The other day one of our Lead Implementers was told a very interesting story by an ISO 27001 Lead Auditor who performs certification audits for a number of registrars. The auditor was performing a certification audit for one of our clients, and we were on-site supporting the client during the audit. During lunch he told the following story (details blurred to protect the innocent):
“I was onsite conducting Stage 2 of the certification audit when I discovered that the client had not done a management review of their ISMS. When I let them know that I would be issuing a major non-conformity, they got very upset and argumentative and conference-called a Well Known ISO 27001 Consulting Firm (WK27001CF) that had prepared them. When the consultant realized there was indeed a problem, he hung up and called the REGISTRAR I was conducting the certification audit for to plead his case. A few minutes later my cell phone rang and it was the President of REGISTRAR asking me why I was going to issue a major non-conformity. When I explained that they had no evidence that a Management Review of the ISMS had been conducted, the President simply said, ‘OK, thanks,’ and hung up. I was hopeful that would be the end of the situation. The client continued to insist that since the WK27001CF had not told them they needed to conduct a management review of the ISMS to be compliant with the standard, they shouldn’t be issued a major non-conformity. I found out after I left that the client had called the REGISTRAR and insisted they send a different auditor for the follow-up audit.”
It was interesting to us how much the lead auditor stressed the importance of the implementer’s role in this context. Despite most people’s contention that all auditors want to issue findings, he insisted that ISO 27001 auditors really don’t want to issue non-conformities, because non-conformities increase the cost of certification for the organization, consume the registrar’s time and strain the client-registrar relationship. This auditor believes that a good implementer reduces the cost and burden of non-conformities by preventing them whenever possible and by simplifying the corrective action process when they do occur.
At Pivot Point Security, we try to prevent non-conformities by performing a gap assessment in Phase 1, an internal audit and pre-certification audit consultation in Phase 2, and annual internal audits in Phase 3 of our implementation roadmap. We simplify the corrective action process by recommending corrective actions, drafting corrective action plans that will be acceptable to registrars (we have a Certified Lead Auditor who manages our ISO 27001 consulting engagements) and acting as a liaison to reduce any unnecessary back-and-forth between client and registrar.
If you’re thinking about pursuing ISO 27001 certification, there are two potential lessons in the auditor’s story:
- More important in many ways than the resume of an ISO 27001 consulting firm is the resume of the lead implementer and engagement manager for your specific engagement. Many consulting firms hire consultants as contractors rather than employees to reduce their costs for ISO 27001 consulting. All of our consultants are full-time employees and ISO 27001 Certified Lead Implementers. This is why we have a 100% success rate on certification and surveillance audits with very few non-conformities on our record.
- Having your ISO 27001 consultant onsite for the certification audit is usually a good idea if the certificate is business-critical. While no consultant could have resolved a non-conformity of the magnitude described above on the spot, it is often possible to head off findings before they are written up, or to address minor non-conformities in near real time, so that the certification effort succeeds.