ISO certification without a consultant
ISO certification without a consultant works with senior ownership, audit literacy and board commitment.
Mid-market saves external days but invests line hours (often 40–120 days).
ISO Ready supports registers and evidence — not a CB replacement.
When to choose which route
Self-led: narrow scope, existing IAM/logging, internal audit experience.
External: first ISO, complex scope, no capacity.
Costs and total cost of ownership
Internal hours + CB + tooling; cheap document packs create audit rework.
See ISO 27001 costs.
Decision criteria
Document risk acceptances with board decision and date.
| Criterion | Without consultant | With consultant |
|---|---|---|
| Cost | Lower external, higher internal | Faster pace |
| ISO Ready | Actions/evidence structure | Follow-up after project |
Netherlands and EU context
Dutch/EU CB, Annex A 2022, GDPR/NIS2 where relevant.
Common mistakes
Stage 2 before internal audit. Scope too wide. No surveillance reserve.
Practical steps
Scope → risk → SoA → implement → internal audit → MR → stage 1 → stage 2.
Use ISMS tool or Excel.
Next step with ISO Ready
Self-implementation needs discipline — ISO Ready bundles actions. Run the readiness scan on iso-ready.nl.
Depth for leadership and ISMS lead
Name ISMS manager with mandate.
Weekly steering months 3–6.
Related guides
- ISO certification software
- ISO consultant or software
- ISO 27001 costs
- ISMS tool or Excel
- ISO 27001 readiness scan
Implementation and governance
Document who may change scope, how evidence ages, and which KPIs the board sees — neither software nor consultants replace governance.
Internal audit dry-run before stage 1 with CB sampling logic; close findings in writing with owner and deadline.
For ISO certification without a consultant, internal audit independence shows up often in Dutch B2B and SaaS programmes. Leadership wants predictable timelines, security wants demonstrable evidence, and operations refuses a parallel Excel world beside the tool. Record internal audit independence with owner, review cadence, acceptance criteria and risk ID linkage — auditors sample consistency between policy, tickets and logs.
In practice for ISO certification without a consultant: test internal audit independence in a four-week pilot with real control owners. Measure hours, error rate and export quality; extrapolate to surveillance and document assumptions in the board paper so finance is not surprised after go-live.
For ISO certification without a consultant, management review decisions shows up often in Dutch B2B and SaaS programmes. Leadership wants predictable timelines, security wants demonstrable evidence, and operations refuses a parallel Excel world beside the tool. Record management review decisions with owner, review cadence, acceptance criteria and risk ID linkage — auditors sample consistency between policy, tickets and logs.
In practice for ISO certification without a consultant: test management review decisions in a four-week pilot with real control owners. Measure hours, error rate and export quality; extrapolate to surveillance and document assumptions in the board paper so finance is not surprised after go-live.
For ISO certification without a consultant, scope change CB notice shows up often in Dutch B2B and SaaS programmes. Leadership wants predictable timelines, security wants demonstrable evidence, and operations refuses a parallel Excel world beside the tool. Record scope change CB notice with owner, review cadence, acceptance criteria and risk ID linkage — auditors sample consistency between policy, tickets and logs.
In practice for ISO certification without a consultant: test scope change CB notice in a four-week pilot with real control owners. Measure hours, error rate and export quality; extrapolate to surveillance and document assumptions in the board paper so finance is not surprised after go-live.
For ISO certification without a consultant, surveillance budget shows up often in Dutch B2B and SaaS programmes. Leadership wants predictable timelines, security wants demonstrable evidence, and operations refuses a parallel Excel world beside the tool. Record surveillance budget with owner, review cadence, acceptance criteria and risk ID linkage — auditors sample consistency between policy, tickets and logs.
In practice for ISO certification without a consultant: test surveillance budget in a four-week pilot with real control owners. Measure hours, error rate and export quality; extrapolate to surveillance and document assumptions in the board paper so finance is not surprised after go-live.
For ISO certification without a consultant, mock interviews shows up often in Dutch B2B and SaaS programmes. Leadership wants predictable timelines, security wants demonstrable evidence, and operations refuses a parallel Excel world beside the tool. Record mock interviews with owner, review cadence, acceptance criteria and risk ID linkage — auditors sample consistency between policy, tickets and logs.
In practice for ISO certification without a consultant: test mock interviews in a four-week pilot with real control owners. Measure hours, error rate and export quality; extrapolate to surveillance and document assumptions in the board paper so finance is not surprised after go-live.
For ISO certification without a consultant, evidence index turnover shows up often in Dutch B2B and SaaS programmes. Leadership wants predictable timelines, security wants demonstrable evidence, and operations refuses a parallel Excel world beside the tool. Record evidence index turnover with owner, review cadence, acceptance criteria and risk ID linkage — auditors sample consistency between policy, tickets and logs.
In practice for ISO certification without a consultant: test evidence index turnover in a four-week pilot with real control owners. Measure hours, error rate and export quality; extrapolate to surveillance and document assumptions in the board paper so finance is not surprised after go-live.
For ISO certification without a consultant, risk acceptance log shows up often in Dutch B2B and SaaS programmes. Leadership wants predictable timelines, security wants demonstrable evidence, and operations refuses a parallel Excel world beside the tool. Record risk acceptance log with owner, review cadence, acceptance criteria and risk ID linkage — auditors sample consistency between policy, tickets and logs.
In practice for ISO certification without a consultant: test risk acceptance log in a four-week pilot with real control owners. Measure hours, error rate and export quality; extrapolate to surveillance and document assumptions in the board paper so finance is not surprised after go-live.
For ISO certification without a consultant, weekly steering shows up often in Dutch B2B and SaaS programmes. Leadership wants predictable timelines, security wants demonstrable evidence, and operations refuses a parallel Excel world beside the tool. Record weekly steering with owner, review cadence, acceptance criteria and risk ID linkage — auditors sample consistency between policy, tickets and logs.
In practice for ISO certification without a consultant: test weekly steering in a four-week pilot with real control owners. Measure hours, error rate and export quality; extrapolate to surveillance and document assumptions in the board paper so finance is not surprised after go-live.
For ISO certification without a consultant, post-internal-audit rework shows up often in Dutch B2B and SaaS programmes. Leadership wants predictable timelines, security wants demonstrable evidence, and operations refuses a parallel Excel world beside the tool. Record post-internal-audit rework with owner, review cadence, acceptance criteria and risk ID linkage — auditors sample consistency between policy, tickets and logs.
In practice for ISO certification without a consultant: test post-internal-audit rework in a four-week pilot with real control owners. Measure hours, error rate and export quality; extrapolate to surveillance and document assumptions in the board paper so finance is not surprised after go-live.