
Estimating the price for risk assessment

Guest user Created:   Jul 08, 2016 Last commented:   Jul 08, 2016

I am facing difficulty in estimating the price of a risk assessment for a client with 600 employees divided across 3 branches. They are primarily interested in checking the roles and responsibilities of their IT/security department and the processes, and in performing the asset-based risk assessment. What are the criteria based on which you charge the clients? What should be the average price per user, price per computer, or how do you do it?

Expert
Dejan Kosutic Jul 08, 2016

Answer:

When acting as a consultant, you normally charge per hour or per day - for risk assessment jobs it is usually per day. To calculate the amount of time you'll need for your job, you have to know the following:
- Are you going to perform the interviews with all the department heads, or are they going to fill out the risk assessment sheets themselves?
- Are you going to participate in determining the security controls, or will the client do this on their own?
- Which other documents should you write?

By the way, as part of our ISO 27001 Consultant Toolkit https://advisera.com/27001academy/consultants/ you'll find a document called "Division of tasks & time plan" which describes all the tasks in more detail, together with the expected timing for each.

In my book Secure & Simple you'll find a detailed explanation of the risk assessment process: https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/

This article may also help you: 3 phases of delivering an ISO 27001/ISO 22301 consulting job https://advisera.com/27001academy/blog/2015/09/28/3-phases-of-delivering-an-iso-27001iso-22301-consulting-job/
