Do you actually need a consultant?
Before evaluating consultants, it is worth asking whether you need one at all. The honest answer depends on three factors: your internal expertise, the complexity of your data processing, and the tools you have available.
| Situation | Consultant likely needed | Platform likely sufficient |
|---|---|---|
| Internal privacy expertise | No dedicated DPO or privacy lead; privacy knowledge is limited | Experienced DPO or compliance manager who can interpret the standard |
| Data processing complexity | Multiple jurisdictions, sensitive data categories, complex processor chains | Single jurisdiction, straightforward processing activities |
| Management system maturity | No existing management system; starting from scratch | Existing ISO 27001 or other structured management system in place |
| Timeline pressure | Must certify within 3 months for a specific contract or tender | 12+ months to implement at a sustainable pace |
| Integration complexity | Need to integrate ISO 27701 with multiple existing management systems across different teams | Single management system or standalone ISO 27701 implementation |
Many organisations fall somewhere in between. A common approach is to use a compliance platform like ISMS.online for the structured framework, templates and day-to-day implementation, and engage a consultant for specific tasks like the initial gap analysis or a pre-audit readiness review.
What should you look for in an ISO 27701 consultant?
Not all consultants are equal, and the wrong choice can cost you more than doing it yourself. These criteria separate effective consultants from those who will slow you down:
Essential criteria
- Specific ISO 27701:2025 experience — The 2025 edition is fundamentally different from 2019. A consultant who has only worked with the 2019 edition will need to learn the standalone structure, new Annex A controls and revised management system requirements alongside you, which defeats the purpose of hiring expertise.
- Privacy domain knowledge — ISO 27701 sits at the intersection of information security and data protection. Your consultant should understand both, not just one. Look for a combination of ISO management system auditing experience and practical knowledge of GDPR, UK DPA 2018 and relevant sector-specific regulations.
- Implementation track record — Ask for case studies or references from organisations that achieved certification with this consultant’s support. Specifically ask about the audit outcome: how many nonconformities were raised, and were any major?
- Industry relevance — A consultant who understands your sector will grasp your data processing context faster. Healthcare, financial services and technology each have distinct privacy challenges that a generalist may overlook.
Desirable criteria
- Lead auditor qualification — A consultant who has audited ISO 27701 (or ISO 27001) as a lead auditor understands what certification bodies look for. This perspective helps you prepare for audit in a way that a consultant without auditing experience cannot.
- Knowledge transfer approach — The best consultants build your team’s capability rather than creating dependency. Ask how they plan to upskill your internal team so you can maintain the PIMS after their engagement ends.
- Tool agnosticism — Be cautious of consultants who insist you use a specific platform (especially their own). Good consultants work with whatever tools you choose.
What are the red flags?
These warning signs suggest a consultant may not deliver the value you need:
- Guaranteeing certification — No consultant can guarantee you will pass. Certification is awarded by an independent certification body, not the consultant. A credible consultant will prepare you thoroughly and be confident in the outcome, but will never guarantee it.
- Vague scope of work — If the proposal does not clearly define deliverables, milestones and the boundary between consultant work and your internal effort, you will end up with scope creep and unexpected costs.
- No reference to the 2025 edition — If the consultant’s proposal references “ISO 27701:2019” structures, Clause 7/8 controller/processor additions, or the old Annex B/C/D framework, their knowledge is out of date.
- Building dependency — A consultant who writes all your policies, manages your risk register and runs your audits is building a recurring revenue stream, not a sustainable PIMS. You should own your management system; they should help you build it.
- No interest in your existing work — A good consultant starts by understanding what you already have in place. If they propose a full implementation without assessing your current maturity, you will pay for work you do not need and risk repeating common implementation mistakes.
- Conflicts of interest — A consultant who also works for a certification body cannot consult on the same engagement they audit. This is an ISO accreditation requirement. If a consultant offers both consulting and certification, ask how they manage the separation.
What do consultants typically charge?
| Engagement Type | Typical UK Cost | What you get |
|---|---|---|
| Gap analysis only | £3,000 – £8,000 | Assessment of your current state against ISO 27701:2025 requirements, with a prioritised action plan |
| Gap analysis + implementation support | £10,000 – £30,000 | Gap analysis plus hands-on support: policy templates, risk assessment guidance, SoA development, audit preparation |
| Full implementation (consultant-led) | £25,000 – £50,000+ | End-to-end implementation including documentation, training, internal audit and audit preparation |
| Pre-audit readiness review | £2,000 – £5,000 | A focused review before your certification audit to identify any remaining gaps |
| Day rate (advisory) | £800 – £1,500/day | Ad-hoc support on specific questions, document reviews or workshops |
Most consultants price based on organisation size and complexity. Always request an itemised proposal that separates gap analysis, implementation support and audit preparation so you can compare quotes fairly.
How does a compliance platform change the equation?
A significant portion of what consultants charge for is work that a pre-built compliance platform handles out of the box:
- Framework setup — A platform like ISMS.online comes with ISO 27701:2025 requirements and Annex A controls pre-mapped. A consultant would spend days building this structure manually.
- Policy templates — Pre-built, customisable policy templates aligned to the standard eliminate the need for a consultant to draft them from scratch.
- Risk register structure — A privacy-specific risk register with scoring methodology and treatment plan templates replaces consultant-built spreadsheets.
- Statement of Applicability — Automated SoA generation from your control selections saves consultant time and reduces errors.
- Guidance notes — Implementation guidance for each clause and control helps your team understand what is required without needing a consultant to interpret the standard.
The practical result: many organisations use a platform to handle 70–80% of the implementation and only engage a consultant for the remaining 20–30% — typically the initial gap analysis and a pre-audit readiness check. This can reduce consultant spend from £25,000–£50,000 to £5,000–£13,000. For a full breakdown of all certification costs, see our dedicated guide.
Why choose ISMS.online for ISO 27701:2025?
- Reduces or eliminates consultant dependency — Pre-built frameworks, templates and guidance cover the majority of implementation work
- Works alongside consultants when you need them — Consultants can work directly in the platform, reviewing your progress and providing targeted input
- Builds internal capability — Your team learns the standard through guided implementation, not by watching a consultant do it for you
- Faster implementation — Start with a pre-configured framework rather than waiting for a consultant’s availability and project plan
- Predictable cost — Annual subscription with no scope creep, unlike consultant engagements that can expand as complexity reveals itself
- Ongoing value — A consultant’s engagement ends; the platform supports your PIMS through surveillance audits, recertification and continuous improvement
- Multi-framework support — If you also manage ISO 27001, GDPR or other standards, the platform handles shared controls without additional consulting fees
Ready to see what you can achieve without a consultant — or with less consultant time? Book a demo and explore how ISMS.online supports your ISO 27701:2025 certification.
Frequently Asked Questions
Can the same person consult and audit my organisation?
No. ISO accreditation rules require separation between consulting and certification auditing. A consultant who helps you implement cannot audit you for certification purposes. Some consulting firms have partnerships with certification bodies, but the individual consultants must be different people working independently.
How do I verify a consultant’s credentials?
Ask for evidence of lead auditor certification (e.g. ISO 27701 or ISO 27001 Lead Auditor), IAPP certifications (CIPP/E, CIPM), or equivalent privacy qualifications. Request references from organisations of similar size and sector who achieved certification with their support. Check that they can speak specifically about the 2025 edition, not just the 2019 version.
Should I hire a consultant before or after choosing a platform?
Choose your platform first. A pre-built platform significantly reduces the scope of work a consultant needs to cover, which means lower fees and a more focused engagement. If you hire a consultant first, they may build a bespoke framework that then needs to be migrated into your platform, duplicating effort and cost.
What should a consultant proposal include?
A credible proposal should include: a clear scope of work with defined deliverables, a timeline with milestones, itemised pricing (not just a lump sum), the boundary between their work and your internal effort, assumptions about your starting maturity, and a knowledge transfer plan. If any of these are missing, ask for them before committing.
Is it worth paying for a gap analysis if I have a compliance platform?
It can be, especially if your data processing is complex or spans multiple jurisdictions. A consultant brings an external perspective that your internal team may lack. However, a platform with built-in gap analysis tools (like ISMS.online) can handle straightforward assessments. Consider a consultant-led gap analysis as insurance for complex implementations and a platform-led approach for simpler ones.