CHAPTER 9: CERTIFICATION

While your selection of certification body should have no impact on your success in achieving certification, there are a couple of issues you should consider in making your selection – which isn’t necessary until you have already made considerable progress toward readiness for certification. You will, of course, want to ensure that there is a cultural fit between yourself and your supplier of certification services, and that pricing and so on is acceptable.

There are two other key issues that do need to be taken into account when making this selection: the first is relevant to organisations that already have one or more externally certified management systems in place, the second applies specifically to organisations tackling ISO 27001.

It is essential that your ISMS is fully integrated into your organisation; it will not work effectively if it is a separate management system that exists outside of, and parallel to, any other management systems. Logically, this means that the framework, processes and controls of the ISMS must be integrated with, for instance, your ISO 9001 quality system to the greatest extent possible. Clearly, therefore, assessment of your management systems must also be integrated: you want one audit that deals with all the aspects of your management system. Doing anything else is simply too disruptive to the organisation, too costly and too destructive to good business practice. You should ensure that whoever you choose for your ISMS audit can, and does, offer an integrated assessment service.

The second issue that you should take into account when selecting your supplier of certification services is their approach to certification itself. An ISMS is fundamentally designed to reflect the organisation’s assessment of risks in and around information security. In other words, each ISMS will be different. It is important, therefore, that each external assessment of an ISMS takes that difference into account so that the client gets an assessment that adds value to its business, rather than one that is merely a mechanical comparison of the ISMS against the requirements of ISO 27001.

Once you have chosen your certification body and you are ready for a certification audit, there are six secrets to certification success. None of these secrets will get you through an audit that you are fundamentally not ready for, nor will they enable an inadequate ISMS to achieve certification. However, they do ensure that all the good aspects of your ISMS are noted and that the auditors are left with a favourable overall impression.

1.  Impress the auditors as early as possible by ensuring that your documentation is complete, comprehensive and all available for inspection at the initial visit – the one that comes before the actual certification audit. This first visit is expressly to determine if your ISMS is ready for external audit.

2.  Ensure that all your internal audit and testing records are immediately available for the certification auditors when they plan and commence their work; they should use these records to focus their attention on key areas of the ISMS, so ensure that you have adequately tested them. No external auditor wants to sign off on a system that is breached a week later, and the thoroughness of your own work will give the auditor confidence.

3.  Teach staff throughout the organisation to be completely open and honest with the auditors, especially about things they feel may not be up to standard. This serves two purposes: it flushes out weaknesses that you can tighten up on, and it demonstrates to the auditors that you have an open organisation that identifies and deals with information security issues. By contrast, an attempt to suggest that everything is perfect throughout the organisation will provoke incredulity amongst the auditors; they have learned, through long experience, that no system is without flaws and that every attempt to pretend to perfection hides a myriad of previously undetected imperfections. Do not encourage them to start hunting these imperfections down.

4.  Teach staff who are likely to be interviewed by auditors to show how the system that is being examined actually works, and to restrict what they say to answering the specific questions asked without explaining anything off-topic. This will demonstrate to the auditor that your people are tightly focused, and will also avoid the danger of someone talking so much that they lead the auditor to examine an aspect of your ISMS that doesn’t need external examination.

5.  Critically, ensure that management are fully involved in the certification audit. If necessary, rehearse with senior management the type of questions that they will be asked and the types of answers that they will be expected to give. While senior management should be perfectly capable of handling the audit (as they will have been involved in and fully committed to the ISMS project from the outset) they may not be fully aware of how best to demonstrate this commitment to an external auditor. Done well, senior management’s performance on the day can make a substantial contribution to certification success.

6.  Be prepared to argue. You should do this only in a constructive and calm fashion, but if there are issues on which you feel that an auditor has misunderstood your ISMS or some aspect of it, or has misinterpreted the Standard, and is, as a result, thinking about recording a non-conformity (either major or minor), you should set out, calmly and firmly, why you believe that you are in the right. Auditors will respond negatively to any attempt to browbeat or belittle them; they will (usually) respond positively to any constructive attempt to help them achieve a better outcome. And the greater their conviction that you’re committed to the long-term effectiveness of your ISMS, the more prepared they will be to give you the benefit of the doubt on any marginal decisions.

The outcome of the initial audit should, if the organisation has diligently followed all the recommendations contained in this book, be certification of the ISMS to ISO 27001 and the issuing of a certificate setting this out. The certificate should be appropriately displayed and the organisation should start preparing for its first surveillance visit, which will take place about six to nine months later. Any minor non-conformances should be capable of being closed out by email, and any recommendation for certification will be dependent on this happening within an agreed timescale.

The certificate will refer to the latest version of the SoA and the auditors will check for updates on their subsequent visits. Therefore, when supplying a copy of the certificate to clients, stakeholders or other parties, the organisation should be prepared to provide a copy of the most recent SoA. While the SoA is a living document, updated as and when necessary, the organisation should endeavour to keep such updates and alterations to a minimum.
