Part 38 - Getting Certified to ISO 27001 – Selecting Your Certification Body
So you have created your information security management system (ISMS). Now how do you get it certified to ISO 27001?
The first thing you’ll do is select a Certification Body (CB) to carry out your audit.
Here are our top tips to choose your Certification Body:
1. Are they accredited to conduct your audit?
You’ll need to find out if they are accredited by a reputable authority. It pays to only deal with CBs that are accredited by national Accreditation Bodies (ABs). For example, here in New Zealand (and Australia) the AB is JASANZ. In the US it’s ANAB, and in the UK it’s UKAS. In Germany it’s DAkkS.
So your first question to your CB is “are you accredited?” If not, then move on.
2. Ask for their industry experience, background, and expertise.
It is crucial that they understand what you do and how you do it. If they haven’t got experience in your exact industry, kick them to the curb and find another.
3. Ask them if they can work in your scope.
Make sure they have the technical ability to carry out your audit.
Request evidence that they can work in your scope. See the resumes of the proposed audit team.
4. See references from the CB.
Ask the CB for any references from organisations that are in your industry and have used them in the past.
Ask if you can talk to these reference sites too.
5. See if they can meet your timeframe for certification.
Some CBs are super busy so you need to check with them to ensure that you can book their auditors to do your audit when you want them to.
6. Check the fee schedule.
Make sure the fee schedule is discussed and agreed upfront. There should be no surprises when the invoice arrives. CBs will withhold certificates if invoices haven’t been paid.
7. Is the CB keen to establish a long term relationship?
It is good business practice to build a long-term relationship with your CB to ensure that they continue to provide a good audit experience for you.
Here at Mango we decided on DQS (www.dqsausnz.com.au) based out of Melbourne in Australia.
DQS ticked all the boxes as listed above. In terms of responsiveness to our requests they really stood out, whether that was by email or by phone.
- Check that they are accredited.
- Check their industry experience, background, and expertise.
- Check that they work in your scope.
- Get client recommendations.
- Can they meet your time frame for certification?
- Check their costings.
- Check if they are keen to establish a long term relationship.