The certification audit takes place once the organisation is satisfied that it has implemented the requirements of ISO 27001 as intended. Here are a few tips to help you succeed on the day.
1. The certification audit can be daunting – be prepared!
Whether or not the company is prepared for certification is usually determined through an internal audit, conducted either by an appointed staff member who is also a qualified ISO 27001 internal auditor, or by seeking the assistance of an experienced internal auditor from an ISO 27001 consultancy.
ISO 27001 expert Steve Watkins explains “ISO27001 is very specific in its requirements and, to compound matters, its language is generic, so it can be hard for the uninitiated to understand precisely how it applies to them”.
That’s why companies often prefer using an independent third party to conduct the internal audit to ensure impartiality, like one of our clients, Carve Consulting LLP, recently did:
“Our consultant gave me good idea of what the certification audit would be like and helped us to be triple prepared”, says Kate Halls from Carve.
The auditor will complete documentation assessing the risks, noting the implemented and absent controls, identifying nonconformities and recommending remediation you need to implement before the certification audit.
2. Be very selective about who you choose to partner with
If you are fortunate to have selected a good internal auditor, you will benefit from their insights and be well prepared for the certification audit.
“Our auditor was very thorough, if not more thorough than the formal audit. The feedback was very helpful and detailed”, says David Perrin, Managing Director of Ascensus.
If you have opted for the consultancy route to help you implement ISO 27001, it is important to ensure that your provider will be on-hand during the certification audit in case you need any help. Your consultant should have prepped you well enough for this not to be necessary, though!
“Although IT Governance was on hand to assist with the certification audit, we were well prepared and didn’t need any further assistance”, says Gregory Tai-Apin, IT manager for BNETS.
3. Select an accredited certification body
It is crucial to use a certification body that is independent of the consultancy provided and accredited with the recognised accreditation bodies. UKAS is the only recognised accreditation body in the UK that can accredit certification bodies, and does so as appointed by the Department of Business, Innovation and Skills (BIS).
There is a risk that you may believe you are certified (by a non-UKAS-accredited body) only to find your certificate is not recognised. The UKAS website lists certification bodies accredited to ISO 27001.
During the certification audit, the auditor will conduct a thorough assessment to establish whether the organisation’s ISMS is compliant with the ISO 27001 standard and seek evidence that the organisation is following the documentation (policies, procedures, etc.) in practice.
The auditor (or auditors) will review their audit checklists and provide feedback regarding any nonconformities.
Upon passing the audit, the auditor will issue a certificate stating that the business has met the ISO 27001 requirements and recommend the company for ISO 27001 certification.
4. Use proven tools that can easily be understood by the auditors
Many tools are available that claim to help, but not all tools live up to their expectations.
Using a tool that can quickly and accurately deliver a Statement of Applicability and risk treatment plan is invaluable. It’s also useful if the tool can ensure all of your relevant documentation is found in one place.
5. Don’t settle for anything less than the best
When it comes to preparing for ISO 27001 certification, use the right people with the best skills, experience and track record.
Contact IT Governance today for an initial discussion about your ISO 27001 requirements.