. The project manager needs to be someone from inside the company, someone who knows the people, the processes, and the specific ways things are done in that company very well; most importantly, this project manager needs to have enough authority to push the project when needed, and this is something the outside consultant cannot do. (See also: <a href=\"https:\/\/staging.advisera.com\/27001academy\/blog\/2014\/12\/01\/who-should-be-your-project-manager-for-iso-27001-iso-22301\/\" target=\"_blank\" rel=\"noopener\">Who should be your project manager for ISO 27001\/ISO 22301?<\/a>)<\/p>\n<p>Finally, a very important element for the success of the project is the support from the top management of the company \u2013 I don\u2019t mean just theoretical support here, but real support in terms of money, human resources, and willingness to eliminate the obstacles once they turn up (and, believe me, they will turn up). 
To get this support, the project manager (probably with your assistance) needs to present the business benefits to the top management \u2013 see these articles: <a href=\"\/27001academy\/knowledgebase\/iso-27001-implementation-checklist\/#benefits\" target=\"_blank\" rel=\"noopener noreferrer\">Four key benefits of ISO 27001 implementation<\/a>\u00a0and <a href=\"https:\/\/staging.advisera.com\/27001academy\/knowledgebase\/iso-22301-benefits-how-to-get-your-managements-approval-for-a-business-continuity-project\/\" target=\"_blank\" rel=\"noopener noreferrer\">ISO 22301 benefits: How to get your management\u2019s approval for a business continuity project<\/a>.<br \/>\n<div class=\"responsive-video-wrapper\"><iframe loading=\"lazy\" title=\"Conformio for Consultants: A Complete Guide to ISO 27001 GRC Software\" width=\"500\" height=\"281\" src=\"https:\/\/www.youtube.com\/embed\/jCOLVk5NrIA?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen><\/iframe><\/div><\/p>\n<h2 style=\"padding-top: 10px; padding-bottom: 10px;\">Steps during the implementation<\/h2>\n<p>Of course, the formal start of the project should be the development of the project plan \u2013\u00a0<a href=\"https:\/\/staging.advisera.com\/27001academy\/free-downloads\/#project-plan-for-iso-27001-iso-22301-implementation-ms-word\" target=\"_blank\" rel=\"noopener noreferrer\">here you\u2019ll find a free template<\/a>.<\/p>\n<p>Basically, the steps in the implementation are determined by the standards themselves, since they are written in a sequential way \u2013 here you can see an overview of the main steps: <a href=\"https:\/\/staging.advisera.com\/27001academy\/knowledgebase\/iso-27001-implementation-checklist\/\" target=\"_blank\" rel=\"noopener noreferrer\">ISO 27001 implementation checklist<\/a>\u00a0and <a 
href=\"https:\/\/staging.advisera.com\/27001academy\/knowledgebase\/17-steps-for-implementing-iso-22301\/\" target=\"_blank\" rel=\"noopener noreferrer\">17 steps for implementing ISO 22301<\/a>.<\/p>\n<p>But, let me emphasize the best practice on how the job should be divided between the consultant and the client:<\/p>\n<ul>\n<li>Project management \u2013 as mentioned earlier, this should be the client\u2019s part of the job.<\/li>\n<li>Who organizes the meetings \u2013 since this is part of the project management, again, it\u2019s the client\u2019s job.<\/li>\n<li>Who performs the interviews \u2013 this is normally done by you, because you need the input information for writing the documents.<\/li>\n<li>Who performs the analysis \u2013 again, your job; you have to know why particular controls are needed.<\/li>\n<li>Writing and reviewing the documents \u2013 you should write the documents; however, you should ask the client to actively participate in reviewing them. That way, you will get not only the most appropriate rules, but also the commitment of those employees who will work with you. 
(See also: <a href=\"https:\/\/staging.advisera.com\/27001academy\/knowledgebase\/seven-steps-for-implementing-policies-and-procedures\/\" target=\"_blank\" rel=\"noopener noreferrer\">Seven steps for implementing policies and procedures<\/a>.)<\/li>\n<li>Approving documents \u2013 this is obviously the top management\u2019s task.<\/li>\n<li>Making sure that the policies and procedures are implemented \u2013 this is something the client has to do, i.e., their project manager.<\/li>\n<\/ul>\n<p>Here are two more tips on how to make the implementation more successful:<\/p>\n<ul>\n<li>First, you should recommend that your client approve and implement the documents one by one, not all at the same time \u2013 a couple of times I\u2019ve seen companies approve 20 policies and procedures on the same day, only to find out later that the employees were both puzzled and negative towards such a large number of rules.<\/li>\n<li>Second, you should organize training and awareness sessions in parallel to publishing the documents \u2013 this way, the company will be able to explain to their employees not only how to perform certain security\/business continuity activities, but also why they are needed.<\/li>\n<\/ul>\n<h2 style=\"padding-top: 10px; padding-bottom: 10px;\">Steps after the implementation<\/h2>\n<p>At the very end of the project you should deliver a final presentation to the top management \u2013 the purpose of such a presentation is to show how your contract has been (successfully) fulfilled, and how all the expectations have been met.<\/p>\n<p>And, if you see that the top management is satisfied with what they\u2019ve got for their money, you should ask them for a recommendation \u2013 they can do this in a formal way on their company letterhead, but lately recommendations through LinkedIn have become more and more significant.<\/p>\n<p>Of course, it would be nice if you could get some recurring revenue from the clients \u2013 therefore, you should offer to perform 
some jobs that need to be done repeatedly. If they don\u2019t have their own internal auditor, you can act as one; if they need training, you can always jump in; if they need help when the standard changes, you should be there for them. Therefore, be creative and think about what you can offer to get more revenue from past clients.<\/p>\n<h2 style=\"padding-top: 10px; padding-bottom: 10px;\">What to be most careful about<\/h2>\n<p>Many things can go wrong in a project like this. But, in my experience, there is one major cause for most unsuccessful projects: lack of top management commitment. If they don\u2019t understand this project well enough, they won\u2019t devote enough money or enough people to it; when the project gets stalled, they won\u2019t have the motivation to eliminate the problem.<\/p>\n<p>So, it is not enough to get a contract with your client \u2013 you have to sell the whole idea to their top management even before you start with the implementation.<\/p>\n<p><em>Click here to see an\u00a0<\/em><a href=\"https:\/\/staging.advisera.com\/27001academy\/consultants\/\" target=\"_blank\" rel=\"noopener\">ISO 27001 &amp; ISO 22301 Consultants White Label Toolkit<\/a><em>\u00a0that will help you with the detailed steps in the implementation project, as well as provide all the required templates.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>If you\u2019re an independent consultant at the beginning of your career, you\u2019re probably wondering how to perform your first consulting job for ISO 27001\u00a0or ISO 22301 implementation. But, don\u2019t worry \u2013 here\u2019s what you need to do. 
Steps before you start the project If this is really your first job, the chances are you don\u2019t &#8230;<\/p>\n","protected":false},"author":26,"featured_media":7435,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[380,381,853],"class_list":["post-7434","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-blog","tag-iso-22301","tag-iso-27001","tag-iso-27001-consulting"],"acf":[],"_links":{"self":[{"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/7434","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/users\/26"}],"replies":[{"embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/comments?post=7434"}],"version-history":[{"count":3,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/7434\/revisions"}],"predecessor-version":[{"id":105297,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/posts\/7434\/revisions\/105297"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/media\/7435"}],"wp:attachment":[{"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/media?parent=7434"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/categories?post=7434"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/staging.advisera.com\/27001academy\/wp-json\/wp\/v2\/tags?post=7434"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}