Editor’s Note: This post was originally published in August 2013 and has been updated for accuracy and comprehensiveness.
The other day one of our Lead Implementers was told a very interesting story by an ISO 27001 Lead Auditor who performs certification audits for a number of registrars (certification bodies). The auditor was performing a certification audit; the following story came out during a lunch conversation (details have been altered to protect the innocent):
“I was onsite conducting Stage 2 of the certification audit when I discovered that the client had not done a management review of their ISMS. When I let them know that I would be issuing a major nonconformity, they got very upset and called a well-known ISO 27001 consulting firm that had prepared them. When the consultant realized there was indeed a problem, he hung up and called the registrar I was conducting the certification audit for to plead his case. A few minutes later my cell phone rang and it was the President of the registrar I was working for asking me why I was going to issue a major nonconformity. When I explained that they had no evidence a management review of the ISMS had been conducted, the President simply said, ‘OK, thanks.’ and hung up. I was hopeful that would be the end of the situation. The client continued to insist that since the consultant hadn’t told them they needed to conduct a management review of the ISMS to comply with the standard, they shouldn’t be issued a major nonconformity. I found out later that the client had called the registrar and insisted they send a different auditor (not me) for the follow-up audit.”
It was interesting to us how much this auditor stressed the importance of the implementer’s role in this context. Despite most people’s contention that all auditors want to issue findings, he insisted that ISO 27001 auditors really don’t want to issue nonconformities: they increase the cost of certification for organizations, consume the registrar’s time, and strain the client-registrar relationship. A good implementer reduces the cost and burden associated with nonconformities by preventing them whenever possible and by simplifying the corrective action process when they do occur.
At Pivot Point Security, we try to prevent nonconformities by performing a gap assessment in Phase 1, an internal audit and pre-certification audit consultation in Phase 2, and annual internal audits in Phase 3 of our implementation roadmap. We simplify the corrective action process by recommending corrective actions, drafting corrective action plans that will be acceptable to registrars (many ISO 27001 Certified Lead Auditors manage our ISO 27001 consulting engagements), and acting as a liaison to reduce any unnecessary back-and-forth between client and registrar.
If you’re thinking about pursuing ISO 27001 certification, there are two potential lessons in the auditor’s story:
- In many ways, the resumes of the lead implementer and engagement manager assigned to your specific engagement matter more than the resume of the ISO 27001 consulting firm itself. Many consulting firms hire consultants as contractors rather than employees to reduce the cost of their ISO 27001 consulting. At Pivot Point Security, all of our consultants are full-time employees and ISO 27001 Certified Lead Implementers. This is why we have a 100% success rate on certification and surveillance audits, with very few nonconformities on our record.
- Having your ISO 27001 consultant onsite for the certification audit is usually a good idea if the certificate is business-critical. While no consultant could have resolved a nonconformity of the magnitude described above on the spot, it is often possible to minimize nonconformities or address minor nonconformities in near real time to help ensure that your certification effort succeeds.