The number of organisations achieving certification to ISO 27001, the international standard for information security management, has increased dramatically over recent years.
But what does it mean, why would you want it and how do you get it?
This blog aims to answer those questions.
What does ISO 27001 Certification Mean?
The requirements of ISO 27001 have been covered in more detail in other blogs from this series. See What are the requirements of ISO 27001?
Many organisations adopt ISO 27001 specifically for the accolade that certification brings, but it’s important to understand what ISO certification actually means.
ISO 27001 is a risk-based management system standard: it requires you to have a framework in place for identifying and managing information security risks, and to apply appropriate controls in response to them.
ISO certification is a process of validating that the management system you have implemented is effective. A certificate is therefore awarded to the organisation and its management system, not to a specific product or service; although, depending on your chosen certification scope, the processes for the design, build, operation and support of your product or service will be covered.
However, ISO certification involves auditing, which is a sampling process. The outcome of the certification audit is based only on a sample of evidence, so there may be underlying issues in the system, good or bad, that the auditor does not see. A thorough ISO 27001 internal audit programme is therefore also required if you want a fuller level of assurance than the certification audit alone can give.
Why are my customers asking me for ISO 27001 Certification?
Many tenders use ISO 27001 certification as a way of filtering the respondents at early stages of the process.
The recognised structure of ISO 27001 is also appealing for customers who want to be familiar with your information security approach and better able to work with you to manage information security risks.
Although some customers will be reassured by your impartially audited, UKAS accredited ISO 27001 certificate, others may have specific requirements which mean they will still request their own meetings or audits with you.
Either way, ISO Certification gives you a good basis for responding to customer questions quickly and confidently.
Is ISO 27001 Certification mandatory?
There is no legal requirement to become ISO 27001 certified, nor does the standard itself mandate certification (you can implement all the requirements of ISO 27001 without having it certified).
However, you may be contractually required to maintain a certified system by your customer.
How does my organisation become ISO 27001 Certified?
1. Implement your ISMS
Before starting the certification process it's important to implement the requirements of ISO 27001 in your ISMS and embed it across your organisation.
2. Check your ISMS
Once implemented, you should check your ISMS meets the requirements of the standard. You can do this by training internal auditors or by inviting an external ISO Consultancy like Assent to conduct a full internal audit. This gives you a good opportunity to find any weaknesses in the system and get a feel for what the certification audit process will be like.
3. Choose a certification body
There are many organisations that offer ISO certification; we recommend choosing only UKAS accredited bodies (UKAS is the UK's national accreditation body; outside the UK, look for accreditation by the equivalent national body).
Here's more information on why: Why choose a UKAS Certification Body?
There are many factors involved in choosing the right certification body for you, including their industry expertise, brand, global presence and of course price. Here's our guide on choosing an ISO certification body.
4. Stage 1
Once you have selected a certification body and completed the quotation process, you can book your certification audits. These are done in two stages.
Stage 1 is a document check audit and is not considered pass or fail; however, its findings may affect the timing of your stage 2 audit.
5. Stage 2
The stage 2 audit is where sampling and evidencing take place. It's important to prepare the relevant parties across your organisation for this audit, as all areas in scope will be covered.
If the certification auditors identify a problem this may be raised as a non-conformance. These are categorised as either minor or major.
Usually minor non-conformances require an action plan to be submitted before certification can be confirmed.
However, major non-conformances will often delay your ISO 27001 certification until the certification body has verified that they have been resolved. Often this means additional audit time on site.
Non-conformances can be avoided by conducting robust internal audits beforehand.
It is only after a successful stage 2 audit that an organisation may quote itself as ISO 27001 certified and display the certification mark provided by the body.
What happens after ISO 27001 Certification?
Achieving ISO 27001 is just the start of the journey. UKAS accredited certificates last for three years, during which time a series of planned surveillance audits take place to ensure the ISMS continues to improve and remains effective; at the end of the three years a recertification audit is required to renew the certificate.
The risk-based approach gives you a consistent way to manage and measure your security activities between audits.
ISO 27001 certification can be confusing and time consuming. Our consultants at Assent have helped many organisations achieve and maintain certification. Contact us to find out how we can help.
Want more on Cyber Security? See our Cyber Security Portal.