Anacruses Associates Ltd

Do You Need an ISO Consultant? Honest Answers from a Lead Auditor

2026-07-03

You do not legally need an ISO consultant to get certified. Many organisations self-implement successfully. But the majority of businesses that attempt ISO certification without specialist support either take significantly longer than necessary, produce systems that do not survive the first surveillance audit, or spend more correcting mistakes than a consultant would have cost. For most UK SMEs, the break-even point is clear.

I am a CQI/IRCA certified Lead Auditor who has been implementing ISO management systems for over 20 years. I have conducted audits at organisations that built their own systems and organisations that used consultants. I have seen both approaches succeed and both approaches fail. Here is what actually determines the outcome.

When you probably don't need a consultant

Self-implementation tends to work when someone in the organisation has directly relevant experience — they have implemented or managed an ISO management system before, ideally in a similar sector. It also works when the scope is narrow and well-defined, when internal resource is genuinely available rather than squeezed around other priorities, and when the certification timeline is flexible enough to absorb setbacks.

If all of those conditions apply, self-implementation is a legitimate choice. The risk is not that it is impossible — it is that it takes longer than expected and the gaps tend to appear at Stage 2 audit.

When you have a deadline driven by a contract or tender

If a customer or procurement process requires your certificate by a specific date, the cost of missing that deadline — losing the contract — almost always exceeds the cost of hiring a consultant to make sure you hit it. This is the clearest case for external support.

When you are pursuing ISO 27001

ISO 27001 is categorically more complex than ISO 9001, 14001, or 45001. The risk assessment methodology, the Statement of Applicability, and the 93 Annex A controls all require specialist knowledge to get right. The failure rate at Stage 2 for self-implemented ISO 27001 systems is significantly higher than for the other common standards. This is the standard where attempting self-implementation is most likely to go wrong.

When nobody internally has done it before

Reading the standard and understanding what it requires in practice are different things. The standard tells you what you need to achieve. It does not tell you how to run a management review that satisfies auditors, how to write objectives that are measurable and credible, or how to conduct an internal audit that adds value rather than just filling in a form. That knowledge comes from experience.

When you want the system to actually work

There is a meaningful difference between a management system that passes an audit and a management system that improves how your business operates. Building the latter requires knowing what good looks like — which means having seen a lot of management systems across a lot of sectors. A competent consultant builds systems that your team uses after the auditors leave.

When you are integrating multiple standards

Implementing ISO 9001, 14001, and 45001 simultaneously as an Integrated Management System is significantly more efficient than doing each separately — but only if the integration is done correctly from the start. A consultant who has built integrated systems knows where the overlaps are, what evidence serves multiple standards, and how to structure documentation that is genuinely unified rather than three separate systems bolted together.

What self-implementation actually costs

When organisations attempt ISO certification without support, the typical cost is not zero. It is the accumulated cost of staff time spent researching, drafting, and revising documentation (often significantly underestimated); certification body audit fees for a Stage 2 that raises major nonconformities and requires a follow-up visit; time lost between when certification was expected and when it is actually achieved; and in some cases, starting again after discovering the system that was built will not survive a second surveillance audit.

What an ISO consultant should actually do

A good ISO consultant does not write a generic manual and hand it over. They understand your business before writing anything. They map your existing processes and build the management system around how you actually work. They write documentation in your language, for your people — not in ISO-jargon for an auditor. They train the people who will own and maintain the system. They conduct an independent internal audit that finds real gaps before the certification body does. And they leave you with a system that works without them, because the point is your certification — not ongoing dependency.

Questions to ask before hiring a consultant

Are they certified? CQI/IRCA Lead Auditor certification is the recognised credential for ISO consultants — ask to see it.

Have they worked in your sector? Sector experience matters.

Do they audit as well as consult? Auditor experience is what makes a consultant valuable — they know what auditors look for because they are auditors.

Will you deal with the expert? Some consultancy firms win the work and then assign a junior — ask whether the person you are speaking to is the person who will do the work.

Is it a fixed fee? Day-rate consultancy is hard to budget; fixed-fee proposals give you certainty.

Can I use a consultant for part of the process?

Yes. Some organisations do their own gap analysis and documentation and bring in a consultant only for the internal audit stage — which benefits most from independent review. Others start with a consultant and maintain the system themselves after certification. The engagement model should fit your capabilities and your budget.

How do I know if a consultant is any good?

Ask them to explain the most common reasons organisations fail their Stage 2 audit for the standard you are pursuing. A consultant who gives you a fluent, specific, candid answer to that question has done this enough times to know. A consultant who gives you a sales pitch has not.

Does using a consultant affect how the certification body sees the audit?

No. The certification body audits your management system, not how it was built. A well-implemented system is a well-implemented system regardless of who did the implementation. The auditor's job is to verify it works — not to ask who wrote the documents.

About the author

Rob Pragnell is the founder of Anacruses Associates Ltd and a CQI/IRCA certified Lead Auditor across ISO 9001, 14001, 27001, 45001, and 42001. He has over 20 years of experience implementing and auditing ISO management systems across UK businesses in manufacturing, technology, professional services, construction, and healthcare.
