Can You Get ISO 27001 Without a Consultant? (Yes, Here's How)
Now you're wondering: Can we actually do this ourselves?
Short answer: Yes.
Longer answer: Yes, but not the way most people try. Let me explain.
I certified an 800-attorney law firm without a consultant
In 2019, I was the Information Security Manager at an Am Law 100 firm.
The partners wanted ISO 27001 certification. Why? Enterprise clients were putting "ISO 27001 required" in RFPs. We were losing deals we never knew we lost.
Budget: $20,000. Timeline: 12 months. Team: Me.
I interviewed three consulting firms. Quotes ranged from $60K to $120K. The partners said no. I had to figure it out myself.
Result: We got certified in 11 months, 3 weeks. Stage 2 audit: 2 minor findings, fixed in 2 weeks. Total cost: under $20K (mostly certification body fees).
The key insight:
ISO 27001 isn't hard because the standard is complicated. It's hard because nobody tells you the sequence.
Why consultants are expensive (and what they actually do)
Let's be honest: $60K-$150K isn't a scam. You're paying for real work. Here's what a consultant gives you:
1. Project management
They create the timeline, chase stakeholders, run meetings, track deliverables. If you have zero bandwidth, this is valuable.
2. Document creation
They write most of the policies, procedures, and templates. This saves you time but costs you knowledge—you won't understand your own ISMS.
3. Internal audit
ISO 27001 requires an internal audit before Stage 2 certification. Consultants run this. It's helpful, but you can also train someone internally or hire a one-time auditor for $2K-$5K.
4. Audit preparation
They coach you through Stage 1 (document review) and Stage 2 (on-site audit). They know what auditors look for. This reduces risk of failure.
The hidden cost: When the consultant leaves, you can't maintain the ISMS. You don't know how it works. You become dependent on them for surveillance audits (Years 2-3) and recertification (Year 3).
When consultants make sense
Consultants aren't always overkill. Hire one if:
- You're targeting Fortune 500 clients and need perfect documentation (consultant polish matters)
- You have 500+ employees and complex multi-cloud infrastructure (enterprise-level rigor required)
- You have zero IT/security bandwidth and can't dedicate 5-8 hours/week internally
- Your CFO approved the $100K budget and wants external validation
When DIY makes sense (and why it usually fails)
DIY makes sense if:
- You're a 10-500 employee company (SMB sweet spot)
- You have an IT Manager or Security lead who can dedicate time
- Your CFO said "absolutely not" to $60K+
- You want to actually understand your ISMS (not outsource it)
The template trap
You download a "complete ISO 27001 toolkit" for $500-$2,000. It has 230 Word files.
You open the first one: placeholders everywhere.
[COMPANY NAME] is committed to [INSERT SECURITY OBJECTIVES]...
You have no idea what "security objectives" should be. The template doesn't explain.
Six months later: You have a folder of half-finished documents. No idea if you're on track. No idea what to do next.
The sequence problem
ISO 27001 Clauses 4-10 are the implementation order:
1. Clause 4: Understand context (scope, stakeholders, processes)
2. Clause 5: Get leadership buy-in
3. Clause 6: Assess risks, select controls
4. Clauses 7-8: Implement controls, train staff
5. Clause 9: Audit and review
6. Clause 10: Fix what breaks
Most people skip straight to Clause 8 (controls) because that's the "security" part. Then they backfill Clauses 4-6. Auditors fail them at Stage 1.
The #1 DIY failure mode: Implementing controls before completing the risk assessment. You can't prove which controls address which risks. Instant Stage 1 failure.
The structured middle ground
Here's what worked for me (and what I built into ISMS Accelerator):
1. Follow the sequence
10 modules that map to ISO 27001 Clauses 4-10. You work through them in order. No skipping ahead. No backfilling.
2. Use context-specific templates
Not generic placeholders. Templates with instructions. "Your security objectives should include [X, Y, Z] because auditors look for [specific evidence]."
3. Build evidence from Day 1
Auditors want proof your ISMS is operational, not just documented. Start collecting evidence (logs, meeting minutes, training records) from Month 1.
4. Run an internal audit before Stage 2
Catch your own mistakes. ISO 27001 requires this anyway. Do it 3-6 months before your certification audit.
5. Know what auditors actually ask
I've completed 12+ ISO 27001 audits as a Lead Auditor. Here's what they check:
- Is your risk assessment yours or generic? (Show documented decisions)
- Do controls trace back to risks? (Risk Treatment Plan must link risks → controls)
- Is the ISMS operational? (Need 3-6 months of evidence: logs, audits, reviews)
- Have you done internal audits + management reviews? (Required for continual improvement)
The real cost comparison
| Option | Cost | Time | Knowledge |
|--------|------|------|-----------|
| Consultant | $60K-$150K | 12-18 months | Low (they do it for you) |
| Templates only | $500-$2,000 | 18-24 months (if you finish) | High (trial by fire) |
| Structured system | $1,497-$12,000 | 12 months | High (you build it) |
ISMS Accelerator is the middle ground: Structured sequence + audit-tested templates + optional coaching. Not consultant-level hand-holding. Not template chaos.
What you actually need to do this yourself
Let's be realistic. DIY ISO 27001 requires:
- 5-8 hours/week for 12 months (from your IT/Security lead)
- Executive sponsorship (CEO or board approval before you start)
- Delegation (you can't do everything—risk assessment needs CTO, policies need legal, training needs HR)
- A system (templates alone aren't enough—you need sequence + guidance)
If you do have the time but no system, you'll waste 6 months working in the wrong order.
The certification guarantee
Here's the risk with DIY: you spend 12 months implementing, fail Stage 2, and have to hire a consultant anyway. Now you've wasted a year and you're paying $60K.
That's why ISMS Accelerator includes a certification guarantee.
If you follow the system and fail Stage 2, I'll personally review your ISMS, identify gaps, and help you fix them—no extra charge.
Why? Because I've been on both sides of the audit table. I know what causes failures. The system prevents them.
Bottom line
Can you get ISO 27001 without a consultant? Yes.
Should you? Depends.
- Hire a consultant if: You're 500+ employees, targeting Fortune 500 clients, or have $100K approved and zero bandwidth.
- Go DIY with a system if: You're 10-500 employees, have 5-8 hours/week to dedicate, and want to own the ISMS (not outsource it).
- Don't go DIY with templates alone. You'll waste 6 months and probably fail.
---
Ready to get certified without a consultant?
[See the 10-module system →](/sales)
[Download free cheat sheet →](/resources#cheat-sheet)
Working on your own ISO 27001 implementation?
ISMS Accelerator is a structured 11-module course with 40+ done-for-you templates. Built by a practicing consultant who's done this 40+ times.
See the full program →