Most companies looking for an ISO consultant start with a Google search, get overwhelmed by nearly identical websites, and end up choosing based on whoever responds fastest or quotes lowest. That approach works about as well as hiring an attorney based on their billboard.
I have helped more than 200 organizations achieve ISO certification across seven different standards, with a 100% first-time audit pass rate. In that time I have seen what makes a consulting engagement succeed and what makes it quietly fail months before the auditor ever arrives. This guide is the conversation I wish every prospective client had before signing an engagement letter.
If you want the shorter version focused on red flags and warning signs, I wrote a companion piece on how to spot compliance consultant red flags. This guide goes deeper: what ISO consultants actually do, how engagement models differ, what drives cost, and how to evaluate credentials standard by standard.
What Does an ISO Consultant Actually Do?
An ISO consultant helps your organization build and implement a management system that meets the requirements of a specific ISO standard, then prepares you to pass the certification audit on the first attempt. That is the job in one sentence. Everything else is details about how well or how poorly it gets done.
In practice, a good ISO consultant does four things:
- Gap assessment. They evaluate your current processes, documentation, and organizational practices against the requirements of the target standard. The gap assessment tells you exactly where you stand and what needs to change.
- System design and documentation. They help you build the policies, procedures, work instructions, and records that the standard requires. The critical word here is "help"—a good consultant documents what your organization actually does, not what a template says a generic company should do.
- Implementation support. They work alongside your team to embed the management system into daily operations. This is where the difference between a good consultant and a bad one becomes obvious. Templates gather dust. Implemented systems pass audits.
- Audit preparation. They conduct internal audits, management reviews, and mock certification audits so your team knows exactly what to expect when the registrar arrives.
A consultant who skips any of these steps is cutting corners that will show up during your certification audit. If someone offers to "get you certified" by handing over a set of documents, that is not consulting. That is a transaction with a predictable failure rate.
Types of ISO Consulting Engagements
Not every organization needs the same level of support. Understanding the engagement models available helps you match the right level of consulting to your actual situation.
| Engagement Type | What You Get | Best For | Typical Duration |
|---|---|---|---|
| Full-Service Implementation | Gap assessment through certification audit—the consultant manages the entire project | Organizations new to ISO certification or those with limited internal quality resources | 3–12 months |
| Gap Assessment Only | A detailed report of where you stand vs. the standard's requirements | Organizations that want to understand their readiness before committing to full implementation | 1–4 weeks |
| Documentation Development | Custom policies, procedures, and records built to match your actual operations | Organizations with strong processes but poor documentation | 4–12 weeks |
| Internal Audit & Mock Certification | Independent audit against the standard, followed by a mock certification audit | Organizations preparing for an upcoming certification or surveillance audit | 1–3 weeks |
| Integrated Management System (IMS) | Combines two or more standards (e.g., ISO 9001 + 14001 + 45001) into one system | Organizations pursuing multiple certifications who want to avoid duplicate processes | 6–18 months |
| Ongoing Advisory/Retainer | Continuous compliance support, surveillance audit prep, management review facilitation | Certified organizations that want to maintain and improve their system over time | Monthly |
The engagement type you need depends on where you are, not where you want to be. A company with an existing quality system that just needs alignment to a new standard is in a fundamentally different position than a company building from scratch. Any consultant who quotes the same scope for both situations is not listening.
Credentials That Matter (and Why Most Lists Get It Wrong)
Most "how to hire a consultant" articles give you a checklist of acronyms without explaining what they actually mean for your engagement. Here is what I think matters and why.
The credentials that signal real competence
- Lead Auditor certification (IRCA or Exemplar Global). This means the consultant has been trained and assessed as competent to lead a third-party audit against the standard. A consultant who has never been on the auditor side of the table will struggle to prepare you for someone who has.
- ASQ certifications (CMQ/OE, CQA, CFSQA). These are exam-based credentials from the American Society for Quality that require both experience and demonstrated knowledge. They are verifiable at asq.org.
- RAC (Regulatory Affairs Certified). Issued by RAPS, this credential signals regulatory strategy competence. Essential if your ISO implementation intersects with FDA or other regulatory submissions.
- PMP (Project Management Professional). An ISO implementation is a project with a defined scope, timeline, and budget. A consultant who can manage the project, not just advise on the standard, will deliver more reliably.
What most lists miss
Credentials tell you what someone studied. Track record tells you what they can do. I would take a consultant with a CMQ/OE and 150 first-time audit passes over a consultant with six acronyms after their name and no verifiable client outcomes.
The question that matters most is not "what letters do you have?" It is "how many clients have you taken through this standard, and what percentage passed on the first audit?" If a consultant cannot answer that question with a specific number, that tells you something important.
For a deeper look at how to verify credentials and spot consultants who inflate their qualifications, see our guide to compliance consultant red flags.
7 Questions to Ask Before You Hire an ISO Consultant
These are the questions I would ask if I were the one hiring. They are designed to separate consultants who do the work from consultants who sell the work.
- "What is your first-time certification audit pass rate, and across how many clients?" Specific numbers matter. "Very high" is not a number.
- "Who will actually perform the work on our engagement?" At larger firms, the credentialed principal often sells the engagement while junior staff execute it. Know who you are getting.
- "Walk me through the last major revision of [our target standard]. How did you adapt your methodology?" This tests whether they are current. ISO 9001:2015, ISO 27001:2022, and ISO 42001:2023 all introduced significant structural changes. A consultant working from outdated knowledge will build you an outdated system.
- "Do you build documentation from templates or from our actual processes?" The right answer is "from your actual processes, using proven frameworks as a guide." If the answer is just "templates," your documentation will not reflect how your organization operates, and your auditor will notice.
- "What happens if we do not pass the certification audit?" Understand the consultant's remediation approach and whether they share any risk in the outcome.
- "Can you provide references from organizations similar to ours in size and industry?" And call them. Ask the references: "Did the consultant deliver what they promised, on the timeline they promised?"
- "How do you handle knowledge transfer to our internal team?" The mark of a good engagement is that your team can maintain and improve the management system after the consultant leaves. If the consultant builds a system that only they understand, you are dependent on them indefinitely.
What ISO Consulting Should Cost (and What Drives the Price)
Cost is the question everyone wants answered and most consultants avoid. Here is a straightforward breakdown based on what I have seen across hundreds of engagements.
| Standard | Gap Assessment | Full Implementation | Key Cost Drivers |
|---|---|---|---|
| ISO 9001 | $3,000–$8,000 | $15,000–$50,000 | Number of sites, process complexity, existing documentation maturity |
| ISO 14001 | $3,500–$10,000 | $18,000–$55,000 | Environmental aspects/impacts scope, regulatory permit complexity |
| ISO 45001 | $3,500–$10,000 | $18,000–$55,000 | Workforce size, hazard profile, existing safety programs |
| ISO 13485 | $5,000–$15,000 | $25,000–$80,000 | Device classification, design control complexity, regulatory market (FDA, EU MDR) |
| ISO 27001 | $5,000–$12,000 | $25,000–$75,000 | Scope of information assets, existing security controls, cloud vs. on-premise |
| ISO 22000 | $3,000–$8,000 | $15,000–$45,000 | HACCP plan complexity, supply chain scope, prerequisite program maturity |
| ISO 42001 | $5,000–$15,000 | $30,000–$90,000 | AI system inventory, risk assessment scope, regulatory landscape (EU AI Act, NIST AI RMF) |
What drives cost up: multiple sites, complex regulatory environments, minimal existing documentation, tight timelines, and standards with heavy technical documentation requirements (ISO 13485, ISO 27001, ISO 42001).
What drives cost down: mature existing processes, strong internal quality staff, single-site scope, and realistic timelines that allow the consultant to work efficiently.
A consultant who quotes significantly below these ranges is either cutting scope, using generic templates without customization, or planning to bill you for change orders later. A quote that seems too good to be true in consulting is exactly that.
Standard-by-Standard: What to Look for in Your Specific Certification
Each ISO standard has its own technical requirements, and the consultant you choose should have demonstrated experience with yours. Here is what matters most for each:
ISO 9001 — Quality Management
The most common ISO standard and the one with the most consultants claiming expertise. Look for consultants who emphasize process-based thinking and risk-based approaches (the core of the 2015 revision), not those still focused on the old document-heavy 2008 model. Your consultant should be able to build a quality management system that works for your organization, not one that looks good in a binder.
ISO 14001 — Environmental Management
Requires specific competence in environmental aspects and impacts identification, legal compliance evaluation, and life cycle perspective. A consultant who only knows quality management will struggle with the environmental regulatory overlay that ISO 14001 demands.
ISO 45001 — Occupational Health & Safety
Worker participation and consultation requirements distinguish this standard from its predecessor OHSAS 18001. Your consultant should understand hierarchy of controls, hazard identification methodology, and how to integrate OH&S into operational planning rather than treating it as a standalone program.
ISO 42001 — AI Management Systems
The newest ISO management system standard (published December 2023) and the one with the fewest experienced consultants. Look for someone who understands AI risk assessment, the intersection with the EU AI Act and NIST AI Risk Management Framework, and how to build responsible AI governance that satisfies the standard without paralyzing innovation. This is a first-mover space with very low competition for qualified consultants.
ISO 13485 — Medical Devices
The most heavily regulated ISO standard due to its intersection with FDA 21 CFR Part 820 and EU MDR. Your consultant must understand design controls, risk management (ISO 14971), software validation, and regulatory submission requirements. This is not a standard where a generalist quality consultant can improvise.
ISO 27001 — Information Security
Requires competence in information security risk assessment, Annex A controls (93 controls in the 2022 revision), Statement of Applicability development, and security incident management. The 2022 revision reorganized controls significantly—a consultant still working from the 2013 structure is out of date.
ISO 22000 — Food Safety Management
Combines ISO management system structure with HACCP principles. Your consultant should understand prerequisite programs (PRPs), hazard analysis methodology, and how ISO 22000 relates to GFSI-recognized schemes like SQF, BRC, and FSSC 22000. For food safety consulting options beyond ISO 22000, see our full food safety certification services.
The Engagement Model That Actually Works
After hundreds of engagements, I can tell you the model that consistently produces first-time audit passes: the consultant works alongside your team, builds documentation from your actual processes, and transfers knowledge at every step so your people own the system when it is done.
That model has three characteristics:
- Process-first documentation. The consultant observes and interviews, then documents what your organization actually does. The documentation reflects reality. When the auditor asks your shop floor team about a procedure, their answer matches what is written down because the procedure was written from what they told the consultant in the first place.
- Embedded knowledge transfer. Your internal team participates in every phase—gap assessment, documentation development, internal audits, management review. By the time the certification audit arrives, your quality manager can explain and defend the system because they helped build it.
- Mock audit rigor. A proper mock audit is not a formality. It is a full simulation of the certification audit, conducted by someone with lead auditor credentials, with formal findings that get corrected before the real auditor arrives. If your consultant treats the mock audit as a checkbox, you are not getting your money's worth.
The opposite model—a consultant who drops off a template package, spends a few hours on a call, and wishes you luck—costs less upfront and more in every way that matters. Failed audits, re-audits, corrective action plans, and the organizational demoralization that comes with them.
To learn more about how we approach implementation end-to-end, see our A-to-Z service methodology. To hear from organizations who have been through it, read our client success stories.
FAQ: Choosing an ISO Consultant
How much does an ISO consultant cost?
ISO consulting costs vary by standard, company size, and engagement model. A full-service ISO 9001 implementation for a small-to-mid-sized company typically runs $15,000 to $50,000. Gap assessments alone range from $3,000 to $12,000. ISO 13485 and ISO 27001 engagements tend to run higher due to regulatory complexity and technical documentation requirements. Template-only packages cost $200 to $2,000 but carry a much higher risk of audit failure.
What credentials should an ISO consultant have?
Look for credentials from recognized professional bodies: ASQ certifications (CMQ/OE, CQA, CFSQA) for quality management, IRCA or Exemplar Global lead auditor certifications for audit competence, and PMP for project management. For regulated industries, RAC (Regulatory Affairs Certified) from RAPS signals regulatory strategy expertise. The most telling credential is a verifiable track record of first-time audit passes across a substantial client base.
How long does ISO certification take with a consultant?
Typical timelines depend on your starting point and the standard. ISO 9001 for a small-to-mid-sized organization takes 3 to 9 months. ISO 14001 and ISO 45001 follow similar timelines. ISO 13485 for medical devices often takes 6 to 12 months due to design control and risk management documentation. ISO 27001 typically takes 6 to 14 months depending on scope and existing security controls. A consultant should provide a milestone-based timeline at the start of any engagement.
Can one consultant handle multiple ISO standards at once?
Yes, and there are real efficiency gains when a single consultant implements an Integrated Management System (IMS) combining standards like ISO 9001, 14001, and 45001. The management system core—document control, internal audit, management review, corrective action—overlaps significantly across ISO standards. The key requirement is that the consultant holds credentials and demonstrated experience in each standard being implemented.
What is the difference between an ISO consultant and a certification body auditor?
An ISO consultant works for you. They help you build, implement, and prepare your management system for certification. A certification body auditor works for an accredited registrar (like Bureau Veritas, BSI, or DNV) and evaluates your system against the standard to grant or deny certification. Due to impartiality requirements in ISO 17021, the same person cannot consult and audit the same client. Your consultant prepares you; the auditor evaluates you.
Should I choose a solo ISO consultant or a large consulting firm?
Both can deliver excellent results. The deciding factor is who actually does your work. Solo consultants with strong credentials often provide more senior-level attention than firms where a credentialed principal sells the engagement but junior staff execute it. With larger firms, always ask who will be assigned to your project day-to-day and what their individual credentials are. The best engagement is one where the person doing the work has the credentials and experience to back it up.
Last updated: 2026-04-07
Jared Clark
JD, MBA, PMP, CMQ-OE, CPGP, CFSQA, RAC
Jared Clark is the founder of Certify Consulting. He has helped more than 200 organizations achieve certification across ISO, GMP, food safety, and regulatory frameworks with a 100% first-time audit pass rate.