How does ISO 27001 work?

Planning Stage (Pre-Audit)

  • Preparing the documents (What you will need to have before being considered for an ISO 27001 certificate)
    • Client Information Form
    • SOA (Statement of Applicability) of ANNEX A of ISO 27001
      • These are the control activities relevant to your ISMS
    • Risk Assessment of the In-Scope Environment
    • Risk Treatment Plan
  • Preparing the interviews
  • Planning the audit

Initial Certification: 2 Stages of Review

Stage 1 Review

  • This first stage is an evaluation of your ISMS against the requirements of ISO 27001.
  • ISO 27001 requires you write everything down. We will verify that you have the policies, procedures, processes, and other documents relevant to your ISMS in place.
  • The goal of the Stage 1 is to ensure you are ready for the Stage 2 review.
  • We will look for and note any “nonconformities.” Nonconformities are items that are missing or that do not meet the ISO 27001 standard. Before Stage 2 begins, you will need corrective action plans and evidence that those plans are in place. Nonconformities are divided into:
    • Major nonconformities will require a corrective action plan, evidence that the correction plan is taking place, and evidence of remediation before issuing the certificate.
    • Minor nonconformities will only require a corrective action plan and evidence that the corrective action plan is taking place.

Stage 2 Review

After we have determined how well you designed your ISMS and how well your policies, procedures, processes, and documentation conform to the ISO 27001 requirements, it is time for Stage 2.

In this stage, we will evaluate how actively and effectively your controls, practices, and activities are performing. These will be assessed not only against the ISO 27001 requirements, but also against your own internal requirements. We will also evaluate the following topics:

  1. Context of your Organization
    1. Scope of the Audit (risk, objectives, people, oversight, controls, etc.)
  2. Leadership of your Organization
  3. Planning, which includes:
    1. Who can collaborate and contribute in their risk areas (the Risk Owners)
    2. What controls are in place to reduce risk
    3. Information Security Risk Assessment
    4. How to treat those risks (Risk Treatment Plan)
  4. Information Security Objectives
    1. What the objectives are
    2. Who will be responsible
    3. What activities and controls will take place
    4. When these activities and controls will take place
    5. How these activities and controls will be measured

We will evaluate your ISMS and determine if your controls, practices, and activities are performing effectively. We will also be looking for nonconformities and improvement opportunities based on ISO 27001 and your internal requirements.

Before issuing your ISO 27001 certification, we will ask you to provide a corrective action plan and evidence of remediation for each nonconformity found.

Annual Surveillance

Once you have your ISO 27001 certification, it is your responsibility to keep your ISMS performing: you must continuously maintain, monitor, and improve everything you built during the pre-audit buildout of your ISMS.

  • Your ISO 27001 certification is valid for 3 years. To maintain it, your auditor must return on an annual basis during the two calendar years following certification to perform a surveillance audit that reassesses the continued conformance of your ISMS to the ISO 27001 standard.
  • Being ISO 27001 certified means that your organization will be continuously monitoring, improving, and prioritizing your ISMS even when no external auditors are around. Your organization will always be applying the policies, processes, and procedures you developed and evaluating your risk. That is what makes ISO 27001 such a strong standard.

Recertification

  • You’ll be required to recertify your ISMS prior to certification expiration (every 3 years, for as long as you want to maintain your certification).
  • Recertification will evaluate your entire ISMS, including each applicable Annex A control.

Reach out to us to learn how we can help you get ISO 27001 certified.
