We’re getting quotes for external support on our ISO 27001 renewal across our three offices and the difference between consultants is honestly baffling me.
One firm quoted a fixed package - sounds clean on paper, but it’s nearly 3x what two hourly-rate consultants quoted for what looks like the same scope. The fixed-price firm keeps saying ‘no surprises’, but I’ve worked with hourly consultants before who came in under estimate.
My GM wants the fixed price because it’s ‘easier to budget’, but I feel like we’re just paying for their risk buffer.
Anyone in a similar multi-site setup dealt with this? Curious whether the peace of mind is actually worth it or if I’m about to win this argument with my GM.