Organisations certify to ISO 27001 after they have implemented an information security management system (ISMS) that aligns with the Standard’s requirements. Certifying to ISO 27001 not only demonstrates that you are following information security best practices but also increases your reputation among stakeholders and potential clients.
ISO 27001 certification can be a complicated topic, so here are three things you should bear in mind.
Choosing your certification body
When choosing a certification body, you should look for one with the correct accreditations.
Accreditations verify the quality of the body’s service and make the certificate more likely to be accepted internationally and by clients. Any certification body that claims to be accredited should be able to show you a current copy of its certificate of conformance to ISO/IEC 17021-1:2015. The certificate needs to be from a recognised national accreditation body that’s a member of the International Accreditation Forum (IAF). You can find a full list of recognised accreditation bodies on the IAF website.
What does the certification body do?
In the first stage of the audit, the certification body reviews your organisation’s documentation, including the scope of the ISMS, policies, procedures, and risk assessment and treatment documents. It also checks your Statement of Applicability to confirm that you have implemented appropriate controls and justified the inclusion and exclusion of controls from Annex A (or the inclusion of controls from other sources).
The second stage is a site audit to assess whether your procedures are followed in practice and whether the ISMS is operating effectively. If the certification body is satisfied that the implementation has been successful, it will issue the certificate.
How long will it take?
The length of the certification audit depends on the size and type of your organisation and on the scope of the ISMS, but it usually takes days rather than weeks.
How to prepare for certification
IT Governance offers a wide range of products and services to help you certify to ISO 27001. Our books, toolkits and training courses will help you understand and implement the Standard, but for comprehensive coverage, you should take a look at our ISO 27001 solutions.
These solutions consist of four packages, each containing copies of the Standard and compliance guides. Our more advanced solutions also include a policies and procedures toolkit, risk assessment software, training courses and online consultancy advice.