The Information Security Management Systems Certification (ISO 27001:2013) helps organizations prove they are managing the security of clients’ and stakeholders’ information, and can generate the need for three types of vendors: certification body, internal audit and implementation.
The certification body (CB) is an organization accredited by a recognized accrediting body (UKAS, ANAB, etc.,) for its competence to audit and issue certification confirming that an organization’s processes meets the requirements of the ISO 27001:2013 standard. The certification is valid for three years with a successful annual audit and no major non-conformance for the duration of the certification. Organizations that are proceeding with certification for the first time have to undergo Stage I and Stage II audits from a certification body. The stage I audit is a preliminary documentation audit in which policies, procedures, risks, objectives, etc., are audited against the standard, and readiness for Stage II is assessed. In stage II, audit implementation and effectiveness of standards are evaluated. Certification cannot be done in-house, so the CB vendor needs to be on-boarded. Apart from cost and business requirements, the organization has to ensure that it gets certified from an accredited CB.
Internal auditor audits are based on ISO 27001 standards, which is done prior to external audit (certification body stage I and stage II audit). Internal audits can be done by in-house personnel or by a vendor. If organizations are deploying in-house personnel, they have to ensure that internal audits are done independently and impartially (i.e., the auditor shall not audit his or her own work). Internal auditors that are selected should be competent with ISO 27001 Lead Auditor certification, preferably by the International Register of Certificated Auditors with a CISA or similar certification. The experience of the auditor should be at least three years. A CV and project sign-off statement from previous clients can help evaluate competency.
Implementation then involves doing a risk assessment, training, formulating policies and procedures, creating awareness training, analyzing metrics, conducting a management review meeting, etc. This activity can be performed either by in-house personnel or by a vendor. The implementation should be done by a competent ISO 27001 Lead Implementer/Lead Auditor certified preferably by IRCA, with experience of three years post-certification along with CISA, CISM, CISSP or similar certification. Again, a CV and project sign-off statement from previous clients of the implementer can be helpful.
The time required for these three activities varies, but generally, the assignment would be for three years. A point of contact who has knowledge of the entire certification cycle is recommended. Activities of the certification body and internal auditor involve preparing the audit schedule, conducting audits, audit reporting and approving a Corrective Action Plan (CAP). CAP is the plan one submits to the auditor mentioning how the identified gaps during the audit would be closed. The duration of the audit depends on the number of people, number of locations, number of processes/departments involved, etc.
Implementation is generally of a much longer duration than the audits, as it involves multiple activities being performed in parallel. Inputs of the implementer are important during audits, and they need to be deployed in the organization for a few months to complete the certification process. For an organization that has a single location and about 100 people, the certification process would typically take three-to-six months to complete.