When it comes to undergoing an ISO/IEC 27001:2013 (ISO 27001) certification audit, the initial certification review is by far the most arduous task. The level of difficulty, of course, is dependent on the preparation in advance of the review itself. A readiness assessment prior to the initial certification review is a great way to ensure the organization and its information security management system (ISMS) are prepared for the certification review.
The core objective of the initial certification audit is to determine that the ISMS conforms to the ISO 27001 standard and that the organization operates in conformance with its own policies, procedures, and objectives. To meet this objective, the initial certification audit is divided into two separate reviews, Stage 1 and Stage 2. These are typically scheduled one to three months apart, with the interval depending on the results of Stage 1.
Stage 1 of the initial certification audit reviews the design of the ISMS against the ISO 27001 standard and assesses the organization’s readiness for Stage 2. The assessment is against the management system requirements, specifically clauses 4 through 10. Among those requirements are specific documents, records, and other evidence that must be in place, including the following (clause reference in parentheses):
- Scope of the ISMS (4.3)
- Information security policy (5.2)
- Information security risk assessment process (6.1.2)
- Information security risk treatment process and the statement of applicability (6.1.3)
- Information security objectives (6.2)
- Evidence of competence (7.2d)
- Operational planning and control (8.1)
- Results of the information security risk assessments (8.2)
- Results of the information security risk treatment (8.3)
- Evidence of the monitoring and measurement results (9.1)
- Evidence of the audit program and audit results (9.2g)
- Evidence of the results of management reviews (9.3)
- Evidence of the nature of nonconformities identified and subsequent actions taken (10.1f)
- Evidence of the results of corrective action (10.1g)
Stage 2 of the initial certification audit is a full review covering both the ISMS and the controls the organization has implemented to address its information security risk. The ISMS portion repeats the design review performed in Stage 1 but goes further, assessing the operating effectiveness of the management system and verifying that any nonconformities identified during Stage 1 have been addressed and remediated. Stage 2 also assesses the operating effectiveness of the controls listed in the statement of applicability, which are typically drawn from Annex A. This assessment uses inquiry, observation, and inspection of evidence to obtain reasonable assurance that each control is in place, is operating, and mitigates the risk it was selected to treat. Stage 2 concludes with the audit team recommending for or against certification, based on the results of the ISMS and control assessments.
By the end of the Stage 2 review, the auditor will have determined the organization’s conformance to the ISO 27001 standard, as well as its conformance to its own objectives. Nonconformities are documented as either minor or major, and the distinction between the two is what drives the auditor’s certification recommendation. A major nonconformity indicates a gap in the ISMS that hinders the effective operation of the overall system as it relates to the ISO 27001 standard; major nonconformities must be addressed, contained, and resolved before the certificate is issued. A minor nonconformity also indicates a gap in the ISMS, but one that does not hinder the effective operation of the overall system. The decision to certify is not contingent on the resolution of minor nonconformities, but they still must be addressed and contained, normally through a corrective action plan accepted by the certification body, before the certificate is issued. Failure to resolve a minor nonconformity by the subsequent surveillance review, typically 12 months after the date of certification, will result in its escalation to a major nonconformity. At that point, the nonconformity may affect the status of the certification.
The successful completion of an initial certification is a significant achievement. It demonstrates a commitment to security at all levels of the organization and in the performance of key activities, and it gives interested parties, both internal and external, valuable information about the organization’s objectives. It is, however, only the beginning of a continuously evolving system. If there is one principle to keep in mind, especially with regard to an ISO certified ISMS, it is that without a concerted effort to sustain them, all systems erode over time. That said, an ISMS that conforms to the ISO 27001 standard is a significant step toward maintaining an effective system of security.