Ga naar inhoud

ISO certification without a consultant

ISO certification without a consultant: commercial long-tail guide with concrete steps, pitfalls and a clear path to ISO Ready.

Book an informal conversation

ISO Ready helps you align policy, risk, and evidence — without endless document churn.

Get started with ISO Ready

ISO certification without a consultant

ISO certification without a consultant works with senior ownership, audit literacy and board commitment.

Mid-market saves external days but invests line hours (often 40–120 days).

ISO Ready supports registers and evidence — not a CB replacement.

When to choose which route

Self-led: narrow scope, existing IAM/logging, internal audit experience.

External: first ISO, complex scope, no capacity.

Costs and total cost of ownership

Internal hours + CB + tooling; cheap document packs create audit rework.

See ISO 27001 costs.

Decision criteria

Document risk acceptances with board decision and date.

CriterionWithout consultantWith consultant
CostLower external, higher internalFaster pace
ISO ReadyActions/evidence structureFollow-up after project

Netherlands and EU context

Dutch/EU CB, Annex A 2022, GDPR/NIS2 where relevant.

Common mistakes

Stage 2 before internal audit. Scope too wide. No surveillance reserve.

Practical steps

Scope → risk → SoA → implement → internal audit → MR → stage 1 → stage 2.

Use ISMS tool or Excel.

Next step with ISO Ready

Self-implementation needs discipline — ISO Ready bundles actions. Run the readiness scan on iso-ready.nl.

Depth for leadership and ISMS lead

Name ISMS manager with mandate.

Weekly steering months 3–6.

Related guides

Implementation and governance

Document who may change scope, how evidence ages, and which KPIs the board sees — neither software nor consultants replace governance.

Internal audit dry-run before stage 1 with CB sampling logic; close findings in writing with owner and deadline.

For ISO certification without a consultant, internal audit independence shows up often in Dutch B2B and SaaS programmes. Leadership wants predictable timelines, security wants demonstrable evidence, and operations refuses a parallel Excel world beside the tool. Record internal audit independence with owner, review cadence, acceptance criteria and risk ID linkage — auditors sample consistency between policy, tickets and logs.

In practice for ISO certification without a consultant: test internal audit independence in a four-week pilot with real control owners. Measure hours, error rate and export quality; extrapolate to surveillance and document assumptions in the board paper so finance is not surprised after go-live.

For ISO certification without a consultant, management review decisions shows up often in Dutch B2B and SaaS programmes. Leadership wants predictable timelines, security wants demonstrable evidence, and operations refuses a parallel Excel world beside the tool. Record management review decisions with owner, review cadence, acceptance criteria and risk ID linkage — auditors sample consistency between policy, tickets and logs.

In practice for ISO certification without a consultant: test management review decisions in a four-week pilot with real control owners. Measure hours, error rate and export quality; extrapolate to surveillance and document assumptions in the board paper so finance is not surprised after go-live.

For ISO certification without a consultant, scope change CB notice shows up often in Dutch B2B and SaaS programmes. Leadership wants predictable timelines, security wants demonstrable evidence, and operations refuses a parallel Excel world beside the tool. Record scope change CB notice with owner, review cadence, acceptance criteria and risk ID linkage — auditors sample consistency between policy, tickets and logs.

In practice for ISO certification without a consultant: test scope change CB notice in a four-week pilot with real control owners. Measure hours, error rate and export quality; extrapolate to surveillance and document assumptions in the board paper so finance is not surprised after go-live.

For ISO certification without a consultant, surveillance budget shows up often in Dutch B2B and SaaS programmes. Leadership wants predictable timelines, security wants demonstrable evidence, and operations refuses a parallel Excel world beside the tool. Record surveillance budget with owner, review cadence, acceptance criteria and risk ID linkage — auditors sample consistency between policy, tickets and logs.

In practice for ISO certification without a consultant: test surveillance budget in a four-week pilot with real control owners. Measure hours, error rate and export quality; extrapolate to surveillance and document assumptions in the board paper so finance is not surprised after go-live.

For ISO certification without a consultant, mock interviews shows up often in Dutch B2B and SaaS programmes. Leadership wants predictable timelines, security wants demonstrable evidence, and operations refuses a parallel Excel world beside the tool. Record mock interviews with owner, review cadence, acceptance criteria and risk ID linkage — auditors sample consistency between policy, tickets and logs.

In practice for ISO certification without a consultant: test mock interviews in a four-week pilot with real control owners. Measure hours, error rate and export quality; extrapolate to surveillance and document assumptions in the board paper so finance is not surprised after go-live.

For ISO certification without a consultant, evidence index turnover shows up often in Dutch B2B and SaaS programmes. Leadership wants predictable timelines, security wants demonstrable evidence, and operations refuses a parallel Excel world beside the tool. Record evidence index turnover with owner, review cadence, acceptance criteria and risk ID linkage — auditors sample consistency between policy, tickets and logs.

In practice for ISO certification without a consultant: test evidence index turnover in a four-week pilot with real control owners. Measure hours, error rate and export quality; extrapolate to surveillance and document assumptions in the board paper so finance is not surprised after go-live.

For ISO certification without a consultant, risk acceptance log shows up often in Dutch B2B and SaaS programmes. Leadership wants predictable timelines, security wants demonstrable evidence, and operations refuses a parallel Excel world beside the tool. Record risk acceptance log with owner, review cadence, acceptance criteria and risk ID linkage — auditors sample consistency between policy, tickets and logs.

In practice for ISO certification without a consultant: test risk acceptance log in a four-week pilot with real control owners. Measure hours, error rate and export quality; extrapolate to surveillance and document assumptions in the board paper so finance is not surprised after go-live.

For ISO certification without a consultant, weekly steering shows up often in Dutch B2B and SaaS programmes. Leadership wants predictable timelines, security wants demonstrable evidence, and operations refuses a parallel Excel world beside the tool. Record weekly steering with owner, review cadence, acceptance criteria and risk ID linkage — auditors sample consistency between policy, tickets and logs.

In practice for ISO certification without a consultant: test weekly steering in a four-week pilot with real control owners. Measure hours, error rate and export quality; extrapolate to surveillance and document assumptions in the board paper so finance is not surprised after go-live.

For ISO certification without a consultant, post-internal-audit rework shows up often in Dutch B2B and SaaS programmes. Leadership wants predictable timelines, security wants demonstrable evidence, and operations refuses a parallel Excel world beside the tool. Record post-internal-audit rework with owner, review cadence, acceptance criteria and risk ID linkage — auditors sample consistency between policy, tickets and logs.

In practice for ISO certification without a consultant: test post-internal-audit rework in a four-week pilot with real control owners. Measure hours, error rate and export quality; extrapolate to surveillance and document assumptions in the board paper so finance is not surprised after go-live.

Key takeaways

  • Start with scope and maturity — not document volume.
  • Link every control to evidence and an owner.
  • Use readiness/gap before locking budget.

Veelgestelde vragen

What does ISO certification without a consultant typically cost in time and money?
It depends on scope and maturity. Start with a readiness or gap assessment before presenting a fixed budget.
Can we certify without a consultant?
Yes, if you have senior ownership and audit literacy. Software helps execution and evidence, not scope governance.
How fast can we become audit-ready?
Limited scope and solid logging: a few months. Complex chains or legacy IT: often six months or more.
Gap analysis vs scan?
Scans prioritise quickly; gap analyses feed the implementation plan. Many teams scan first, then gap.
Why ISO Ready after reading this?
Because you need one place to track actions, evidence and risks — otherwise content does not turn into progress.

Run the ISO 27001 readiness scan

See where you stand before investing in documents or consultants.

Start the readiness scan