Advise on Project timelines for ISO 27001 Certification
Assign topic to the user
1 - Our ISO 27K implementation project is on track to complete the documentation phase by the end of March. The plan after that is to have all Control records and evidence in place for an Internal Audit by April 22nd. Thereafter (all being well) the plan is to engage with an external Auditor to commence the external Audit process on June 15th with an aim to be certified by June 30th
The question I have is, are these dates realistic?
An internal audit can be performed within 1 day, with whatever records you may have, so a three-week period for generating evidence is more than enough to gather evidence for the internal audit.
Two weeks for the certification audit process is a realistic timeframe (in general certification audits last from 2 to 5 days, depending on scope size and complexity).
For further information, see:
- Which questions will the ISO 27001 certification auditor ask? https://advisera.com/27001academy/blog/2015/07/20/which-questions-will-the-iso-27001-certification-auditor-ask/
2 - My second question relates to Major nonconformities. As I understand it, if the Audit finds a major nonconformity we have 3 months to correct it. Is this a fix period, as in we can only move the audit process forward until the 3 months have elapsed, or does it restart after we have resubmitted the evidence that proves we have corrected it.
The certification audit is not resumed after the nonconformity is corrected. The auditor will verify if the nonconformity is resolved (after the official part of the certification audit is completed) and the evidence is sent to him.
For further information, see:
- Major vs. minor nonconformities in the certification audit https://advisera.com/27001academy/blog/2014/06/02/major-vs-minor-nonconformities-in-the-certification-audit/
Comment as guest or Sign in
Mar 04, 2022