ISO 27001 for Consultancies: Implementation Guide for Professional Services Firms

ISO 27001 is the international standard for information security management systems. For professional services firms — particularly management consultancies, IT advisers, and strategic advisers handling sensitive client mandates — it signals the security maturity that enterprise clients increasingly demand before sharing confidential data. The certification process typically takes six to twelve months and requires documented controls across fourteen security domains. Here is what consultancies need to know.

ISO 27001:2022 Annex A contains 93 controls grouped into 4 themes — organisational, people, physical, and technological.

What ISO 27001 Requires

ISO 27001:2022 (the current version, which replaced ISO 27001:2013) requires organisations to establish, implement, maintain, and continually improve an Information Security Management System (ISMS). The standard requires:

  • A documented information security policy approved by senior leadership
  • A risk assessment process — identifying assets, threats, vulnerabilities, and controls
  • A Statement of Applicability (SoA) — documenting which of the 93 controls apply and why
  • A risk treatment plan — how identified risks will be addressed
  • Defined roles and responsibilities for information security
  • An internal audit programme and management review process
  • Incident management procedures and a continual improvement cycle

The ISO 27001 Certification Process

Certification requires a two-stage audit by an accredited certification body (UKAS-accredited bodies include BSI, Bureau Veritas, and Alcumus). Stage 1 is a documentation review — the auditor checks your ISMS documentation is complete and compliant. Stage 2 is an implementation audit — the auditor verifies your controls are actually in operation. Surveillance audits occur annually; full recertification every three years. For a typical professional services firm of 20–100 staff, budget £15,000–£40,000 for the first year including consultancy support, tooling, and certification fees.

ISO 27001 vs Cyber Essentials: Which First?

Cyber Essentials is a technical baseline that many clients require and that ISO 27001 subsumes. For most professional services firms, the recommended path is: Cyber Essentials first (establishes technical controls and provides quick commercial wins), then ISO 27001 (adds the management system layer that enterprise clients and regulated-sector clients require). The two certifications are complementary — Cyber Essentials focuses on preventing common attacks; ISO 27001 covers governance, risk management, and the full information security lifecycle.

Frequently Asked Questions

How long does ISO 27001 certification take for a consultancy?

For a professional services firm with no existing ISMS, the realistic timeline from starting to receiving the certificate is nine to twelve months. This includes three to four months of documentation development, two to three months of controls implementation and evidence gathering, and the two-stage audit process. Firms with existing security policies and Cyber Essentials certification can compress this to six to nine months.

Is ISO 27001 or SOC 2 better for professional services firms?

ISO 27001 is the standard preferred by European and UK clients and procurement teams. SOC 2 is primarily a North American standard and is more relevant if you serve US clients or are a technology company. For UK-focused professional services firms, ISO 27001 will satisfy more procurement requirements. If you serve both UK and US enterprise clients, both certifications may ultimately be needed.
