Once an organization has implemented ISO 27001 "Information technology - Security techniques - Information security management systems," the standard relating to information security, to obtain certification it is necessary to undergo an audit performed by an accredited certification body.
During the audit for certification, you must be prepared to demonstrate that your management system meets the requirements of the reference standard and that the management system has been implemented effectively and is able to consistently achieve its objectives.
The certification of the management system provides independent demonstration that the system complies with the specified requirements, is able to consistently pursue the declared policy and objectives, is able to guarantee the customer compliance with the provisions of law, applicable regulations and contractual requirements, and that it is effectively implemented.
The first audit for the certification of an ISO 27001 management system (we remind you that the certification expires after three years) takes place in two parts. The first phase is a preliminary investigation, conducted by analyzing the company's documentation, during which the certification body assesses the degree of implementation of the management system. If you have successfully passed the first phase of the certification audit, you will have access to the second phase, whose purpose is to assess the implementation, including the effectiveness, of the management system, and which will take place at the customer's work site.
This second part of the audit will be based on interviews with personnel, observation of how the work is done operationally, physical inspection, system investigation, etc. At the end of phase 2, the auditor will analyze all the information and evidence collected during phase 1 and phase 2 in order to substantiate the results of the audit and reach the conclusions.
In a closing meeting, the conclusions of the audit and the recommendation to grant or not to grant the certification are presented. During a certification audit, an auditor can detect two types of non-conformity: major non-conformities, which affect the ability of the management system to achieve the expected results, and minor non-conformities, which do not affect the ability of the management system to achieve the stated objectives.
During a certification audit, you will never receive any advice on specific solutions to adopt for resolving non-conformities because the certification activity and the consulting activity can never overlap. Once the closing meeting of the audit is finished, a written report will be prepared in the following days.
The audit report will contain a statement on the compliance and effectiveness of the management system, together with a summary of the related evidence to support what is stated in the report and, specifically, evidence of the ability (or inability) of the system to meet the applicable requirements and to achieve the expected results, a conclusion on the suitability of the certification scope, and a confirmation that the audit objectives have been (or have not been) achieved.
Moreover, if non-conformities have been highlighted during the audit, the audit report will require you to analyze the cause of each non-conformity highlighted, to describe the specific corrective action you decide to implement to correct it, and to state the expected timelines.
After receiving the corrective action plan prepared by the company, the body will determine whether the proposed corrections and deadlines are acceptable and how the certification path will continue, whether with a complete additional audit, with a limited additional audit, or only with the analysis of the documents.
After obtaining the ISO 27001 certificate, a cycle begins that lasts 3 years at the end of which your certificate will expire and must be renewed. You will see, in fact, that at the time of issue the certificate will already show the date of its expiration. During the three years of validity of the certificate, the body will perform surveillance audits for the maintenance of the certification.
It is not enough, in fact, to demonstrate adherence to the requirements of the standard once: you must do so consistently, so that the customer can always be certain that a certified company works in a certain way. If you want to have ACSQ as the body that follows the certification path we have described, contact us, without obligation, at this number 02.58320936 or at this email address: