Most Certification Bodies work in a similar manner, but there are usually slight differences in their processes. A generic process for BS 7799 or ISO 27001 certification is described below.
The steps are generic and may vary from Certification Body to Certification Body. The aim is to give an overview of the process rather than the specifics of any particular Certification Body.
Once an organisation decides to seek certification to ISO 27001, it will contact a number of Certification Bodies that offer certification to the standard. Typically, it will receive an information pack containing details of the certification process and an application form. Once the application form is completed and returned, it will be reviewed to ensure that the organisation's requested scope falls within the scope of the Certification Body's accreditation. Assuming that it does, the Certification Body will submit a competitive quotation to the organisation.
A number of Certification Bodies can (and should) be approached. Once the organisation has decided which Certification Body it will use, it submits an application for registration with that body.
Assuming that the quotation is accepted, the Certification Body will typically make an initial visit to the organisation and carry out a preliminary review of the documented ISMS to determine whether it is ready for assessment. If the documentation falls short of the requirements of the standard, the Certification Body will advise the organisation of any shortfall at this stage, and these shortfalls must be addressed before the formal assessment process can start.
Once any outstanding matters have been addressed successfully, a date for the start of the assessment process will be arranged with the organisation. The first stage of the assessment is the 'document review' (commonly called the Stage 1 audit). This evaluates the documented ISMS against the requirements of ISO 27001 and reports any failures found at that stage. This 'hurdle' has to be cleared before proceeding to the certification assessment: if the documentation fails to meet the required standard, the Certification Body will advise the organisation, which must take the required corrective action before it can proceed.
The conformance assessment (commonly called the Stage 2 audit) examines evidence that the ISMS operates in accordance with the organisation's documented ISMS (which itself meets the requirements of ISO 27001) and that it has been consistently implemented. The assessment also checks whether the selected controls are justified by, and adequately treat, the findings of the risk assessment that was carried out.
If the results of the conformance assessment indicate that the requirements of ISO 27001 have not been met, the organisation will be required to agree to undertake corrective action for each non-conformity identified. When the organisation has successfully addressed the non-conformities, a further conformance audit will be carried out. If the outcome of that further audit is successful, the Audit Team will make a recommendation for certification to the Certification Body.
When the ISO 27001 certificate has been granted, a process of periodic monitoring of the ISMS, known as Surveillance Audits, begins. This process is designed to ensure that the organisation's ISMS continues to conform to the requirements of ISO 27001. These 'Surveillance Assessments' occur on a regular basis (typically every six or twelve months). They are 'mini assessments' covering any recent issues raised, the mandatory controls and a selection of the other controls. Three years after the certificate is granted a 'Triennial Assessment' (or recertification audit) is carried out. This is a full assessment of the whole ISMS and its related controls, after which the cycle of Surveillance Assessments starts all over again.
The Security Practitioner
An Introduction to Information Security