How to Build an ISMS Without a Consultant
The quote from the consultancy lands in your inbox, and the number has five digits. That's normal: an ISO® 27001 consulting project typically costs between $10,000 and $40,000, depending on scope and experience - for many SMBs, more than every other cost of certification combined. And the proposal hides a second price: when the project ends, the knowledge leaves with the consultant. Your team operates a system someone else designed, and at the next surveillance audit you may need to hire them again.
There is another way - most consultancies just won't mention it. For a typical SMB with a clear scope, self-implementation is realistic. Many SMBs achieve ISO® 27001 certification without external consultants - on one condition: the platform you use must carry the structure a consultant would otherwise provide.
In this Valiido guide, we break down what a consultant actually does for you, how software replaces each of those functions, when hiring a consultant genuinely is the better call, and what the do-it-yourself path looks like in practice.
What a Consultant Actually Provides
Strip away the day rates and the deliverables list, and an ISO® 27001 consultant provides four things:
- Structure: a project plan that tells you what to do, in what order, and when you're done. Without it, most teams stall in the first month because they don't know where to start.
- Interpretation of the standard: ISO® 27001 is written in standards language, not in plain instructions. A consultant translates each requirement into "here's what this means for a company like yours."
- Examples: consultants arrive with policies, risk entries, and process descriptions from past projects, so you adapt instead of writing from a blank page.
- Review: before the certification audit, the consultant checks your work against the standard and flags what an auditor would flag.
Add a fifth, informal one - answers: someone to ask when you're stuck. None of these is magic. Each one is a function - and functions can be carried by software.
How Software Replaces Each Function
Structure and Interpretation: A Guided Path Through the Standard
The first two functions - structure and interpretation - are exactly what the Valiido Guide provides. It walks you chapter by chapter through every ISO® 27001 and TISAX® requirement, in the right order, and explains each one in plain language: what the requirement means, why it exists, and what you concretely need to do. Your team always knows what comes next, and you see precisely how far you are from audit-ready.
That's the difference between a platform and a document storage tool. A blank workspace still leaves you doing the consultant's job yourself.
Examples: Never Start from a Blank Page
Writing policies and process descriptions from scratch is slow and error-prone - it's the single biggest reason ISMS projects drag. Valiido's 1-Click Examples cover this function: 200+ pre-mapped entries across every module, from policies to risk entries to process descriptions. You copy them with one click and adapt them to your organization, exactly as you would with a consultant's templates - except they're built into the platform where they belong.
Review: Automated Checks Before the Auditor Arrives
The review function is where most self-implementations historically failed: nobody checked the work until the auditor did. AuditMagic closes that gap. It checks every object in your ISMS instantly against Valiido best practices, ISO® 27001, and TISAX®, and delivers a full audit report every Monday - sorted by severity, grouped by the resource it touches. Gaps surface while you can still fix them, not in the certification audit.
Unlike a consultant's review, this check doesn't happen once before the audit. It runs continuously - which also covers the years after certification, when surveillance audits come around and the consultant is long gone.
Answers: Unlimited Support from Real Experts
No software anticipates every question. Standards have edge cases, auditors ask unexpected things, and sometimes you just want a second opinion. That's why Valiido includes unlimited expert support via video call or chat in every plan - no ticket limits, no hourly billing. It's the "someone to ask" function of a consultant, without the day rate attached to every conversation.
When You DO Want a Consultant
Honesty matters here: there are situations where hiring a consultant is the right decision, and pretending otherwise would be bad advice.
- Complex or multi-entity scope: if your certification spans multiple legal entities, countries, or business units with conflicting requirements, experienced project leadership pays for itself.
- Mergers and acquisitions: integrating or separating management systems under deal pressure is specialist work with hard deadlines.
- Heavily regulated environments: if you operate under additional regimes - financial supervision, critical infrastructure, medical devices - a consultant who knows how those frameworks interact with ISO® 27001 reduces real risk.
- No internal owner: if nobody in your organization can take ownership of the ISMS, software alone won't fix that. Neither will a consultant, long-term - but one can bridge the gap while you build the role.
If that's your situation, our guide on how to hire an ISO® 27001 consultant for your ISMS covers what to look for, what consultants cost, and how to evaluate them. And the two paths aren't mutually exclusive: plenty of teams run their ISMS on a platform and bring in a consultant for a few focused days, rather than a full-service engagement.
The DIY Path: From Zero to Certified
Self-implementation follows the same path a consultant would walk you through. Compressed, it looks like this:
- Define your scope and appoint an owner. Decide what the ISMS covers - a narrow, well-defined scope is easier to certify. Name an information security officer or equivalent owner with the authority and time to drive the project.
- Run a gap analysis. Compare your current security posture against the standard's requirements. The output is a prioritized list of gaps - your roadmap.
- Build your risk assessment. Identify your information assets, assess threats and impact, and set up a risk register with clear acceptance criteria.
- Write policies and implement controls. Core security policies, access control, asset inventory, supplier management, incident response, business continuity. This is where pre-built examples save the most time.
- Finalize risk treatment and required documents. Decide how you handle each risk and complete the documentation the standard requires.
- Internal audit and management review. Check your own ISMS formally, fix what you find, and have leadership review the system - both are required before the certification audit.
- Certification audit. An accredited auditor reviews your documentation, then verifies the ISMS actually operates as described. Pass both parts and you're certified.
With a focused team and a guided platform, this is achievable in twelve weeks. The full week-by-week version is in our guide to ISO® 27001 certification in 12 weeks.
The Platform Requirements Checklist
The whole argument rests on the platform actually carrying the consultant's functions. Before you commit to any ISMS software for self-implementation, check that it offers:
- A guided, step-by-step path through the standard - not an empty workspace you have to structure yourself
- Plain-language interpretation of every requirement, so you don't need to decode standards language
- Coverage of the standards you actually need - ISO® 27001, and TISAX® with the VDA® ISA catalogue if the automotive supply chain is in your future
- Pre-built examples for policies, risks, and processes, ready to adapt on day one
- Automated checks that review your entries against the standard's requirements before the auditor does
- Unlimited human support - a question you can't ask is a gap a consultant would have caught
- Flat, predictable pricing with everything included, so the cost case against consulting actually holds
- A free trial so you can verify all of the above yourself before paying
For a deeper evaluation framework, see our guide on how to choose ISMS software: 8 questions to ask before you buy.
Valiido is built to be exactly this: the software to pass ISO® 27001 yourself. The Guide carries structure and interpretation, 200+ 1-Click Examples carry the templates, AuditMagic checks your work against Valiido best practices, ISO® 27001, and TISAX®, and unlimited expert support answers everything in between - from 149 €/month, with a 98.7% first-attempt pass rate among our customers. You can try it in your browser for free, no credit card required.
Frequently Asked Questions
Can you really get ISO® 27001 certified without a consultant?
Yes. The standard doesn't require one, and certification bodies don't expect one. Many SMBs achieve certification without external consultants by using structured ISMS software that guides them through the process. Consultants add value in complex environments, but they're not a requirement.
How much does a consultant cost compared to ISMS software?
ISO® 27001 consulting projects typically range from $10,000 to $40,000 depending on scope. Guided ISMS software like Valiido starts at 149 €/month with unlimited expert support included - over a full certification year, that's a fraction of a consulting engagement, and the capability stays in-house afterward.
How long does self-implementation take?
Twelve weeks is achievable for a focused SMB team with a clearly defined scope and a guided platform. Larger or more complex organizations typically take six to twelve months. Our guide to ISO® 27001 certification in 12 weeks breaks the fast path down week by week.
Do auditors care whether you used a consultant?
No. The certification audit assesses your ISMS - whether it meets the standard and actually operates as documented - not who built it. What auditors do notice is whether your team understands its own system. A self-implemented ISMS often scores well here, because the people who built it are the people running it.
What if I get stuck on a requirement during self-implementation?
This is the scenario to plan for before it happens. Choose a platform with unlimited human support, so a tricky requirement costs you a conversation instead of a consulting invoice. With Valiido, expert support via video call or chat is included in every plan, with no limit on questions.
Will an auditor accept policies based on pre-built examples?
Yes, provided you've adapted them to your organization. Auditors don't penalize you for starting from a template - consultants use templates too. What fails an audit is a generic policy that doesn't match how your organization actually works. Adapt every example to your real processes, and you're on solid ground.
Can I combine software and a consultant?
Absolutely. A common pattern is running the ISMS on a platform and bringing in a consultant for a few targeted days - for example, for the internal audit or a complex scoping question. Because the platform carries the structure, you buy expertise by the day instead of funding a full-service project.
The consultant's value was never mystery knowledge. It was structure, interpretation, examples, review, and answers - functions a well-built platform now carries for a fraction of the cost, and ones that stay with your team after the audit is passed.
Valiido gives you all five, so you can build your ISMS yourself - and own it afterward.
How we evaluated & sources
This article reflects first-hand experience as a certified ISO® 27001 auditor and hands-on ISMS practice. The 98.7% first-attempt audit pass rate is based on a Valiido customer survey as of June 2026.