While your choice of certification body should have no impact on whether you achieve certification, there are a couple of issues to consider when making the selection, which need not happen until you have made considerable progress toward readiness for certification. Of course, you will want to ensure there is a cultural fit between you and your certification services supplier, and that pricing and terms are acceptable.
There are two other key issues that do need to be taken into account when making this selection: the first is relevant to organizations that already have one or more externally certified management systems in place, while the second applies specifically to organizations tackling ISO 27001.
It is essential your ISMS is fully integrated into your organization; it will not work effectively if it is a separate management system that exists outside of, and parallel to, any other management systems. Logically, this means the framework, processes, and controls of the ISMS must integrate with, for instance, your ISO 9001 quality system to the greatest extent possible. Clearly, therefore, assessment of your management systems must also be integrated: you want one audit that deals with all aspects of your management system. Doing anything else is simply too disruptive to the organization, too costly, and too destructive to good business practice. You should ensure whoever you choose for your ISMS audit can, and does, offer an integrated assessment service.
The second issue you should take into account when selecting your supplier of certification services is their approach to certification itself. An ISMS is fundamentally designed to reflect the organization’s assessment of risks in and around information security. In other words, each ISMS will be different. It is important, therefore, that each external assessment of an ISMS takes that difference into account so the client gets an assessment that adds value to its business, rather than one that is merely a mechanical comparison of the ISMS against the requirements of ISO 27001.
Once you choose your certification body and are ready for a certification audit, there are six secrets to certification success. None of these secrets will get you through an audit you are fundamentally not ready for, nor will they enable an inadequate ISMS to achieve certification. However, they do ensure all the good aspects of your ISMS are noted and the auditors are left with a favorable overall impression.
The outcome of the initial audit should, if the organization has diligently followed all the recommendations contained in this book, be certification of the ISMS to ISO 27001 and the issuing of a certificate setting this out. The certificate should be appropriately displayed and the organization should start preparing for its first surveillance visit, which will take place about six to nine months later. Any minor nonconformances should be capable of being closed out by email, and any recommendation for certification will be dependent on this happening within an agreed timescale.
The certificate will refer to the latest version of the SoA and the auditors will check for updates on their subsequent visits. Therefore, when supplying a copy of the certificate to clients, stakeholders, or other parties, the organization should be prepared to provide a copy of the most recent SoA. While the SoA is a living document, updated as and when necessary, the organization should endeavor to keep such updates and alterations to a minimum.