This short post is the seventh in a series that explains in straightforward terms the process we follow to build an ISO 27001 certifiable Information Security Management System (ISMS). You can access our entire proven process here.
We hope you find these bite-sized posts useful for understanding how ISO 27001 certification is achieved, and what it could look like for your organization. You may want to read them in order, starting with Step 1. Enjoy!
To achieve your initial ISO 27001 certification, the operation of your ISMS is formally evaluated and certified by an ISO 27001 Registrar in an independent “Certification Audit.”
Stage 1 of the audit is different from what you might expect, in that it focuses exclusively on the design and operation of ISMS clauses 4 through 10 in the ISO 27001 standard. For that reason, making sure you are optimally prepared and/or supported by an experienced ISO 27001 implementer can go a long way towards a successful Stage 1 outcome.
After successful completion of Stage 1, the auditor will return several weeks later to conduct Stage 2 of your certification audit. This stage concentrates on the design and operation of controls as outlined in ISO 27001’s Annex A. Understanding the external audit program, its relationship to your risk assessment, and the auditor’s background are all keys to a smooth Stage 2 audit and subsequent certification of your ISMS.
Have questions about ISO 27001 certification or the best way to achieve your information security goals? Contact Pivot Point Security—we specialize in advising organizations on how to manage information security risk.