How to become an ISO 27001 / ISO 22301 consultant

If you are thinking about a career change, becoming an independent consultant for ISO 27001 and/or ISO 22301 certainly sounds like an attractive option. But what do you need to know, and what do you need to have to start your own consultancy?

Focus on ISO 27001 or ISO 22301?

In my view, it should be and instead of or – these standards are very similar and very compatible, so it makes sense that you help your clients with both of them. Once you grasp one standard, it will be only a small step further to fully understand the other one.

What qualifications do you need?

It’s a funny thing, but there are no formal qualifications needed, at least not in most countries. This basically means anyone can become a consultant, with no qualifications whatsoever.

However, if you want to become a consultant respected by potential clients, you should have at least the following:

ISO 27001/ISO 22301 certificates – you should at least get the Lead Auditor or Lead Implementer certificate, but it would be better if you had both.

Project management certificate – since your work will be nothing but delivering projects, you should learn how to run them. For instance, you should get PMP, or some other similar certificate.

Experience – theoretical knowledge won’t be enough, so you should get experience through at least one of the following:

  • Work as a certification auditor – performing certification audits will give you an excellent insight into the do’s and don’ts of ISO 27001 and ISO 22301 implementation, or
  • Work for another consultant – this is the best way to learn about the implementation methods and how to get new clients, or
  • Work as an information security or business continuity practitioner – working in a company is an excellent way to learn the client side of the story: What are the usual pains? What is the expert help needed for?

What else do you need?

Besides getting the knowledge already mentioned above, you will also need some other tools and sources of knowledge:

  • Books – there are many books available on ISO 27001 and ISO 22301.
  • Documentation templates – when starting to work with your clients you will need templates of ISO 27001/ISO 22301 policies and procedures to speed up your work.
  • Templates for proposals and presentations – what you show to potential clients must be very comprehensive and professional.
  • Tools – besides a laptop and MS Office, you will also need some kind of customer relationship management (CRM) software or an online service, because you must track all the potential clients and in which phase you currently are with each of them.
  • Social media skills – you will have to learn how to communicate through Twitter, Facebook and LinkedIn, since these will be important channels for getting new clients.
  • Website development skills – if you decide to publish articles, you will need to know at least how to publish a blog.

How to find the clients

Believe it or not, this is by far the most difficult task – this is where most would-be consultants have failed, no matter how knowledgeable they were about ISO 27001 or ISO 22301.

There are several ways you should market your services:

  • Use your contacts from previous jobs – for example, arrange a deal with the client even before you start your consultancy in order to avoid a gap once you start your new job; this is probably the best way to start your career, but you must be careful to stay within the ethical limits – you should not hurt your old employer because of this.
  • Direct sales – you should spend at least 30% of your time dialing phone numbers and delivering presentations to potential clients – this is basically the best way to close the deal.
  • Speaking at conferences – this is one of the best ways to build your credibility, and to get new contacts. Just make sure to practice your presentation skills, because otherwise, you may end up with even less credibility than you had previously.
  • Writing expert articles – you should publish your articles in specialized magazines and on the Internet – this way, you will show your expertise to the whole world.
  • Delivering courses – this is an excellent way to get new contacts and prove your expertise.
  • Partnerships – perhaps you can find some vendors who are compatible (and not competing) with your service – in such cases, when they get a deal they may bring you a new client.

And remember – clients aren’t going to rush in on the first day you start your consultancy; on the contrary, in the beginning you will probably have fewer clients than you imagined – even in your worst-case scenario. This is because the sales cycle is very long – it usually takes a lot of time for a client to decide to go for a project.

I’m not saying that a good consultant must be more skilled in marketing than in ISO 27001 or ISO 22301 – I’m just saying that marketing skills and efforts should not be neglected, because without them your main expertise will never reach the clients.

Focus on what’s best for the client

In this article I wanted to present the prerequisites for becoming a consultant – the methods for delivering the ISO 27001 or ISO 22301 project wouldn’t fit in this article.

But in the end, remember that reputation is what will bring you new clients. Make sure that everything you do, you do it in the best interest of a client – you shouldn’t recommend some new technology to a client only because you have a partner selling it; you shouldn’t hold back some information only to have your client use your services later on. What you should do is protect your client’s interest and exceed their expectations.

Once clients realize your integrity and capability, they will start recommending you – and this is where your career will take off.
