No, an external consultant is not mandatory. ISO 27001 does not prescribe who builds the Information Security Management System (ISMS), and you can achieve certification entirely with internal resources. What the standard does require is a clear separation of roles. Consulting, implementation, and the internal audit may be carried out by your own team or by consultants, provided the internal audit is objective and impartial (clause 9.2), so whoever audits should not be auditing their own implementation work. The external certification audit, however, must always be performed by an independent, accredited certification body, and for reasons of independence that body is not allowed to also act as your consultant.
Do it yourself or get support?
| Approach | Advantages | Challenges |
|---|---|---|
| Fully in-house | Lower external costs, full build-up of internal knowledge, full control | High time investment, requires knowledge of the standard, mistakes often extend the project |
| External consultant | Experience, faster implementation, avoidance of typical mistakes | Cost, dependency, knowledge may leave the company once the project ends |
| Hybrid (platform plus experts) | Automation of routine work, expert knowledge where it counts, knowledge stays in-house | Requires choosing the right provider |
When external support is worth it
External support is particularly worthwhile when one or more of the following apply:
- Limited time: an upcoming customer contract or audit date calls for speed.
- Lack of experience with the standard: no one on the team has built an ISMS before.
- Limited internal capacity: the team cannot take on the work on top of day-to-day operations.
- First-time certification: the requirements are hardest to gauge the first time around.
A purely in-house approach works well when sufficient time, existing security maturity, and internal knowledge of the standard all come together. If any one of these is missing, experience shows the project tends to take considerably longer.
How Kertos combines the best of both worlds
Kertos dissolves the either-or question: you do not have to choose between expensive consulting and laborious do-it-yourself work. Kertos combines an agentic compliance platform (KAIA) with accredited in-house experts who work alongside your team:
- Platform for the routine work: gap analysis, risk assessment, the Statement of Applicability (SoA), and evidence collection are automated rather than created manually.
- Experts where it counts: the Kertos specialists support questions of interpretation, the internal audit, and preparation for the external audit, including external CISO mandates.
- Knowledge stays with you: instead of dependency on a consultant, you end up with a lasting, lived ISMS you can keep using.
- Independence preserved: Kertos prepares you for the audit, while the external certification audit is still carried out by an independent body.
The outcome is reflected in Kertos's track record: a 100% audit pass rate, roughly 80% less manual compliance effort, 98% customer satisfaction, and customers like AskUI reaching ISO 27001 certification in just 8 to 10 weeks. Control stays in-house without you having to shoulder the entire effort alone.