1.08 Accreditation & Certification Process

The document describes the ISO 27001 certification process, which involves two stages of auditing an organization's information security management system. Stage 1 involves reviewing the organization's documentation and readiness. Stage 2 evaluates the implementation of the system, including risk assessments, controls, and effectiveness. If the audit team determines the system is adequate, suitable, and effective, the organization may be certified and undergo annual surveillance audits to maintain certification.

Uploaded by Srishti Tripathy


CQI-IRCA Certified PR373 ISMS ISO/IEC 27001:2022 Lead Auditor

Training Course

Course ID: 2551

1.08 Accreditation & Certification Process


Accreditation/Certification Process

Accreditation Board Function

The slide shows the three-tier hierarchy behind an ISO 27001 certificate:

• Accreditation Board (e.g. ANAB, UKAS, NABCB, ...) – accredits the Certification Body against ISO/IEC 17021, ISO/IEC 27006 and the IAF guidelines.
• Certification/Registration Body (CB) (e.g. Bureau Veritas Certification) – audits and certifies the client against ISO 27001.
• Organization to be certified (i.e. the Client) – operates the ISMS that is audited against ISO 27001.
Nov 2022 CQI IRCA Certified : ISMS ISO 27001:2022 Lead Auditor Training Course (2551) 2
Client/Organisation – Certification Process

The flowchart on this slide runs as follows:

1. Application by the client/organisation to the CB
2. CB contract review:
   • Scope
   • Time-scale
   • Audit team
3. Stage 1 Audit
4. Stage 2 Audit
5. Certification
6. Surveillance audits
7. Recertification (after which the cycle repeats)

Ref: ISO/IEC 17021


Application & Review

 Application by the organisation in the Certification Body's (CB) format
 Application review by the CB to ensure:
   adequacy of information about the organisation
   the CB has the necessary competence
   differences are resolved.
 CB to determine the competence required for the audit and appoint the audit team accordingly

Ref: ISO/IEC 17021


Certification to ISO 27001 is carried out in 2 stages: Stage 1 Audit AND Stage 2 Audit.

A pre-audit is optional and value-added:

1 – Preparation for the documentation and implementation audits
2 – Helps the organisation familiarise itself with the certification audit approach
3 – Covers all ISO 27001 requirements
4 – Optional and done at the request of the organisation.

Ref: ISO/IEC 17021


Stage 1 – "Readiness audit"

 Recommended to be done on site.
 Audit of documentation
 Evaluation of location / site-specific conditions
 Review of key performance parameters
 Validation of scope.
 Collection of information regarding statutory & regulatory requirements and their compliance
 Review of allocation of resources for the Stage 2 audit; agree with the client and plan for Stage 2.
 Evaluation of internal audits & management reviews
 Assess the overall readiness for the Stage 2 audit.
 Report the findings, including areas of concern, to the Client / Auditee

Ref: ISO/IEC 17021


Stage 2 "Implementation" Audit

• The purpose: evaluation that policies, procedures and objectives are being achieved, including the effectiveness of the system
• ISMS conforms to all requirements of ISO 27001
• Must be conducted on site.

Ref: ISO/IEC 27006


Stage 2 "Implementation" Audit

 Assessment of information security related risks
 Do risk assessments produce comparable and reproducible results?
 Selection of control objectives and controls based on the risk assessment and risk treatment processes
 Reviews of the effectiveness of the ISMS

Ref: ISO/IEC 17021


Stage 2 "Implementation" Audit

 Monitoring, measurement, analysis and evaluation of the ISMS
 Reporting and reviewing against the ISMS objectives
 Internal ISMS audits and management reviews
 Linkage between the controls selected, the SOA, risk assessment results, ISMS policy and objectives
 Implementation of controls

Ref: ISO/IEC 17021


Stage 2 "Implementation" Audit

 Linkages between statutory & regulatory requirements, the Information Security Policy, performance objectives and targets
 Evaluate the system's effectiveness in:
   Achieving objectives & targets
   Implementing policy commitments (i.e. compliance, meeting requirements, continual improvement, etc.)
   Operational controls in all areas of the ISMS
   Corrective actions.
 Evaluate the overall implementation and effectiveness of the organisation's Information Security Management System.

Ref: ISO/IEC 17021


Stage 2 - Complete System Audit


Full system audit covers:
 EVERY clause of ISO 27001 for: intent,
implementation and effectiveness.
 Linkages between elements of the ISMS.

3 Key Questions:
1. Is the system adequate?
2. Is the system suitable?
3. Is the system effective?
Ref: ISO/IEC 17021


Audit Conclusions
 Based on both Stage 1 & Stage 2 findings
 Certification decision based on the audit team's findings; under ISO/IEC 17021 the audit team reports and recommends, and the CB takes the certification decision through persons who did not take part in the audit

Ref: ISO/IEC 17021


Surveillance audits

► Conducted at least once per year (some at 6 months), on site.
► Cover all functions/processes over the 3-year period following the certification / recertification audits
► Audit plan based upon the results of previous audits and the importance and status of processes.
► Internal audits may be taken into account
► Assess the organisation's continued conformance to the certified standard's requirements
► What shall be checked during surveillance audits ....?

Ref: ISO/IEC 17021

Audit and Certification cycles
(An illustration)

The timeline on this slide, in date order:

• Last day of the Stage 2 audit: 15 Jan 22
• Certification decision = effective date of the certificate: 24 Mar 22
• Surveillance 1 (SV 1): 23 Mar 23
• Surveillance 2 (SV 2): 23 Mar 24
• Recertification audit: before the expiry date
• Expiry date: 23 Mar 25

Certification Cycle (3 years): from the effective date (24 Mar 22) to the expiry date (23 Mar 25).
Audit Cycle (3 years): from the last day of the Stage 2 audit (15 Jan 22) to the recertification audit.

• Note:
The recertification audit must be conducted well in advance so that no NCRs are "open" before the expiry date of the certificate.
