Walt Disney had this to say about his park: “Disneyland will never be completed. It will continue to grow as long as there is imagination left in the world.”
Your information security management system (ISMS) is probably a lot less exciting than a theme park, but if you’re pursuing ISO 27001 certification, you’ll need to adopt Walt’s mindset.
The holistic nature of ISO 27001 entails a significant commitment from you, not only in satisfying the standard’s requirements but also in sustaining the process itself. And while it is absolutely worth it to stand up your own ISMS and become certified, it helps to know exactly what you’re getting into before you decide.
In this article, we will detail just that. Schellman is an ISO Certification Body, meaning we help our clients through this process consistently, with over 400 ISO 27001 audits in just the last 12 months. Though it may be routine for us, we know it may not be for you, and we want to support you however we can, whether you use us for certification or not.
Though it won’t be anything like Space Mountain or Tower of Terror, this breakdown of what you can expect during your ISO 27001 process will help you anticipate what’s coming. You’ll have a better idea of what will be reviewed during each phase and thus be better positioned for a streamlined certification and for the cyclical process that follows it.
The ISO 27001 Certification Audit Lifecycle
We should say right now that the following outline does not include what will need to be an extensive planning and preparation period to get your ISMS functional and compliant. We’ve written an article breaking down that stage too, but given how comprehensive both the pre-audit and audit periods are, we decided to break it up.
What we’ll talk about now is what’s involved when your third-party auditor is on site doing their review. There are four parts to that cyclical process: the Stage 1 review, the Stage 2 review, annual surveillance reviews, and recertification.
Initial Certification: 2 Stages of Review
Stage 1 Review
- This first stage is largely an evaluation of your designed ISMS against the extensive requirements of ISO 27001.
- We said before that ISO 27001 requires that you write everything down, and this is where your third party will check that you have the policies, procedures, processes, and other documents relevant to your ISMS in place.
- This stage is more high level than the next, since your auditor won’t dive into the effectiveness of controls in practice (yet). The goal of Stage 1 is to ensure you are ready to undergo the Stage 2 review.
- Your auditor will be looking for what are referred to as “nonconformities,” i.e., something that’s missing or doesn’t meet the ISO 27001 standard. If they find one (or more), your auditor will require corrective action plans and evidence of correction before you can proceed to Stage 2.
- In this stage, your auditor will also be looking for opportunities for improvement to help identify areas that can be enhanced.
After you complete Stage 1, you’ll need to take time to correct and remediate any nonconformities your auditor notes:
- Major nonconformities require an acceptable corrective action plan, evidence of correction, and evidence of remediation prior to certificate issuance.
- Minor nonconformities only require those first two to issue the certificate—no remediation evidence necessary.
Note: Although it isn’t necessary for issuing your certificate, your auditor will take the time to evaluate evidence of remediation for any noted minor nonconformities during the subsequent surveillance review, in order to formally close them out. (Read on for more on those surveillance reviews.)
How this all affects your overall timeline will be up to you, but we can say that you should expect to spend some time in between initial certification stages.
Stage 2 Review
- If your ISMS appears well-designed, accounting for all necessary requirements, now it’s time to watch it in action.
- During this phase, the auditor will evaluate your ISMS and whether its active practices, activities, and controls are functioning effectively. Your ISMS will be assessed against the requirements of both ISO 27001 and your internal requirements.
- During your pre-audit planning, you will have performed a risk assessment of your environment. Those results will have allowed you to form subsequent risk treatment plans and a statement of applicability that notes which of the control activities within Annex A of ISO 27001 support your ISMS. During Stage 2, ISMS Framework Clauses 4-10 and those controls you defined within your statement of applicability will be reviewed to ensure they are operating effectively. (For a breakdown of clauses 4-10, check our ISO 27001 guide.)
- Keep in mind that retaining relevant records is imperative to your success during Stage 2, as they are the evidence that required practices and activities are actually being performed.
- Much like in Stage 1, your auditor will be looking for nonconformities and opportunities for improvement based upon the ISO 27001 standard and your own defined requirements.
- Prior to receiving your ISO 27001 certification, corrective action plans and evidence of correction and remediation must be provided for each nonconformity according to its classification as major or minor. The time it takes to correct and remediate these nonconformities should be factored into your estimate of how long it will take to obtain your ISO 27001 certification.
Surveillance Reviews
Now that you have your ISO 27001 certification, you must ensure your ISMS continues to perform like a well-oiled machine. That means continuing to perform the activities necessary for its maintenance, monitoring, and improvement (i.e., go back and cycle through everything you did in your pre-audit buildout of your ISMS).
- Your ISO 27001 certification is valid for 3 years, but to maintain it, your auditor must return on an annual basis during the two calendar years following certification to reassess the continued conformance of your ISMS to the ISO 27001 standard.
- These reviews are less intense than certification audits, because not every element of your ISMS will be reviewed. Think of these more as snapshots of your ISMS: only ISMS Framework Clauses 4-10 and a sample of Annex A control activities will be tested each year. Your auditor will also review the action taken on any nonconformities and opportunities for improvement identified during the previous audit.
- Again, your auditor will note any nonconformities and opportunities for improvement based on the ISO 27001 standard and your own internal requirements. The nonconformities will require corrective action plans and evidence of correction and remediation based upon their classification. Failing to address nonconformities puts your ISO 27001 certificate at risk of becoming inactive.
One of the things that makes ISO 27001 such a strong standard is that it requires you to keep developing and prioritizing your ISMS even when your auditors aren’t on site to evaluate it. That means you’ll need to continue your monitoring, document any changes, and internally audit your risk, because when it comes time for your surveillance review, that’s what will be checked.
Recertification
- You’ll be required to recertify your ISMS prior to certificate expiration (every 3 years).
- The goal of recertification is to assess that the ISMS has been effectively maintained, that any changes have been properly implemented into the ISMS, and that identified nonconformities and opportunities for improvement are being handled appropriately.
- Three years is a long time, and plenty can change within your organization. Recertification audits ensure that, as these changes have occurred within your organization, you’ve documented their impact on your ISMS and mitigated any new risks.
- The recertification will evaluate the entirety of your ISMS, which includes ISMS Framework Clauses 4-10 and each applicable Annex A control.
- By now you can guess the next step—any noted nonconformities during this process will require corrective action plans and evidence of correction and remediation based upon their classification as major or minor. Reissuance of your ISO 27001 certificate is dependent on the correction and remediation of major nonconformities and the correction of minor nonconformities.
- This recertification audit will need to take place every 3 years for as long as you want to maintain your ISO 27001 certification.
Next Steps Towards Your ISO 27001 Certification
ISO 27001 certification can provide strong assurance to your customers and prospects regarding your information security practices, but you now understand how its cyclical and stringent nature makes for a thorough and demanding process.
Still, your knowledge now of what to expect from each phase, including what certification bodies like Schellman will evaluate each time they’re on site, will help you set expectations for that process and alleviate some of the stress surrounding what will become routine for you.
For that reason, you may wonder instead about a SOC 2 examination. There are some overlapping controls there, and like ISO 27001, SOC 2 is also a widely accepted and popular information security standard. Read more about it here:
But, if you’re set on becoming ISO 27001 certified, you’re likely to have more questions about how your organization can accommodate this process. Reach out to us and we can set up a conversation that will help further shape what your ISO 27001 experience could look like.