This short blog post is the eighth and final post in a series that explains in straightforward terms the process we follow to build an ISO 27001 certifiable Information Security Management System (ISMS). You can access our entire proven process here.
We hope you found reading these posts to be worthwhile. Many thanks for your interest!
It’s possible to get an imperfect ISMS certified, but it’s impossible to keep it certified.
Your initial ISO 27001 certificate is valid for a period of three years. It’s understood that this initial audit will be somewhat limited because your ISMS has probably not been operational for long at that point.
To retain your ISO 27001 certification, you’ll need to undergo a recertification audit in three years’ time. You’ll also experience at least two (or possibly four) “surveillance visits” during that period, where the independent auditor checks how things are going, reviews progress towards closing any nonconformities and validates that your ISMS remains operational on an everyday level.
Of course, the point of maintaining and improving your ISMS is to make your company more secure and more desirable to do business with—not because you need to pass an audit. A well operationalized ISMS will make it much easier to adjust to ongoing changes in your business environment, like new threats, new technology, new regulations and new client expectations.
Have questions about ISO 27001 certification or the best way to achieve your information security goals? Contact Pivot Point Security—we specialize in advising organizations on how to manage information security risk.