So your information security management system, or ISMS, is finally ready. You’ve defined your scope and context, set your objectives, assessed your risks, put your controls in place, completed a management review and conducted some internal audits. How does your organization become certified to the ISO27001 standard?
The first step is to choose a registered certification body, or RCB. There are plenty to choose from, but we recommend that you go for one that is accredited by an accreditation body in your country that is part of the International Accreditation Forum, or IAF. This helps to ensure your certificate carries some weight once you have it.
You’ll need to contact the RCB to obtain and agree a quote for their auditing services. Rates vary, so you may want to contact more than one. Ensure you answer their questions accurately, as your answers will determine how many audit days they quote for, and therefore how much your certification will cost.
Once you’ve chosen your RCB, certification is a two-stage process. Stage one is a review of your scope and your documentation to reach a view about how ready you are for the stage two certification audit.
If you are well prepared, the gap between stage one and stage two may be short. Otherwise you may need some time to address any issues that were found at stage one.
Stage two will be an in-depth look at your ISMS. You should be provided with an audit plan which will set out the structure of the audit, including areas to be reviewed, people to be met and timings.
Auditing is quite strictly regulated, so the auditor will have specific things they need to do, in a specific format, starting with an opening meeting and ending with a closing meeting. Do what you can to make it easy for them by providing access to the relevant documents and resources as quickly and smoothly as possible.
Basically, all the auditor is doing is the same exercise as you did yourself when you performed (and repeated) the gap assessment. It’s purely a matter of going through the requirements of the ISO/IEC 27001 standard and asking to be shown how you meet them.
The auditor will need to record the evidence they have been shown, including any relevant references such as document titles and versions. They may also want to see the relevant procedures in action which may mean reviewing the records you keep and possibly talking to the people who perform the procedures.
If the auditor finds something that doesn’t conform to the requirements of the standard, they will raise a “nonconformity”. Nonconformities are classified as major or minor and, as the names suggest, they differ in importance.
A major nonconformity may be raised if there is a significant deviation from the standard. This is often because a complete section has not been addressed, or because something important has been documented but there is no evidence that it has actually been done. Examples might be that no internal auditing has been carried out, no risk assessment has been completed, or no management reviews have been held.
A minor nonconformity is a lower-level issue that doesn’t affect the operation of the ISMS but means that one or more requirements have not been met. Examples could be that an improvement has not been evaluated properly, a control has not been implemented as planned, or a risk assessment doesn’t follow the documented process.
Some auditors take note of a third level of item often called an “observation”. These are not nonconformities and so don’t affect the result of the audit, but may be useful for improvement purposes.
Once the audit has been completed, the auditor will write up the report, often whilst still on site. They will then tell you the result of the audit and go through any nonconformities that have been raised. Certification to the standard is conditional upon any nonconformities being addressed and upon the higher-level body that regulates the auditors agreeing with their recommendations. This can take a while to process, so even if you have no nonconformities, your organization is not officially certified yet.
You will need to produce an action plan to address any nonconformities raised, and if this is accepted and they are closed off, you will then become certified and the certificate will be issued for a period of three years. During this time, there will be annual surveillance visits followed by a re-certification audit after three years.
For more guidance on implementing the ISO27001:2022 standard, we’ve put together a list of our best free resources including video guides, blogs and downloadable documents.