ISO 27001 remains the gold‑standard information‑security certification in 2025—but the path to that shiny certificate is no longer a one‑size‑fits‑all journey. Some organisations prefer to build an internal “ISO muscle”, investing in staff who live and breathe the controls every day. Others simply want to pass the audit fast and lean on an external consultant to do the heavy lifting. If you are weighing those two options, this in‑depth guide is for you. Below we unpack the 2022 revision of ISO 27001, translate the jargon into plain English, and give you a practical checklist for each route, complete with real‑world costs in US dollars.
Why the 2022 Revision Changes the Game
Although Clauses 4–10 kept their numbering, Annex A was radically streamlined: from 114 controls in 14 domains down to 93 controls in four themes—Organisational (37 controls), People (8), Physical (14) and Technological (34). Eleven brand‑new controls (such as Threat Intelligence, Cloud Services Security and ICT Readiness for Business Continuity) address modern cloud and ransomware risks; the remaining controls were merged or renamed rather than dropped. Every organisation certified to the 2013 edition must transition by 31 October 2025, after which 2013 certificates are no longer valid, so most boards now see ISO 27001:2022 as a mandatory refresh rather than a “nice‑to‑have”.
Route 1 – Train an Internal Implementation Team
Typical timeline: 6–12 months
Typical direct spend: US $2 000 – $8 000 for accredited training, plus audit fees.
Going DIY builds long‑term capability. Once the first audit is over, your team already knows the playbook for surveillance and re‑certification audits. Survey figures (unreferenced here) claim that firms with in‑house ISO leadership cut incident‑response time by up to 40 %; whatever the exact number, the mechanism is real: process owners sit only a Slack ping away, so decisions do not wait on an outside party.
Internal‑Training Checklist
- Nominate an ISMS Owner. Give them authority—and a budget line—to drive the project.
- Send two champions to a Lead Implementer or Lead Auditor course. Cost: about $600 each in India or $1 500 in the US/GCC.
- Run a clause‑by‑clause gap analysis. Map every control to a named asset owner.
- Rewrite policies. Align them with the four new Annex A themes; update the Statement of Applicability.
- Kick off a risk assessment workshop. Use a lightweight tool or even spreadsheets, but record risk criteria and treatment plans.
- Conduct an internal audit. Clause 9.2 requires auditors to be objective and impartial, so the person who built a control must not audit it; use someone outside daily operations, or a second team member, to avoid conflicts of interest.
- Hold a management review. Document decisions, resource needs and continual‑improvement actions.
- Schedule Stage‑1 and Stage‑2 audits. Prepare evidence folders and practise “mock interviews”.
Pros
- Deep institutional knowledge and faster day‑to‑day decision‑making.
- Lower external spend after Year 1.
- Culture shift: security becomes “the way we do business”, not an external test.
Cons
- Steeper learning curve; mis‑interpreting a clause can trigger major non‑conformities.
- Hidden labour cost—key employees may spend 20–30 % of their week on ISO tasks.
- Longer runway if you start from zero maturity.
Route 2 – Hire an External Consultant
Typical timeline: 3–6 months
Typical spend: US $15 000 – $40 000 for a mid‑sized enterprise, audit fees excluded.
Consultants bring ready‑made templates and the scar tissue of past audits. A seasoned auditor‑turned‑consultant can spot deal‑breakers in minutes and head off the findings that auditors raise most often. If time‑to‑market is critical—say you need ISO to win a government contract—external help often pays for itself.
Consultant Engagement Checklist
- Draft a detailed RFP. Demand ISO 27001:2022 experience and industry references.
- Request a fixed‑price gap assessment. Deliverables should include a project Gantt chart and a draft SoA.
- Lock in weekly sprint workshops. Risk, Access Control, Supplier Security, Incident Response.
- Mandate knowledge‑transfer sessions. Ensure editable documents, not PDF hand‑offs.
- Run a consultant‑led mock audit. Fix all findings before the certification body arrives.
- Negotiate post‑audit support. Reduced day‑rates for surveillance audits keep continuity.
Pros
- Fast track: certification in as little as three months.
- Lower risk of audit failure; consultants know which gaps auditors probe first.
- Internal team freed to focus on BAU.
Cons
- Higher upfront cost and possible vendor lock‑in.
- If knowledge transfer is weak, internal capability remains low.
- Shelf‑ware risk: generic policies that do not match actual practice.
Decision Matrix
| Factor | Train In‑House | Consultant |
|---|---|---|
| Cash Outlay | $2 k–$8 k + staff hours | $15 k–$40 k |
| Time to Cert | 6–12 mo | 3–6 mo |
| Audit Risk | Medium–High | Low–Medium |
| Long‑Term Self‑Sufficiency | High | Medium |
Hidden Costs You Should Budget For
Regardless of the route you pick, remember the following line items:
- Certification‑body audits: Stage‑1 + Stage‑2 typically cost between $5 000 and $15 000; the quote is driven by headcount, number of sites and scope, so get it in writing before you plan the budget.
- Technical upgrades: You may need a log‑management platform, MFA licences or secure‑coding training.
- Surveillance audits: the certificate is valid for three years, with surveillance audits in years one and two and a full recertification audit in year three; each is a paid engagement with the certification body.
Final Thoughts
If ISO 27001 is merely an RFP checkbox, a consultant may deliver the fastest ROI. If security is your market differentiator, internal capability yields compounding returns. Many companies blend both: a consultant lays the foundation while an internal champion shadows the work, learning the ropes. By the time surveillance audits roll in, the business owns its ISMS destiny. Whatever path you choose, Tricognix can help with hybrid programmes that unite outside expertise and inside ownership.
What the Auditor Will Actually Ask
During Stage‑1 the auditor mainly plays “document police”: Do you have a documented Information Security Policy? Where is the risk‑assessment methodology? Who signed the Statement of Applicability? Yet in Stage‑2 the tone changes. Auditors will interview developers, HR, even Finance to verify that policies live beyond the SharePoint folder. They may ask a random sysadmin to demonstrate multi‑factor login to a critical server, or quiz HR on onboarding checklists. If you train in‑house, rehearse these scenario interviews. If you outsource, insist the consultant stage live fire‑drills so staff are not caught cold.
Transitioning from 2013 to 2022—A Mini‑Project Inside the Project
Already certified? Do not assume a rubber‑stamp upgrade. You must remap every legacy control to the new themes, update the SoA, and show evidence for the 11 new controls. Companies underestimate the effort here: a 500‑person SaaS vendor in California spent six weeks merely re‑tagging controls in its GRC platform. Factor that into timelines.
Real‑World Cost Scenarios
India – 200‑employee fintech startup: Two staff trained in‑house, low‑cost tooling, remote audit. Total cash outlay: $9 700; timeline: 10 months.
GCC – mid‑market healthcare provider: External consultant, on‑site workshops, bilingual documentation. Total spend: $32 400; timeline: 4.5 months.
US – global e‑commerce brand: Hybrid model: consultant for scoping + cloud‑security controls, internal team for policy maintenance. Total year‑one spend: $48 000; recertification years drop to $12 000.
Common Pitfalls—And How to Dodge Them
- Asset inventory half‑done: Without knowing what to protect, risk assessment is meaningless.
- Policies without owners: Every document must list a name, not “Security Team”.
- Control evidence not centralised: Auditors dislike hunting across email threads. Use a single folder or GRC tool.
- Management review lip‑service: Meeting minutes should record decisions, not generic “noted”.
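The “policies without owners”, “control evidence not centralised” and “map every control to a named asset owner” points above are easy to check mechanically before the auditor does. The following is an added example, not code from the original page or from Tricognix: a small lint for a Statement of Applicability register. It assumes the register is a list of dicts with the keys control, theme, owner, applicable, justification and evidence (that schema is an assumption), enumerates the 93 Annex A controls from their per‑theme counts, and flags generic owners, missing evidence locations, unjustified exclusions, mis‑tagged themes and controls that are absent or duplicated. The sample registers at the bottom are constructed for illustration.

```python
"""Lint a Statement of Applicability (SoA) register against ISO/IEC 27001:2022 Annex A.

Added example. Assumed register schema (not from the page):
  {"control": "5.1", "theme": "Organisational", "owner": "Asha Rao (CISO)",
   "applicable": True, "justification": "", "evidence": "grc://evidence/5.1"}
"""
from collections import Counter

# Annex A 2022: four themes, 93 controls. Control IDs are <clause>.<n>.
ANNEX_A_THEMES = {
    "Organisational": (5, 37),
    "People": (6, 8),
    "Physical": (7, 14),
    "Technological": (8, 34),
}

# Owner values that name a group rather than a person (case-insensitive).
GENERIC_OWNERS = {"", "security team", "it", "tbd", "management", "n/a"}


def annex_a_controls():
    """Return {control_id: theme} for every Annex A 2022 control, e.g. '5.1' ... '8.34'."""
    return {
        f"{clause}.{n}": theme
        for theme, (clause, count) in ANNEX_A_THEMES.items()
        for n in range(1, count + 1)
    }


def lint_soa(rows):
    """Return a sorted list of (control_id, problem) tuples; an empty list means clean."""
    expected = annex_a_controls()
    findings = []

    seen = Counter(r["control"] for r in rows)
    for cid, count in seen.items():
        if cid not in expected:
            findings.append((cid, "unknown control ID (not Annex A 2022)"))
        if count > 1:
            findings.append((cid, f"listed {count} times"))
    for cid in expected:
        if cid not in seen:
            findings.append((cid, "missing from SoA"))

    for r in rows:
        cid = r["control"]
        if cid in expected and r.get("theme") != expected[cid]:
            findings.append((cid, f"theme should be {expected[cid]}"))
        if (r.get("owner") or "").strip().lower() in GENERIC_OWNERS:
            findings.append((cid, "no named owner"))
        if r.get("applicable"):
            if not (r.get("evidence") or "").strip():
                findings.append((cid, "applicable but no evidence location"))
        elif not (r.get("justification") or "").strip():
            findings.append((cid, "excluded without justification"))
    return sorted(findings)


def clean_register():
    """Constructed sample: every control applicable, owned by a named person, with evidence."""
    return [
        {"control": cid, "theme": theme, "owner": "Asha Rao (CISO)",
         "applicable": True, "justification": "", "evidence": f"grc://evidence/{cid}"}
        for cid, theme in annex_a_controls().items()
    ]


def flawed_register():
    """Constructed sample seeded with the pitfalls the lint is meant to catch."""
    rows = clean_register()
    by_id = {r["control"]: r for r in rows}
    by_id["5.1"]["owner"] = "Security Team"                # group, not a person
    by_id["8.7"]["evidence"] = ""                           # applicable, nothing to show
    by_id["7.14"].update(applicable=False, evidence="")     # excluded, no justification
    by_id["6.1"]["theme"] = "Organisational"                # mis-tagged theme
    return [r for r in rows if r["control"] != "8.34"]     # one control dropped entirely


if __name__ == "__main__":
    for cid, problem in lint_soa(flawed_register()):
        print(f"{cid:>5}  {problem}")
```

Run this against an export of your GRC tool or spreadsheet before the Stage‑1 audit; every line it prints is a question the auditor would otherwise ask you in person.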
Next‑Step Action Plan
- Download our free gap‑analysis template.
- Book a 30‑minute discovery call to map your certification route.
- Start a pilot risk assessment on one department to build momentum.
Ready to move? Whether you need a Sherpa or just better climbing gear, Tricognix offers flexible engagement models from coach‑the‑team packages to full turnkey implementations.