The short answer is yes — many organisations achieve ISO 27001 certification without engaging an external consultant, and some of them do so efficiently. The longer answer is that whether you should depends on what you already have in-house, how much time your team can commit, and what you are willing to learn as you go.
This guide gives you an honest assessment: what is genuinely achievable without external help, where a consultant adds the most value, and what a realistic self-led implementation looks like in practice.
Who Does This Successfully
Organisations that achieve ISO 27001 certification without a consultant tend to share certain characteristics. They are not necessarily large or technically sophisticated — what they have is capacity and internal knowledge.
A competent ISMS lead with time to commit. The single biggest factor in a successful self-led implementation is having someone who can own the project and dedicate meaningful time to it — typically 20 to 40 per cent of their working week across the implementation period. This person does not need to have previously achieved ISO 27001 certification, but they need to be comfortable reading and interpreting the standard, building documentation, and driving engagement across the organisation.
Existing security practices to build on. Organisations that are starting from a reasonable baseline — documented policies, access controls that are actually followed, some form of incident process — have significantly less to build than those implementing from scratch. The gap assessment stage is where you discover how much you actually have.
Engaged senior leadership. ISO 27001 requires a management review, visible commitment from the top of the organisation, and resource allocation. Without senior buy-in, implementation stalls regardless of whether you have a consultant.
A realistic timeline. Self-led implementations typically take longer than consultant-supported ones — not because the work is harder, but because the ISMS lead is learning as they go and doing the work alongside other responsibilities. Factoring in 12 to 18 months for a first certification is realistic for most self-led small organisations.
[Infographic: ISO 27001 Without a Consultant: What You Can Do Yourself. Honest assessment of where internal effort is sufficient and where external help pays off.]
What You Can Do Yourself
A significant proportion of the ISO 27001 implementation process is perfectly achievable without specialist help, provided you invest time in understanding the standard properly.
Understanding the Standard
ISO 27001:2022 is available for purchase from ISO or BSI. It is a relatively short document — the normative requirements occupy fewer than 30 pages — and it is written to be implementable by practitioners rather than read exclusively by academics. Reading the standard carefully, clause by clause, is the essential first step. ISO 27002:2022 provides detailed implementation guidance for the Annex A controls and is a valuable companion document.
Writing Policies and Procedures
ISO 27001 does not require particularly elaborate documentation. What it requires is that your documented information covers the areas the standard specifies, reflects how your organisation actually operates, and can be shown to staff who need it. Writing clear, practical policies — an Information Security Policy, an Access Control Policy, an Incident Response Procedure — is work that an informed ISMS lead can do without external help. The risk is producing policies that look comprehensive but do not match practice. The test is always: if we walk someone through this procedure, does it describe what they would actually do?
Conducting the Risk Assessment
The risk assessment methodology is yours to define. ISO 27001 requires that you establish a methodology, apply it consistently, and document the results — it does not mandate a specific approach. A structured spreadsheet identifying information assets, threats, vulnerabilities, likelihood, and impact is sufficient. Many organisations use a simple 1–5 scoring approach. The risk register does not need to be a sophisticated tool — it needs to be honest and maintained.
Where this becomes difficult is in identifying threats and vulnerabilities that are genuinely relevant to your environment. Generic risk templates are a starting point, but a credible risk assessment reflects the specific nature of your business, your systems, and your sector. An organisation processing medical records has a different threat landscape from a software development company.
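The 1–5 likelihood and impact scoring described above, carried through to treatment decisions and residual risk, as an added Python example (not code from the original article). The asset names, scores, treatment choices and Annex A control mappings are constructed for illustration, and the banding thresholds (high at 15+, medium at 8+, residual acceptance at 8) are this example's own methodology choice, not something the standard mandates: the point of the example is that the methodology is defined once and then applied consistently and checked.

```python
"""Minimal ISO 27001-style risk register using a 1-5 likelihood x impact method.

Constructed example: the assets, scores, treatments and control references below
are illustrative placeholders, not a real organisation's register.
"""
from dataclasses import dataclass, field
from typing import List, Optional

SCALE = range(1, 6)  # 1 = lowest likelihood / impact, 5 = highest
TREATMENTS = {"accept", "mitigate", "transfer", "avoid"}


@dataclass
class Risk:
    ref: str
    asset: str
    threat: str
    vulnerability: str
    likelihood: int
    impact: int
    treatment: str = "accept"
    controls: List[str] = field(default_factory=list)  # Annex A control ids applied
    residual_likelihood: Optional[int] = None  # estimate after treatment
    residual_impact: Optional[int] = None

    def validate(self) -> None:
        """Enforce the methodology: scores on the 1-5 scale, known treatment,
        and a 'mitigate' decision must name at least one control."""
        for name in ("likelihood", "impact"):
            if getattr(self, name) not in SCALE:
                raise ValueError(f"{self.ref}: {name} must be 1-5")
        for name in ("residual_likelihood", "residual_impact"):
            value = getattr(self, name)
            if value is not None and value not in SCALE:
                raise ValueError(f"{self.ref}: {name} must be 1-5")
        if self.treatment not in TREATMENTS:
            raise ValueError(f"{self.ref}: unknown treatment {self.treatment!r}")
        if self.treatment == "mitigate" and not self.controls:
            raise ValueError(f"{self.ref}: 'mitigate' needs at least one control")

    def inherent_score(self) -> int:
        return self.likelihood * self.impact

    def residual_score(self) -> int:
        # Where no post-treatment estimate is recorded, residual equals inherent.
        lik = self.likelihood if self.residual_likelihood is None else self.residual_likelihood
        imp = self.impact if self.residual_impact is None else self.residual_impact
        return lik * imp


def rating(score: int) -> str:
    """Banding used by this example's methodology (an assumption, not the standard's)."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def prioritised(register: List[Risk]) -> List[Risk]:
    """Validate every entry, then order by inherent score (highest first)."""
    for risk in register:
        risk.validate()
    return sorted(register, key=lambda r: r.inherent_score(), reverse=True)


def needs_attention(register: List[Risk], acceptance_threshold: int = 8) -> List[str]:
    """Refs whose residual score is still at or above the acceptance threshold.
    Each of these needs either further treatment or a documented acceptance
    decision signed off by management; silently leaving them is what auditors find."""
    return [r.ref for r in register if r.residual_score() >= acceptance_threshold]


# Constructed sample register for a small organisation handling medical records.
SAMPLE_REGISTER = [
    Risk("R-01", "Patient records database", "Unauthorised access by insider",
         "Shared admin account, no access review", likelihood=4, impact=5,
         treatment="mitigate", controls=["A.5.15", "A.5.18", "A.8.2"],
         residual_likelihood=2, residual_impact=5),
    Risk("R-02", "Clinician laptops", "Loss or theft of device",
         "Disk not encrypted", likelihood=3, impact=4,
         treatment="mitigate", controls=["A.8.1", "A.8.24"],
         residual_likelihood=3, residual_impact=1),
    Risk("R-03", "Office printer", "Hardware failure",
         "Single device, no spare", likelihood=2, impact=1),
]

if __name__ == "__main__":
    for risk in prioritised(SAMPLE_REGISTER):
        print(f"{risk.ref} {risk.asset:<26} inherent={risk.inherent_score():>2} "
              f"({rating(risk.inherent_score())}) residual={risk.residual_score():>2} "
              f"({rating(risk.residual_score())}) treatment={risk.treatment}")
    print("Still above acceptance threshold:", needs_attention(SAMPLE_REGISTER))
```

Running the block prints the register in priority order and flags R-01, whose residual score (10) is still above the acceptance threshold even after mitigation, so it needs an explicit, recorded decision rather than being left implicit in the spreadsheet.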
Building the Statement of Applicability
The Statement of Applicability is the document that records which of the 93 Annex A controls are applicable to your ISMS, why each applicable control has been selected (or why inapplicable controls have been excluded), and the implementation status of each control. Building the SoA is detailed work but not technically complex. Going through each control category in ISO 27002, assessing whether it applies, and documenting your rationale is time-consuming but straightforward.
Running the Internal Audit
Internal auditing is an area where many self-led organisations underinvest. The internal audit must be conducted by someone independent of the processes being audited — which typically rules out the ISMS lead auditing their own work. If your organisation has two or more people with enough understanding of the standard, one can audit the other’s areas. Alternatively, a peer at another organisation can sometimes fulfil this role on a reciprocal basis.
Audit checklists mapped to the standard’s clauses are available from multiple sources and provide a practical framework for a first-time internal auditor.
Preparing for the External Audit
Understanding what a certification auditor is actually looking for — evidence of a functioning system, not just documentation — is crucial preparation. Stage 1 is largely a documentation review. Stage 2 involves staff interviews and evidence sampling. Briefing your staff on what to expect, ensuring your evidence packs are organised, and walking through your procedures before the audit are activities that require effort but not specialist expertise.
Where External Help Genuinely Adds Value
Being honest about where a consultant adds the most value helps you make a better decision about where — if anywhere — to use external support, even in a largely self-led implementation.
Interpreting the Standard in Edge Cases
The standard’s requirements are clear at a high level but can be ambiguous in specific applications. Does your small development team constitute a “separation of duties” concern? Is your informal monthly security discussion sufficient as a “management review”? An experienced consultant has seen how certification bodies interpret these requirements in practice and can give you a faster, more confident answer than spending time researching alone.
Gap Assessment
A structured gap assessment — comparing your current state against the standard’s requirements — is one of the highest-value activities in any implementation. An experienced practitioner can conduct a gap assessment in a day or two and produce a prioritised list of what needs to be built. Doing this yourself is possible, but the risk is systematically missing gaps in areas where you do not know what you do not know.
Independent Internal Audit
If your organisation does not have two people capable of conducting a credible mutual audit, engaging an external auditor for the internal audit is one of the most targeted uses of external resource in a self-led implementation. It satisfies the independence requirement, is typically a one-off engagement, and is significantly cheaper than full implementation support.
Pre-Stage 2 Health Check
Having an experienced practitioner review your documentation and evidence packs before the Stage 2 audit catches the gaps that are obvious to an experienced eye but easy to miss when you are too close to the material. A one-day engagement at this stage is often very high-value — it takes far less time to fix a documentation gap before the audit than to respond to a nonconformity after it.
Specific Technical Domains
Certain control areas — cryptography, network security, secure development — involve technical depth that some ISMS leads do not have. Where controls in these areas are significant to your ISMS, brief specialist input can improve the quality of your control design and documentation substantially.
The Self-Led Implementation Toolkit
A successful self-led implementation relies on the right resources. These are the materials and tools that support the process most effectively.
The standard itself. ISO 27001:2022 is non-negotiable. ISO 27002:2022 is highly recommended alongside it. Some certification bodies also publish guidance documents that are publicly available.
A gap assessment template. Structured spreadsheets that map current state against each clause of the standard. Many are available freely online; quality varies but they are a useful starting framework.
Policy templates. Template policies provide a starting point and help ensure common requirements are not missed. They should be treated as starting points, not finished products — policies that clearly have not been adapted to your organisation are identifiable and do not reflect well.
A risk register framework. A structured approach to recording assets, threats, vulnerabilities, risk scores, treatment decisions, and residual risk. Whether this is a spreadsheet or a dedicated tool is a matter of preference and scale.
A corrective action register. For tracking internal audit findings, nonconformities, and improvement actions — with status, owner, and target date.
ISMS calendar. A forward-looking calendar tracking when reviews are due: policy reviews, risk assessment review, internal audit, management review, access reviews, training. This is the most practical tool for keeping the ISMS operational between audits.
Certification body guidance. Most accredited certification bodies publish guidance on what they expect at Stage 1 and Stage 2. Reading your chosen body’s specific expectations is worth doing before you start.
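The ISMS calendar from the toolkit list above, as an added Python example (not code from the original article): each recurring activity records the clause or Annex A control it produces evidence for, its interval, its owner and when it was last completed, and the block computes what is overdue or due soon as of a given date. The activities, intervals, owners and dates are constructed sample data, and the 30-day warning window is this example's assumption.

```python
"""ISMS calendar: forward-looking schedule of recurring ISMS activities.

Constructed example; the activities, dates, owners and the 30-day warning
window are illustrative assumptions, not taken from any real ISMS.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Tuple


@dataclass
class RecurringActivity:
    name: str
    clause: str          # ISO 27001 clause / Annex A control the activity evidences
    interval_days: int   # how often the ISMS says it must happen
    last_completed: date
    owner: str

    def next_due(self) -> date:
        return self.last_completed + timedelta(days=self.interval_days)


def status(activity: RecurringActivity, as_of: date, warning_days: int = 30) -> str:
    """'overdue' once the due date has passed, 'due soon' inside the warning
    window, otherwise 'scheduled'."""
    due = activity.next_due()
    if as_of > due:
        return "overdue"
    if (due - as_of).days <= warning_days:
        return "due soon"
    return "scheduled"


def schedule(activities: List[RecurringActivity], as_of: date,
             warning_days: int = 30) -> List[Tuple[str, str, date, str, str]]:
    """(name, clause, due date, owner, status) rows ordered by due date, so the
    ISMS lead can see what the next management review or audit will ask about."""
    rows = [(a.name, a.clause, a.next_due(), a.owner, status(a, as_of, warning_days))
            for a in activities]
    return sorted(rows, key=lambda row: row[2])


def overdue(activities: List[RecurringActivity], as_of: date) -> List[str]:
    """Names of activities past their due date, earliest first."""
    return [row[0] for row in schedule(activities, as_of) if row[4] == "overdue"]


# Constructed sample calendar for a small organisation.
SAMPLE_CALENDAR = [
    RecurringActivity("Management review", "9.3", 365, date(2024, 3, 1), "Managing Director"),
    RecurringActivity("Internal audit", "9.2", 365, date(2024, 1, 15), "Operations lead"),
    RecurringActivity("Access rights review", "A.5.18", 90, date(2024, 11, 20), "IT manager"),
    RecurringActivity("Security awareness training", "7.3", 365, date(2024, 6, 10), "HR"),
    RecurringActivity("Risk assessment review", "6.1.2", 365, date(2024, 2, 5), "ISMS lead"),
]
AS_OF = date(2025, 2, 10)  # constructed 'today' for the sample run

if __name__ == "__main__":
    for name, clause, due, owner, state in schedule(SAMPLE_CALENDAR, AS_OF):
        print(f"{due}  {state:<9}  {name:<28} ({clause})  owner: {owner}")
    print("Overdue:", overdue(SAMPLE_CALENDAR, AS_OF))
```

A register like this is also the natural input to the management review: the overdue list is a direct statement of where the ISMS has stopped operating between audits, which is exactly what a surveillance auditor samples for.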
[Infographic: The Self-Led ISO 27001 Toolkit. Resources and milestones for a structured implementation without external consultancy.]
Common Self-Led Mistakes
Producing documentation that does not reflect practice. The temptation in a self-led implementation is to write policies first and implement them later. Auditors ask staff whether they are aware of policies, follow procedures, and what they would do in specific scenarios. Documentation that staff have never seen or do not follow fails Stage 2 regardless of how well it is written.
Underestimating the time required. First-time implementors consistently underestimate the time required to build a compliant ISMS from scratch. The documentation itself is manageable; the implementation — ensuring controls are actually operating — takes longer and requires engagement from people beyond the ISMS lead.
Conducting the internal audit too close to Stage 2. The internal audit should be completed at least eight weeks before Stage 2, with enough time to address findings. An audit completed in the week before the external audit cannot serve its purpose.
Interpreting requirements too narrowly or too broadly. Some self-led implementors interpret requirements more restrictively than necessary, building elaborate processes where simpler ones would suffice. Others interpret them too loosely and miss genuine requirements. The standard’s requirements are designed to be proportionate to the organisation’s size and complexity.
Letting the momentum stall. Self-led implementations without external accountability tend to slow down when competing priorities arise. Building a realistic project plan and tracking progress against it is as important as the technical implementation work.
A Realistic Timeline for a Self-Led Implementation
Months 1–2: Foundation. Purchase and read ISO 27001:2022 and ISO 27002:2022. Conduct a gap assessment. Define your scope. Establish your ISMS framework. Assign a management sponsor.
Months 3–5: Core documentation. Write or adapt your core policies. Complete the risk assessment and risk treatment plan. Build the Statement of Applicability. Draft the corrective action and ISMS improvement process.
Months 6–9: Control implementation. Implement the controls required by your risk treatment plan and SoA. This is where the actual security work happens — access reviews, training, supplier assessments, incident process testing. This stage often takes longer than planned because it requires engagement from staff outside the ISMS function.
Months 10–11: Internal audit and management review. Conduct a full internal audit. Hold the management review with appropriate inputs. Address internal audit findings. Close corrective actions.
Month 12+: External audit. Book Stage 1. Address any Stage 1 observations. Book Stage 2. Conduct Stage 2. Respond to findings. Receive certificate.
Common Mistakes
Choosing a certification body before you are ready. Booking a Stage 2 date while your ISMS is not operational creates pressure to produce documentation quickly rather than implement controls properly. Choose your certification body early — to understand their expectations — but do not book Stage 2 until your internal audit has been completed and its findings addressed.
Ignoring the human factors controls. Self-led implementations often focus heavily on technical controls and underinvest in people-related Annex A controls: security awareness training, acceptable use, HR security procedures, physical security. These are frequently where audit findings occur.
Treating certification as the end point. The ISMS needs to operate continuously after certification. An ISMS built to achieve certification but not designed for ongoing operation will produce findings at the first surveillance audit.
FAQs
Is there a minimum standard of knowledge required to lead a self-led implementation?
Not formally — ISO 27001 does not specify the qualifications of the ISMS lead. Practically, the lead needs to be able to read and interpret the standard, understand information security concepts at a working level, and have the organisational standing to drive engagement across the business. Many successful ISMS leads are IT managers, compliance officers, or operations leads who invest time in learning the standard rather than coming from a specialist information security background.
Is it cheaper to implement without a consultant?
It depends on how you account for internal time. Consultant fees are avoided, but the ISMS lead’s time — often a senior or specialist resource — has a real cost. A full consultant-led implementation for a small organisation might cost £15,000–£30,000 in fees; a self-led implementation might cost an equivalent amount in internal time, spread over a longer period. The financial advantage of self-led implementation is primarily in cash flow and in building internal capability that persists after certification.
Can we use freely available templates?
Yes — freely available policy templates, SoA templates, and risk register frameworks are useful starting points. They save time and help ensure common requirements are captured. They should always be adapted to reflect your actual organisation; submitting obvious off-the-shelf documentation that has not been tailored is noticeable and does not inspire confidence.
What if we get to Stage 2 and receive a major nonconformity?
A major nonconformity delays certification but does not necessarily prevent it. You will have a defined window — typically 30 to 90 days — to remediate the finding and provide evidence of closure. Most organisations with a single major finding can still achieve certification in the same cycle after remediation. The risk in a self-led implementation is that a major finding delays a timeline that is already longer than a consultant-supported one.
Should we certify with a consultant or get there first and then maintain independently?
Some organisations use a consultant for initial certification and then maintain the ISMS independently once the framework is in place. This is a reasonable approach — the initial implementation is the most complex phase, and the ongoing maintenance is more routine once the system is operating. The risk is that an ISMS designed by a consultant and then handed over may not be fully understood by the internal team responsible for maintaining it.