What is ISO 27001 Certification
ISO/IEC 27001 is a leading international standard for information security management. Organizations worldwide implement and maintain an ISO 27001 Information Security Management System (ISMS) to protect critical information resources. The standard describes a risk management process covering people, processes and information technology systems, and thus provides a comprehensive approach to information security.
Procedure for ISO 27001 Certification
An organization willing to get ISO 27001 certified shall establish, implement and maintain the management system as defined in the ISO 27001 standard. The certification process starts with filling out an application to the certification body with basic details of the company, including the physical address, the scope of the management system to be certified, the number of employees, the processes involved, and the servers and other IT hardware and software used. After calculating the costs and other risks, the certification body comes up with an agreement stating the quoted amount and the terms and conditions to be followed for the certification.
3-Year Certification Cycle
An ISO certification is usually validated by an audit cycle of 3 years. The first time a company approaches the certification body for certification, the certification cycle begins with the Stage 1 audit, which verifies gaps in the implementation of the ISO standard. A formal report is given to the organization, in response to which the organization being certified prepares an effective action plan and closes the necessary gaps. After the closure of the Stage 1 observations by the auditor, the organization calls for the Stage 2 audit. The Stage 2 audit verifies the effectiveness of the implementation, which may include physical verification of records and infrastructure. The audits in the two years following the certification audit are considered surveillance audits.
Certification Vs Surveillance Audit
A certification audit is carried out initially, when an organization applies for the ISO certificate.
The purpose of the certification audit is to:
•Appraise performance (monitoring, measurement, reporting and review)
•Assess your legal compliance, prompt process monitoring, internal audit, management review and policy
•Assess the relationship between regulatory requirements, policies, goals and objectives of performance, responsibilities, competencies of employees, operations, procedures and performance data.
•Identify all areas for potential management system improvement
A surveillance audit is the audit performed in the next 2 consecutive years of a certification / recertification cycle.
The purpose of the surveillance audit is to:
•Make sure your management system continues to meet the requirements between audits
•Applications require internal audit and management review
•Consider inconsistent actions identified in the previous audit
•Validate application of complaints
•Evaluate the ongoing effectiveness of the management system in achieving its goals
•Rate and evaluate your legal performance
•Evaluate the progress of the planned activities that are constantly being improved
•Guarantee continuous operational monitoring
•Review any changes in your organization from a previous audit
•Make sure the accreditation marks are used correctly
•Identify all areas for potential management system improvement
Validity of your ISO 27001 Certificate
Your certificate is valid only for three years, subject to an audit every year or as per the audit plan in the agreement. The validity of the certificate is clearly printed on your certificate, with the date of certification, the date of validity and the period of validity. The validity of the certificate depends on adherence to the following conditions:
•Make sure your management system continues to meet the requirements between audits
•Applications require internal audit and management review
•Consider inconsistent actions identified in previous audits
•Evaluate the ongoing effectiveness of the management system to achieve its goals
•Guarantee continuous operational monitoring
•Identify all areas for potential management system improvement
An unscheduled audit can also be conducted as per the terms and conditions described in your agreement.
Re-Certification
A recertification audit is performed in an organization when the 3-year cycle of the certificate expires. The purpose of the recertification audit is to ensure that the company is capable of effectively managing the system. The auditor verifies the 3-year improvements and the Stage 2 requirements of the audit as per the accreditation body. If there have been any major changes, such as a change of location, the certification body carries out a Stage 1 audit again.
Transfer Certification
Transfer certification is the term used for transferring your certification to another certification body. When an organization finds that a certification does not live up to expectations, it can and should change the existing certification body. The new certification body accepts the state of certification within the same accreditation when it is equal to or less than 6 months.
Retaining ISO 27001 Certification
Obtaining ISO 27001 certification, which is an important step for any business, is only the first step in the process of continuous improvement, which is part of the philosophy of ISO.
You will be amazed at how much you learn from the certification process; however, after certification, you should continue to use and maintain the management system.
There are a number of requirements that companies must meet to improve their systems and businesses, as well as provide the certification perspective.
This includes management review meetings, ongoing monitoring of customer improvement and satisfaction, as well as regular internal audits. Performing a regular internal audit is time-consuming: it not only requires knowledge of and training in the ISO standard, but also requires that the person performing the audit not be involved in the work they are investigating.