CHAPTER 9: CERTIFICATION

While your choice of certification body should have no bearing on whether you achieve certification, there are a couple of issues to consider in making that choice. The choice itself need not be made until you have made considerable progress toward readiness for certification. Of course, you will want to ensure there is a cultural fit between you and your certification services supplier, and that pricing and terms are acceptable.

There are two other key issues that do need to be taken into account when making this selection: the first is relevant to organizations that already have one or more externally certified management systems in place, while the second applies specifically to organizations tackling ISO 27001.

It is essential your ISMS is fully integrated into your organization; it will not work effectively if it is a separate management system that exists outside of, and parallel to, any other management systems. Logically, this means the framework, processes, and controls of the ISMS must integrate with, for instance, your ISO 9001 quality system to the greatest extent possible. Clearly, therefore, assessment of your management systems must also be integrated: you want one audit that deals with all aspects of your management system. Doing anything else is simply too disruptive to the organization, too costly, and too destructive to good business practice. You should ensure whoever you choose for your ISMS audit can, and does, offer an integrated assessment service.

The second issue you should take into account when selecting your supplier of certification services is their approach to certification itself. An ISMS is fundamentally designed to reflect the organization’s assessment of risks in and around information security. In other words, each ISMS will be different. It is important, therefore, that each external assessment of an ISMS takes that difference into account so the client gets an assessment that adds value to its business, rather than one that is merely a mechanical comparison of the ISMS against the requirements of ISO 27001.

Once you choose your certification body and are ready for a certification audit, there are six secrets to certification success. None of these secrets will get you through an audit you are fundamentally not ready for, nor will they enable an inadequate ISMS to achieve certification. However, they do ensure all the good aspects of your ISMS are noted and the auditors are left with a favorable overall impression.

  1. Impress the auditors as early as possible by ensuring your documentation is complete, comprehensive, and all available for inspection at the initial visit—the one that comes before the actual certification audit. This first visit is expressly to determine if your ISMS is ready for external audit.
  2. Ensure all your internal audit and testing records are immediately available for the certification auditors when they plan and commence their work. They will use these records to focus their attention on key areas of the ISMS, so ensure you have adequately tested them. No external auditor wants to sign off on a system that is breached a week later, and the thoroughness of your own work will give the auditor confidence.
  3. Teach staff throughout the organization to be completely open and honest with the auditors, especially about things they feel may not be up to standard. This serves two purposes: it flushes out weaknesses you can tighten up on, and it demonstrates to the auditors that you have an open organization that identifies and deals with information security issues. By contrast, an attempt to suggest everything is perfect throughout the organization will provoke incredulity among the auditors; they have learned, through long experience, that no system is without flaws and every attempt to pretend to perfection hides a myriad of previously undetected imperfections. Do not encourage them to start hunting down these imperfections.
  4. Teach staff who are likely to be interviewed by auditors to show how the system that is being examined actually works, and to restrict what they say to answering the specific questions asked without explaining anything off-topic. This will demonstrate to the auditor that your people are tightly focused, and will also avoid the danger of someone talking so much that they lead the auditor to examine an aspect of your ISMS that does not need external examination.
  5. Critically, ensure management is fully involved in the certification audit. If necessary, rehearse with senior management the type of questions they will be asked and the type of answers they will be expected to give. While senior management should be perfectly capable of handling the audit (as they will have been involved in and fully committed to the ISMS project from the outset), they may not be fully aware of how best to demonstrate this commitment to an external auditor. If it is strong, senior management’s performance on the day can make a substantial contribution to certification success.
  6. Be prepared to argue. You should do this only in a constructive and calm fashion, but if there are issues on which you feel an auditor has misunderstood your ISMS or some aspect of it, or has misinterpreted the Standard, and is, as a result, thinking about recording a nonconformity (either major or minor), you should set out, calmly and firmly, why you believe you are in the right. Auditors will respond negatively to any attempt to browbeat or belittle them; they will (usually) respond positively to any constructive attempt to help them achieve a better outcome. And the greater their conviction you’re committed to the long-term effectiveness of your ISMS, the more prepared they will be to give you the benefit of the doubt on any marginal decisions.

The outcome of the initial audit should, if the organization has diligently followed all the recommendations contained in this book, be certification of the ISMS to ISO 27001 and the issuing of a certificate setting this out. The certificate should be appropriately displayed and the organization should start preparing for its first surveillance visit, which will take place about six to nine months later. Any minor nonconformities should be capable of being closed out by email, and any recommendation for certification will be dependent on this happening within an agreed timescale.

The certificate will refer to the latest version of the SoA and the auditors will check for updates on their subsequent visits. Therefore, when supplying a copy of the certificate to clients, stakeholders, or other parties, the organization should be prepared to provide a copy of the most recent SoA. While the SoA is a living document, updated as and when necessary, the organization should endeavor to keep such updates and alterations to a minimum.
