Fixing nonconformities before the certification audit
Assign topic to the user
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more 
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
ISO 27001 DOCUMENTATION TOOLKIT
Step-by-step implementation for smaller companies.
Find out more
Answer: You should fix all the nonconformities before the certification audit - you'll identify most of the nonconformities after you perform your internal audit and your management review. You can plan to implement some of the controls after the certification audit, but this is a different issue from nonconformities.
This article will also help you: Becoming ISO 27001 certified – How to prepare for certification audit https://advisera.com/27001academy/iso-27001-certification/
This book will explain you in detail how to implement the standard and prepare for the certification: Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
I've received further question:
> You say that we can plan to implement some of the controls after the externa audit. Sorry, but it's still a bit confusing to me. Maybe better with an example. A.12.1.4 says: Development, testing, and operational environments shall be separated to reduce the risks of unauthorized access or changes to the operational environment. Can this be implemented after the audit? If yes, how can the auditor verify that we are going to implement it? How can we know what controls can be implemented after, and what controls have to be implemented before the certification audit?
Answer:
Although this is not very popular, you can leave some of the less important controls for the implementation after the certification. There is no hard rule for this, but if you have controls that are not related to major risks, then you can leave them for later, and explain that you were not able to implement those because of time and budget restraints.
You have to make this planning very clear through the Risk treatment plan, and your risk owners need to accept the risks while those controls are not implemented.
The certification auditor will check whether you implemented those controls during the surveillance visits - see this article: Surveillance visits vs. certification audits https://advisera.com/27001academy/knowledgebase/surveillance-visits-vs-certification-audits/
Comment as guest or Sign in
Aug 17, 2016