An overview of the ISO27001 certification process
The ISO27001 certification process is what happens to get an organisation an ISO27001 certificate that they can proudly show off to the world to say that they meet the requirements of ISO27001.
An independent organisation, the “certification body”, performs this check/audit by sending certification auditors into your organisation to ask a lot of questions. If all goes well you get your certificate. They then come back at intervals over the next 3 years to check that you should still keep the certificate.
You need a properly “accredited” certification body to do this. Be careful as not all certification bodies are “proper”. There is some guidance about this in this article. https://www.dhirubhai.net/pulse/how-choose-iso27001-certification-bodyregistrar-chris-hall/
There are some variations in how this all works depending on the certification body but this article focuses on what should be done by all properly accredited certification bodies.
Findings and the reports
You will get a report after each stage/audit giving details of any findings. There are typically 3 types of findings that will be raised during the audit and put into a report:
Major non conformity. You have a major problem with your ISO27001 implementation. Bad.
Minor non conformity. You have a minor problem with your ISO27001 implementation. Not quite so bad but not good.
Opportunity for Improvement. This is something that the auditor does not think is wrong as such but that could benefit from improvement in some way. It is a suggestion/recommendation. In theory you can ignore it, but if you know you are going to ignore it when the auditor raises it, you are best to tell them at the time rather than let them raise it.
Do not let the auditor raise a major or minor non conformity unless you fully understand it. It is essential that you know what you would need to do to make sure that the finding is "cleared" at the next audit and not raised again. Do not let the auditor leave until you are sure about this for all the non conformities.
Between the audits you are unlikely to hear from or need to be in contact with your certification body apart from setting up the dates for the next audit. I.e. there is no check on the status of the findings from an audit until the next audit.
Getting the certificate in the first place.
There are two formal separate stages/audits to getting the certificate in the first place. If all is well at the second stage you will get your certificate.
The length of time between the two stages/audits is to some extent up to you but I recommend at least a few weeks between them.
Stage 1 Certification Audit.
This is usually just a day or two and its primary purpose is to see if you are ready enough for the Stage 2 to take place. A Stage 1 audit is sometimes called a "documentation audit" and is usually fairly high level. If it makes sense to do so, the auditor comes on site at the main location where ISO27001 has been implemented. During the Stage 1 audit the auditor will typically only talk to a very small number of people, mostly just whoever implemented the main bits of ISO27001. They are unlikely to look at any of the controls.
It is a good idea to be open with the auditor during the Stage 1. You can't "fail" a Stage 1 audit as such and you want the auditor to check and see as much as possible to avoid any possible surprises at the Stage 2.
You must fix all the major non conformities before the Stage 2. Technically speaking you do not have to fix all the minor non conformities before the Stage 2 but you should and many certification bodies will insist on it. I also suggest that you try to implement as many of the opportunities for improvement as you can unless you have a very good reason not to.
Stage 2 Certification Audit.
The "big one".
The auditor will cover all the items covered at the Stage 1 but in more detail. They will also cover many more topics. They will also want to visit more locations and talk to a lot more people, etc. How long this all takes will vary but the main factor affecting the length of time is the number of people and the number of locations.
One of the first items to be covered during a Stage 2 audit is going through any findings from the Stage 1 and checking what you have done about them.
If you get any major non conformities you will not get your certificate. You can have some minor non conformities and still get your certificate but if you have a lot of them then that may be treated as a major. If you get a major non conformity you will need to fix it before asking the certification body to come back to check that you have properly addressed it before you will get your certificate.
At the closing meeting of the Stage 2 audit you will have a pretty good idea whether you are going to get your certificate but the auditor will not confirm this for certain either way. They are not allowed to. This is because the rule is that whatever the auditor thinks must be checked back at head office. Only when head office is happy will you get informed about the results of the audit. How long this takes varies considerably. Some certification bodies will give you a decision in a few days. Some can take over a month. If the timing of the decision is important you should emphasise this to the certification body.
The certificate lasts for 3 years unless the certification body withdraws it for some reason.
Stage 3 Surveillance Audits
These take place at intervals over the 3 years since the Stage 2. The interval varies. It can be 6 months but must not be more than 12 months. The objective is to make sure that you are still worthy of the certificate. In practice a surveillance audit is like a much shortened version of a Stage 2 audit: all the main ISO27001 requirements (clauses 4 to 10) are usually covered, but only a subset of the controls, locations, business areas, etc. will be audited. Over the 3 years the idea is to cover a representative selection of controls, locations, business areas, etc. and not just the same ones each time.
If you get a major nonconformity at a Stage 3 audit the certification body will threaten to take the certificate off you. You usually get a short period of time, perhaps a few weeks, to fix the problem. If you don't, they will take the certificate off you. Very bad.
Recertification Audit
Just before the three year anniversary of the initial Stage 2 you will be due a recertification audit and if all goes well you will get a new certificate. A recertification audit is usually very similar to the original Stage 2 audit. Don't get a major non conformity.
Chris
An index of all my articles is here: https://btrp.co.uk/Articles2
Head of Enterprise Security Architecture at National Highways and Honorary Research Fellow in Archaeology.
1 yr ago: There are various online platforms which people can use from PhalanxGRC, isms.online to Conformio. Do you have a preference?
Consultant and Professor (FIA-USP) (ABBC) | 25 years in the market and academia in Information Security and Cybersecurity | * I deliver results, share knowledge and add value to my clients.
1 yr ago: Simple and to the point as it should be. Congratulations Chris Hall!
Digital Trust and Cybersecurity Workforce Development | Personal Career Development | Digital Trust and Cybersecurity Professional | Creator of Social Value | Enabler of Social Mobility | Consultant | Trainer | Founder
1 yr ago: "You need a properly “accredited” certification body to do this". Some of the non-accredited CBs I have come across are excellent. Depends what level of assurance is needed and of course RoI. As always due diligence and a clear understanding of the objective is required.
What’s at stake? What does ‘secure (enough)’ look like?
1 yr ago: Try the Oxford Dictionary of English for objectives: it always fits if you can put a number on it. Zero incidents is defendable, but so wrong. Major, minor, or opportunity for improvement?
Information Security Enthusiast, ISO 27001:2022 LI, IS Audit, CISSP, Lifelong Learner
1 yr ago: Thanks for sharing. Good content.