Once an organisation has implemented ISO 27001’s requirements, the next step is often to seek certification. Not all organisations do this, but there are many benefits to certifying to the Standard, so it’s something that should at least be considered.
The process involves going through an ISO 27001 certification audit, in which an auditor from an accredited certification body (not the accreditation body itself, which accredits certification bodies rather than auditing organisations) visits an organisation to examine its ISMS (information security management system). If they are satisfied with what they see, and any nonconformities they raise have been addressed, the certification body will award a certificate.
The audit takes place in two stages:
Stage 1: Initial audit
Before diving into their investigation, the auditor will make sure the organisation’s ISMS has been developed in accordance with the Standard. This stage is primarily a review of the ISMS documentation (scope, policies, risk assessment and Statement of Applicability) to confirm the organisation is ready for the full audit.
The organisation is expected to present evidence of all key aspects of the ISMS. How much it needs to show depends on the requirements of the certification body carrying out the audit.
Stage 2: Full audit
If the organisation passes the initial stage, the auditor will conduct a more thorough examination. This involves looking at the development of the ISMS (by analysing the organisation’s policies and procedures), as well as how it works in practice (with an on-site investigation that checks the controls listed in the Statement of Applicability are actually implemented and effective). The auditor will also interview key members of staff.
Preparing for the audit
The certification process can seem daunting, but here are five tips to help you pass with as little hassle as possible:
1) Be prepared: You can get a good idea of whether you’re ready for a certification audit by conducting an internal audit. The Standard requires internal audits in any case, so the certification auditor will expect to see evidence that one has been carried out and that its findings were acted on.
2) Be selective about who you partner with: When choosing an internal auditor, you can pick someone in-house or opt for a third party. An in-house auditor will be more cost-effective than a third party, but you risk a conflict of interest and an inaccurate report if the auditor is not independent of the area being audited.
3) Choose an accredited certification body: This ensures that your certificate is legitimate and respectable. Accreditation means a national accreditation body has assessed the certification body against ISO/IEC 17021-1, the international standard setting out requirements for bodies that audit and certify management systems. Non-accredited certification bodies usually don’t operate in line with that standard, and certificates they issue may not be recognised by your customers or regulators.
4) Pick proven, easy-to-understand tools: You’ll need to use software and other tools when creating an ISMS. Make sure these enable you to store all your documentation in one place, as this will make it easier to review and amend policies and procedures.
5) Don’t settle for less than the best: The easiest path to certification is to get expert help. IT Governance is a premier source of ISO 27001 guidance, with a variety of resources to help you with whatever stage of the process you are struggling with. Our team led the implementation of the world’s first ISO 27001-compliant ISMS, and we’ve since helped more than 600 companies certify to the Standard.
Get certification ready with our ISO 27001 implementation bundles
IT Governance offers a range of implementation bundles to help you achieve ISO 27001 certification, eliminating the costs of extensive consultancy work, travelling and other expenses.
You can also receive hands-on guidance from an ISO 27001 implementation specialist at critical points of your project, helping you to achieve certification without the added expense of a traditional consultancy.