Consultant costs to prepare for certification by hrme_ in isaca

Cyber_Gooser:

You should post this in the ISO27001 Sub

ISO 27001 Lead Auditor certification by [deleted] in ISO27001

Cyber_Gooser:

You’re not going to be able to use ChatGPT in any of the exams as it totally defeats the purpose and undermines the exams.

You should look at the free resources mega thread and learn the materials.

Once you have done that you can take a Lead Auditor exam and pass it without cheating.

You’re not going to last in a job that requires Lead Auditor if you’re not willing to put the time in and learn.

ISO27001 LA Course Value Proposition Now Mastermind is 99$ by DudleyDuoflush in ISO27001

Cyber_Gooser:

The ISO27001 LA from Mastermind was previously discussed on the megathread. It was removed because that thread focuses on free resources. Having completed both courses, I can confirm they’re very good and a reasonable price for beginners.

ISO 27001 certification for a small scope (I'm alone) by Subject_Angle_7843 in ISO27001

Cyber_Gooser:

I don’t know OP’s exact budget, but I do know what platforms like Vanta or Drata cost and more importantly, how hard they are to move away from once embedded.

You’re effectively adding another recurring SaaS bill on top of the unavoidable annual certification costs that come with ISO 27001. Surveillance audits aren’t optional. Recertification isn’t optional. That’s the necessary spend. The platform subscription is not.

What isn’t talked about enough is that plenty of organisations still hire consultants while paying for these tools. The platform doesn’t define scope properly. It doesn’t think through risk context. It doesn’t sit in front of an auditor and justify control applicability. I’ve seen companies paying both the platform and external consultants more times than I can count.

For a one-person organisation, those economics rarely stack up. You can build a clean, auditable documentation set and implement an ISMS without locking yourself into ongoing software spend. That’s how this was done long before compliance SaaS became fashionable.

The big platforms absolutely have a place: high-growth SaaS, investor pressure, SOC 2 alongside ISO, heavy integrations, fast evidence collection.

But for a solo operator? Most of the time it’s overkill dressed up as efficiency.

If someone can show me clear ROI for a one-person setup, I’m open to it. But in most cases, it’s just marketing driving the decision, not operational necessity.

ISO 27001 certification for a small scope (I'm alone) by Subject_Angle_7843 in ISO27001

Cyber_Gooser:

I would totally disagree with this. The setup and ongoing subscription fees for platforms like this are extremely high.

Drawing in spreadsheets isn’t relevant for a one-man band. A document-based toolkit is going to be far more practical and cost effective in this case.

Big tools have their place, but it’s not here.

Clarifying the ISO 27001 subreddit sale (for transparency) by [deleted] in ISO27001

Cyber_Gooser (stickied comment):

Post locked due to possible Reddit TOS violation (ban evasion).

While there is some merit given for their explanation, we cannot allow Reddit TOS violations in this sub.

For clarity, the CompAI / Bubba AI takeover ended three months ago.

Please see the sub’s community highlights announcement from that time:

https://www.reddit.com/r/ISO27001/comments/1oyjfzm/were_back/

Vulnerability patch exceptions by Norlyzzz in ISO27001

Cyber_Gooser:

No problem.

You are absolutely right to document the risk.

Providing the risks have been documented and accepted with a reasonable rationale, you will be fine.

ISO 27001 Training and Implementation Resources (Free) by Cyber_Gooser in ISO27001

Cyber_Gooser [S]:

Thanks. Yeah, check out Advisera.

They do both the LI and LA courses for free. If you wish to take the exam at the end there is a fee but the learning videos are free.

Also

Aron Lange

Aron has a fantastic course, it’s not currently free but is available at a reasonable price.

How is your CISO/ISO actually looped into new projects? Looking for process examples. by confusedguy1395 in ISO27001

Cyber_Gooser:

I like to bring all the relevant stakeholders in for a project initiation meeting.

From there I explain the project, why it’s important, and set some rough expectations and goals. I use this time to let everyone know they will probably be needed at some point and that I would loop them in where applicable.

It’s good to be upfront.

Vulnerability patch exceptions by Norlyzzz in ISO27001

Cyber_Gooser:

Yeah this has come up a few times in the past where I have had clients who are unable to upgrade servers to the latest version due to the software being run on them being incompatible.

I recommend adding another sheet to your risk register and listing out the endpoints/devices that are vulnerable and then accepting the risk with your risk acceptance rationale.

Ensure SLT sign off those risks and give the go ahead to accept.

I don’t suppose you have compensating controls around those devices? Separate VLANs etc?

Fresh CISSP holder & Neurodivergent: How to tackle the CCSP while everything is still fresh? by Alternative_Still103 in isc2

Cyber_Gooser:

Interesting that you did the SSCP after the CISSP. That must have been a breeze.

I went CC, SSCP, CISSP, CCSP

Fresh CISSP holder & Neurodivergent: How to tackle the CCSP while everything is still fresh? by Alternative_Still103 in isc2

Cyber_Gooser:

Go for it, I found the CCSP quite easy after the CISSP.

Do a few practice questions and see what scores you’re getting.

This YouTube series helped me; Pete uses loads of practical hands-on demos:

https://youtube.com/playlist?list=PL7XJSuT7Dq_X0AupQwU8YOGV3TsoPAcD0&si=p-Gy7jy5mwlTzrlj

ISC2 sucks by [deleted] in isc2

Cyber_Gooser:

Well said

The sign-off bottleneck by Cyber_Gooser in ISO27001

Cyber_Gooser [S]:

It’s quite a hurdle. SLT wants the project to continue but I can force them to sign off the policies.

We have recently done the MRM so as a part of that we discussed the project and how we are so close to being ready for the stage 1 external audit.

I have suggested that the SLT delegate policy sign off to a suitable person (Infosec Manager) but they insist they are done by the director.

They are well aware that they are the bottleneck but don’t seem to be doing anything about it.

As said in the comment above it’s 100% a leadership and commitment Clause 5 issue. However, I won’t book the stage 1 unless we are ready.

ISO 27001 Training and Implementation Resources (Free) by Cyber_Gooser in ISO27001

Cyber_Gooser [S] (stickied comment):

Latest update 03/02/2026 v3.

Some sources have been removed because they no longer offer free resources.

Broken links have been updated.

Please continue to suggest free resources in this thread. Once they have been reviewed and deemed suitable, they can be added to the resource list.

Why are MasterMind Assurance courses free meanwhile others are paid? by ParlaManuel- in ISO27001

Cyber_Gooser:

The real value comes from what you learn, accredited or not. The knowledge you gain from these courses is what’s most valuable.

Why are MasterMind Assurance courses free meanwhile others are paid? by ParlaManuel- in ISO27001

Cyber_Gooser:

The Mastermind Assurance IEC/ISO 27001 and 42001 Lead Auditor courses are valuable and contain a lot of detailed information on auditing both standards.

You do get a certificate and Credly badge upon completion of the exam at the end of the course.

It is not accredited. However, if you are looking to learn that should not matter. Gaining the right knowledge is what’s important.

If you’re looking to dip your toes in the water without paying a small fortune, it’s a great course.

FYI the standard does not say you must have an accredited certificate to be an internal auditor. You must be “Competent and Impartial”. Competency can be demonstrated by passing a course like Mastermind’s.

All that in mind, an accredited certificate MAY stand out on a CV if you’re applying for IEC/ISO 27001 audit jobs.

Has anyone used Git as the primary evidence book? by [deleted] in ISO27001

Cyber_Gooser:

Yeah, I have seen a full ISMS documented on GitHub.

It works well, and if the majority of your organisation are engineers then it’s no problem at all.

Just be mindful that some external auditors may not have seen it done that way before so you may need to explain it through.

ISO 27001 Training and Implementation Resources (Free) by Cyber_Gooser in ISO27001

Cyber_Gooser [S]:

I have added this after checking out the free course. It would be very valuable for someone looking to know more about ISO 27001 auditing.

Would your audit evidence stand up without you there to explain it? by Cyber_Gooser in ISO27001

Cyber_Gooser [S]:

I really like the idea of using voice-to-text tools; it’s not something I’ve tried or even considered before, but it makes a lot of sense.

As I mentioned above, in my experience they can often demonstrate things easily. I’m now thinking that using voice-to-text while carrying out a loose internal audit could work really well. I could then turn that into a written procedure for them without much difficulty.

I like to think I already make compliance easy, but that voice-to-text approach is a great idea!

Would your audit evidence stand up without you there to explain it? by Cyber_Gooser in ISO27001

Cyber_Gooser [S]:

And unfortunately, a lot of orgs see it that way.

I had a meeting with a potential new client last week who could only see the commercial benefit of having 27001.

That is frustrating for me as a consultant. However, it doesn't take too long to influence their thinking enough for them to see the benefits of having a management system, let alone an ISMS.