ISO/IEC 27001 Certification Process

Our ISO 27001 Certification Proven Process, Step-by-Step

The ISO 27001 Certification Process can be intimidating. Our expertise is in getting you fully prepared for your ISO 27001 certification, but the process doesn’t end there: we can also provide support throughout the remaining steps required to become (and stay) ISO 27001 certified.


The ISO 27001 certification process can seem intimidating—but it doesn’t have to be.

Pivot Point Security’s proven ISO 27001 process has helped many organizations like yours achieve and maintain certification. With us as your implementation partner, success is a guaranteed reality.

What will your ISO 27001 certification process require? Here is an easy-to-read roadmap:

Determine your scope

What information do you need to protect? What processes act on that information? Answering these questions will help you understand and document the people, systems and other assets that influence your information-related risk. Interviewing “the right people” is usually the easiest way to gather the input you need.

Understand your current controls

The first step in going anywhere is to figure out where you are. What information security controls do you have in place today? To what extent are they operational? This step is just about documenting what’s currently being done; the “critiquing” step happens later. The easiest way to gather this input is to review policies, procedures, audit findings, penetration test results, etc., along with interviewing IT and information security staff.

Analyze your risk

What are the risks posed to your information assets? Which risks are managed to an acceptable level, and which are not? These questions drive your risk assessment, where you identify and analyze risk, including which risks need to be addressed by improvements to your information security program.

Build a Risk Treatment Plan

Once you know which risks you need to address, you create a Risk Treatment Plan to mitigate them to acceptable levels by improving your security controls. This plan gives you the near-term, tactical guidance you need to start managing risk more effectively.

Execute your plan

A good Risk Treatment Plan prioritizes risk treatments based on risk level, effort level and the logical relationships between different treatments. Once you have executed and operationalized your plan, you’re ready to verify the effectiveness of your controls.

Conduct an internal audit

Your internal audit will help identify what is working well, and document what isn’t.

The process for obtaining certification can be complex. Here is more information on how your ISO 27001 project can come to fruition:

Steps for Getting Certified (with PPS support, if required)

Preparation for ISO 27001 Certification
Registrar Selection
  • An ISO registrar will conduct the required information security audits and issue your ISO 27001 certification. Selecting the right registrar can reduce your costs and/or increase the likelihood of certification success. PPS works with you to select the best registrars, fills out the required questionnaires, and assists in the registrar selection process.
Preliminary Screening
  • Most registrars will perform a quick review of the documented ISMS to determine whether it meets the requirements of the standard, prior to scheduling the formal certification audit. This is done to ensure that neither your nor their time/money is wasted on a formal audit if the ISMS is not ready. Pivot Point Security’s proven ISO/IEC 27001 consulting process generates the necessary artifacts to ensure your readiness for the certification audit.
Stage 1 ISO 27001 Certification Audit
  • During Stage 1 of the certification audit (also commonly referred to as the tabletop audit) an extensive review of the ISMS documentation is conducted. This process generally extends over 2–3 days, with the outcome being a report on preliminary “failures” (referred to as either major or minor non-conformities). If the ISMS documentation fails to meet the required standard, the registrar will require corrective action (or corrective action plans) before proceeding to Stage 2. PPS often provides on-site Stage 1 Certification Audit Support. That is, we are at the table, as a member of your team, working with you and on your behalf. The advantage of this approach is that having an ISMS expert there to explain subtleties of your ISMS reduces the likelihood that an auditor will issue a non-conformity. If the registrar is considering issuing a non-conformity, it is often possible to update the ISMS documentation during the Stage 1 audit to prevent it.
Stage 2 ISO 27001 Certification Audit
  • During Stage 2 of the certification audit (commonly referred to as the compliance audit) the registrar will examine evidence that the ISMS is operating effectively, consistently, and in compliance with the organization’s documented ISMS (which was already validated to meet the requirements of ISO 27001 during Stage 1). PPS often provides on-site Stage 2 Certification Support. We are present at the different sites/locations that the auditor samples, as a member of your team, working with you and on your behalf. Having an ISMS expert on hand to explain the evidence (or “appropriate” lack thereof) reduces the likelihood that an auditor will issue a non-conformity.