ISO 27001 Information Security Management Standard - Certification Step 1

Posted by Craig Thornton

Part 38 - Getting Certified to ISO 27001 – Selecting Your Certification Body

So you have created your information security system management system (ISMS).  Now how do you get it certified to ISO 27001?

The first thing you’ll do is select a Certification Body (CB) to carry out your audit. 

Certification Body

 

Here are our top tips to choose your Certification Body:

 

1. Are they accredited to conduct your audit?

You’ll need to find out if they are accredited by a reputable authority.  It pays to only deal with CBs that are accredited by national Accreditation Bodies (AB).  For example, here in New Zealand (and Australia) the AB is JASANZ.  In the US it’s ANAB, and in the UK it’s UKAS.  In Germany it’s DAkkS.

So your first question to your CB is “are you accredited?” If not, then move on.

 

2. Ask for their industry experience, background, and expertise.

It is crucial that they understand what you do and how you do it. If they haven’t got experience in your exact industry, kick them to the curb and find another.

 

3. Ask them if they can work in your scope.

Make sure they have the technical ability to carry out your audit.

Request evidence that they can work in your scope.  See the resumes of the proposed audit team.

 

4. See references from the CB.

Ask the CB for any references from organisations that are in your industry and have used them in the past. 

Ask if you can talk to these reference sites too.

 

5. See if they can meet your timeframe for certification.

Some CBs are super busy so you need to check with them to ensure that you can book their auditors to do your audit when you want them to.

 

6. Check the fee schedule.

Make sure the fee schedule is discussed and agreed upfront.  There should be no surprises when the invoice arrives.  CBs will withhold certificates if invoices haven’t been paid.

 

7. Is the CB keen to establish a long term relationship?

It is good business practise to build a long term relationship with your CB to ensure that they continue to provide a good audit experience for you.

Here at Mango we decided on DQS (www.dqsausnz.com.au) based out of Melbourne in Australia.

DQS ticked all the boxes as listed above.  In terms of responsiveness to our requests they really stood out, whether that was by email or by phone. 

 

Takeaways

  1. Check that they are accredited.
  2. Check their industry experience, background, and expertise.
  3. Check that they work in your scope.
  4. Get client recommendations.
  5. Can they meet your time frame for certification?
  6. Check their costings.
  7. Check if they are keen to establish a long term relationship.

View previous blogs in this series "ISO 27001 Information Security Management Standard":

Part 1 - Reasons why you need to meet this standard

Part 2 - Principle 1 - Analysing the Protection of Your Information and then Applying Controls

Part 3 - Principle 2 - Awareness of the Need for Information Security

Part 4 - Principle 3 - Assignment of Responsibility for Information Security

Part 5 - Principle 4 - Incorporating Management Commitment and the Interests of Stakeholders

Part 6 - Principle 5 - Enhancing Societal Values

Part 7 - Principle 6 - Risk assessments determining appropriate controls to reach acceptable levels of risk

Part 8 - Principle 7 - Security incorporated as an essential element of information networks and systems

Part 9 - Principle 8 - Active prevention and detection of information security incidents

Part 10 - Principle 9 - Ensuring a comprehensive approach to information security management

Part 11 - Principle 10 - Continual reassessment of information security and making of modifications as appropriate

Part 12 - ISO 27001 Information Security Management Standard: Clauses 0, 0.1, 0.2, 1, 2 and 3

Part 13 - ISO 27001 Information Security Management Standard: Clauses 4.1, 4.2, 4.3 and 4.4

Part 14 - ISO 27001 Information Security Management Standard: Clause 5.1

Part 15 - ISO 27001 Information Security Management Standard: Clause 5.2

Part 16 - ISO 27001 Information Security Management Standard: Clause 5.3

Part 17 - ISO 27001 Information Security Management Standard: Clause 6.1

Part 18 - ISO 27001 Information Security Management Standard: Clause 6.2

Part 19 - ISO 27001 Information Security Management Standard: Clauses 7.1 - 7.4

Part 20 - ISO 27001 Information Security Management Standard: Clause 7.5

Part 21 - ISO 27001 Information Security Management Standard: Clauses 8.1, 8.2, 8.3

Part 22 - ISO 27001 Information Security Management Standard: Clauses 9.1, 9.2, 9.3

Part 23 - ISO 27001 Information Security Management Standard: Clauses 10.1, 10.2

Part 24 - ISO 27001 Information Security Management Standard: Clause A5

Part 25 - ISO 27001 Information Security Management Standard: Clause A6

Part 26 - ISO 27001 Information Security Management Standard: Clause A7

Part 27 - ISO 27001 Information Security Management Standard: Clause A8

Part 28 - ISO 27001 Information Security Management Standard: Clause A9

Part 29 - ISO 27001 Information Security Management Standard: Clause A10

Part 30 - ISO 27001 Information Security Management Standard: Clause A11

Part 31 - ISO 27001 Information Security Management Standard: Clause A12 

Part 32 - ISO 27001 Information Security Management Standard: Clause A13

Part 33 - ISO 27001 Information Security Management Standard: Clause A14

Part 34 - ISO 27001 Information Security Management Standard: Clause A15

Part 35 - ISO 27001 Information Security Management Standard: Clause A16

Part 36 - ISO 27001 Information Security Management Standard: Clause A17

Part 37 - ISO 27001 Information Security Management Standard: Clause A18

Tags: ISO 27001, information security, ISO 27001 Certification