In the past few years, data leakage of information assets has become a prominent social issue. According to the National Industrial Security Center in South Korea, 71 percent who suffer from technology leakage are small and medium sized enterprises. Hence, establishment and operation of ISMS (Information Security Management System) for small and medium sized enterprises become an important issue. Since it is not easy to obtain ISMS certification for a small or medium sized enterprise by itself, consultation with an expert firm in information security is necessary before the security implementation. However, how to select a proper security consulting company for a small or medium sized firm has not been studied yet. In this study, we analyze empirically the selection factors of ISMS certification consulting company for a small or medium sized firm through exploratory factor analysis (EFA). Our study identified the following four important factors in selecting a security consulting company: expertise of the staffs and human resource management proficiency, market leading capability, competence to make progress during the consultation, and the performance and the size of the physical assets and human resources.