ISO 27001 CERTIFICATION EXPLAINED

Contrary to common belief, certification is applicable against ISO 27001, rather than ISO 27002 (ex 17799). The certification itelf is international, in that National Accreditation Bodies have a mutual recognition model in place enabling certifications granted in one territory to be recognized in another. Clearly, this is essential for an international standard.

Common reasons to seek certification include: Organisational assurance; trading partner assurance; Competitive advantage (market leverage); reduction or elimination of trade barriers; reduced regulation costs; and so on.

To meet the certification requirements, an organization's ISMS must be audited by a 'Certification Body' (or strictly speaking, an assessor who works for a Certification Body). There is a clear segregation of dutues here: the assessor must be independent of consultancy and training.

A Certification Body must have been accredited by the National Accreditation Body for the territory in question (eg: UKAS in the UK). This helps ensure that the Certification Bodies meet national and international standards for their services, and ensure consistency. In respect to ISO 27001, this is typically a document called EA-7/03 (‘Guidelines for Accreditation of Bodies Operating Certification / Registration of Information Security Management Systems’).

The following diagram may clarify this process:



Different certification bodies tend to adopt slightly different approaches to the exercise, with some being more 'hands on' than others. However, the following six step process is a fairly common one:

1 - Questionnaire (the Certification Body obtains details of your requirements)
2 - Application for Assessment (you complete the application form)
3 - Pre-assessment Visit or a ‘Gap Analysis’ (optional).
4 – The Stage 1 Audit (a ‘Document Review’). This is the first part of the audit proper.
5 - The Stage 2 Audit (otherwise called the ‘Compliance Audit’)
6 – Ongoing Audits