ISO 27001 Certification has many benefits, and time with external auditors can be well spent testing the effectiveness of your Information Security Management System.
However, the prospect of increasing the length of an external audit is not likely to be met with joy, particularly where staff are operating the ISMS alongside other duties.
Unfortunately, from 31st October 2017 your Certification Body may have to increase the number of days they spend auditing you. Here’s why:
Changes to ISO 27006
ISO 27001 is part of a family of standards addressing various information security issues.
One of these standards, ISO 27006 (Requirements for bodies providing audit and certification of Information Security Management Systems), was revised in 2015, with a major change taking effect this year.
Annex B, which defines the number of days needed, is now normative rather than informative, which means Certification Bodies under UKAS will be obliged to enforce the number of audit days referenced in the standard.
Normative rather than Informative
Most Certification Bodies will reassess your 3 year audit plan at the next re-certification; however, new certificates issued after 31st October 2017 will have to align to the prescribed number of days immediately.
How Much Longer Will the Audit be?
Companies with between 11 and 25 staff could be most affected, as this category has now been split into two.
Apart from that, the number of days remains the same, with the main difference being that the annex is now mandatory for Certification Bodies to follow.
This means that there is less flexibility for Certification Bodies to reduce their audit days based on levels of risk, legal compliance and other factors, and the full quoted numbers must be applied.
What can you do?
- Talk to Your Certification Body
Contact your Certification Body to find out how many days will be added to your audit programme.
They may have already quoted the mandatory number, in which case there will be no increase.
Otherwise they can tell you the increase, additional costs and how they will add it to your existing programme.
- Review Your Scope
If you are concerned about the cost and inconvenience of additional audit days, you may wish to review the scope of your Certification.
Remember, you can apply the ISMS to your entire organisation but have only selected locations and processes certified. This could reduce the number of staff in scope and therefore reduce the number of audit days.
The scope statement is often crafted to meet customers’ expectations, so think carefully before removing any locations or processes that could cause contractual issues. Speak to other stakeholders in the business first.
- Consider Changing Certification Body
While the number of days will be the same, Certification Bodies have different day rates, so you might find that this offsets some of the increased costs.
Additionally, the management, application, admin, travel and other fees also vary, so you should take this into consideration.
- Manage your Information Security
Regardless of the issues surrounding Certification, information security is a hot topic that should be taken seriously. Our Consultants are experienced in helping companies of all sizes manage their information security risk and guiding them through Certification.