ISO 27001 - Enquiry
Can you confirm if during stage 1 of a certification process, does an organisation certified Lead Implementer or Auditors within the organisation before the organisation is certified and which clause demands this?
Secondly, can an organisation outsource the roles of ISO 27001 LA and LI and be successfully certified?
I will be grateful to have your feedback.
1 - Can you confirm if during stage 1 of a certification process, does an organisation certified Lead Implementer or Auditors within the organisation before the organisation is certified and which clause demands this?
I’m assuming you are asking if certified Lead Implementers or auditors need to be present in the organization as certification criteria.
ISO 27001 does not prescribe the role of lead implementer, so the presence of a lead implementer is not a requirement for certification. Regarding the auditor role, the standard defines it in clause 9.2, but only requires that the internal audit be performed by a person with proper competency (clause 7.2 competence), so the presence of auditors is not a requirement for certification (the certification auditor will only check if audits were performed by auditors with proper competencies).
For further information, see:
- Which questions will the ISO 27001 certification auditor ask? https://advisera.com/27001academy/blog/2015/07/20/which-questions-will-the-iso-27001-certification-auditor-ask/
2 - Secondly, can an organisation outsource the roles of ISO 27001 LA and LI and be successfully certified?
I will be grateful to have your feedback.
ISO 27001 does not prescribe that auditors and implementers need to be employees of the organization, so it is acceptable to outsource these roles.
For further information, see:
- How to prepare for an ISO 27001 internal audit https://advisera.com/27001academy/blog/2016/07/11/how-to-prepare-for-an-iso-27001-internal-audit/
Nov 20, 2022