ISO/IEC 27001 certification means that your company has invested the necessary time in developing its Information Security Management System (ISMS). The ISMS ensures that adequate security controls are in place and that they continually improve over time. This requires the management team to have full control of the organization's information security. To become certified, your company must pass an external audit of its ISMS. For this certification to have any real meaning, you should have an accredited certification body (CB) perform the external audit. This audit is typically conducted in several phases:
Document Request List Initiated – an accredited CB will request copies of your organization's ISMS documentation. Thereafter, they will review all necessary documentation and schedule an onsite visit.
Onsite Audit – staff members from the accredited CB will methodically work through their audit checklist to gather the evidence that the ISMS is operating correctly. The ISMS policies, standards and procedures will be compared against the ISO/IEC 27001 requirements. All key areas must have supporting evidence and artifacts that are fully documented and tested, to confirm that each ISO/IEC 27001 requirement is being met by your organization's ISMS.
Audit Wrap-up – the formal results of the ISO/IEC 27001 audit will be documented and discussed with your organization's management team. These documented results typically fall into one of three categories of risk, each of which could impede the issuance of your organization's ISO/IEC 27001 certification:
i. Observation – general best-practice recommendations.
ii. Minimal Non-Compliant – issues that need to be addressed in the near future for the certificate to be granted. Their resolution would be confirmed by a follow-up visit.
iii. Major Non-Compliant – issues discovered that would prevent the ISO/IEC 27001 certificate from being awarded. Typically, an audit would be suspended once a 'Major' issue is identified, which allows your organization time to fix the issue before continuing the ISO/IEC 27001 certification process.
If all necessary requirements are met, your organization's certificate will be issued. Thereafter, there will be periodic follow-up audits for as long as your organization chooses to maintain its certification. A formal recertification is required every three years, as ISO/IEC 27001 certificates are only valid for a three-year timespan.
Knowing where to begin with ISO/IEC 27001 certification, and how far your organization currently is from meeting its requirements, can be daunting. At Turner and Associates, we can help guide your organization through the entire ISO/IEC 27001 certification process. Our auditors have extensive experience in performing ISO/IEC 27001 gap analyses of an organization's ISMS implementation. We will examine all of the controls currently implemented at your organization and compare them against the ISO/IEC 27001 requirements. For each gap we locate, we will provide a detailed recommendation to assist your organization in closing the non-compliance issue identified. We believe our guidance in this area can play a crucial part in your organization becoming ISO/IEC 27001 certified, and we can assist your organization throughout the entire process.