What level of evidence is required for the first ISO 27001 audit?

The IT Governance experts are asked many questions about ISO 27001, but the one above is among the most common. We're almost certain that this isn't just a popular question amongst our clients, but one shared by anyone with an interest in ISO 27001. To ensure that no question goes unanswered, one of IT Governance's ISO 27001 experts has written the response below.

The initial audit for accredited certification takes place in two stages:

Stage 1

The first stage is to confirm that the ISMS is in place, has been developed in accordance with the Standard and warrants a more detailed Stage 2 audit. For this Stage 1 audit, some evidence that all key aspects of the management system are in place is desirable. The amount of evidence required depends on the Certification Body (CB) being engaged; for example, under the scheme it is up to the CB to determine to what extent the internal audit programme has to have been completed. Some want to see that the internal audit programme is in place and that at least some internal audits have been conducted, with corrective action taken where identified as necessary; others require a full cycle of audits to have been completed (if the 'cycle' is one internal audit every x months, then programme it for early in the 6 month period and get it completed: job done!).

Stage 2

At the Stage 2 audit the CB looks for evidence that the ISMS complies with the Standard (evidence that all aspects of the management system requirements are being addressed) and that it is effective. The latter requires that measures of the effectiveness of the ISMS have been collated.

In short, there is no fixed minimum period for having run an ISMS before a successful audit. Of the many, many clients we have supported through to certification, some (small organisations with relatively straightforward information security issues) have been successful with as little as two to three months of operating a formal ISMS in accordance with the Standard, largely because they already had the majority of the security controls they required in place before the project commenced.

Pre-Certification Audit Dress Rehearsal

If you are really concerned, and the need for certification is such that you must be confident of achieving it on the first pass, it is worth considering a Pre-Certification Audit Dress Rehearsal. This serves two purposes: ensuring the ISMS is ready for the full external audit, and helping prepare the personnel who are likely to be questioned.

IT Governance can provide an experienced auditor to undertake such a dress rehearsal. The resulting report will be written in such a manner that it could be used as evidence of an internal ISMS audit, or alternatively as evidence of an independent review of information security (ISO27001:2005 control reference Annex A.6.1.8). We could also advise the individuals involved on the issues to consider when formulating a response to a question from a CB auditor.

Don't hesitate to email us or telephone + 44 845 070 1750 if you have further questions regarding your ISO 27001 project.
