Monday, February 11, 2008

How to select an ISO 27001 consultant

Do you want to be richer, younger and thinner? Tell ya what I’m gonna do !!!!
I’m an ISO 17799 consultant, and I will implement that framework in your environment and get you certified. Today!!!! All for the low, low price of …………

Sound ridiculous? Good. But what is more ridiculous is that there are vendors out there actually making a living with this pitch. Impossible, you say! Nope. I heard one consultant use a pitch just like this (okay, not EXACTLY like this) just last week.

I’ve been making the rounds of the fall shows for the past few weeks, talking to booth monkeys and listening to presentations, and I had a conversation with a self-styled consultant that absolutely stunned me.

He had been making a presentation on prevalent regs and standards, and how to implement them in a target environment and maintain compliancy. Nope that’s not a typo – the pitch was about COMPLIANCY.

Anyway, I spoke with him afterwards, asking a few probing questions. [These are not direct quotes. It wasn’t a taped interview.]
Me: I notice that you aren’t talking about ISO 27001. Do you still find customers asking for ISO 17799? [yes, I know I should have said ISO 27002, but I was setting him up]

Him: Well, I don’t like ISO 27001 so much. It’s more focused on process, and my clients really respond to the ISO 17799 controls framework.
Ca-ching! He’d fallen into my trap. For those of you that read my last blog, you already know my rant about why ISO 17799 was converted to ISO 27002, and its proper use as a normative document for ISO 27001. PS – ISO17799/ISO27002 is not a controls framework; it is a set of best practices recommended for use in an Information Security Management System (ISMS).

The ISMS is the mainstay of the ISO 27001 standard. As my learned colleague quite rightly pointed out, albeit unknowingly, it focuses primarily on process, to which the controls are subordinate. To use ISO17799/ISO27002 rather than ISO 27001 to avoid the process is, well, like gobbling up the ketchup and throwing the French fries away. Anyway, to continue –

Me: Interesting. Interesting. By the way, where did you take your training? (Yes, another set up. I took mine through BSI.)
The Charlatan: I haven’t. You know, nobody in our shop has had the time to get trained in this. We were thinking about it though.
Me: Ah. Well, it takes time, but it's worth it.
The Dilettante: Well, we’re too busy making money to take time off for training.
Yes, indeed. Thank you for your time. Sorry to wake you.

You know, these ISO 17799 “experts” have nine lives. Eight years ago, they were Y2K expert consultants. After the change in millennium, they all became HIPAA experts. After the compliance deadlines passed, they all fell in love with 17799.

My point is this – these guys are selling snake oil. They are trading in expertise that they don’t possess. If you are considering working with an ISO 17799 “expert” -- don’t. If they don’t even refer to the standard correctly, doesn’t that tell you something?

Second, when working with a consultant on 27001, or any other ISO standard for that matter, ask a few simple questions before signing that contract.
1. Are you certified? While a certification is not absolutely necessary, you want to know that they have had at least some training. If they have had no training whatsoever in the standard, DO NOT WORK WITH THEM. You can buy a copy and read it for yourself. Much cheaper, and you have just as much chance at getting it right as they do.
2. Where did you take your training? Personally, I like the British Standards Institution training course, but there are other reputable companies out there. You just want to be certain that your “expert” has some expertise.
3. How many of these “implementations” have you done? Trick question. Too few, and they don’t have enough experience to claim expertise, so you shouldn’t pay top dollar. Too many, and they are doing it too quickly, and you probably shouldn’t work with them.

And finally, question 4: do you guarantee compliance? If the answer is anything other than “no”, do not work with them. No vendor can guarantee compliance with any standard. Compliance is ultimately an opinion, and it is not the vendor’s to give.

Enough said? Please, I encourage any comments that want to debate or disagree with me. Bring it on!!
Now, I have a really great deal for you. There’s this bridge in New York …………


Information is an asset of the organization that has to be secured.
Information can be stored in hard copy or soft.

Like any other asset it can be damaged, lost or stolen from the vault during storage, during access, during transmission.

Today most information is on the individual PC or on the server or on your website with restricted access.
To secure this information you need to secure your hardware as well as your software.
Hence you also need ISO 20000 experts to secure your information.

Hence your consultant must be well versed in ISO 20000 too.
If he is a certified ethical hacker too, it would be great.
It is not possible for one man to be an expert in so many fields. Hence you need a consultancy firm with a team of consultants to design and implement your ISMS.
