
Expert Advice Community



Guest user Created:   Jul 22, 2020 Last commented:   Jul 22, 2020

ISO certification

1. What are all the procedures for getting ISO 27001 certification for an organization?
2. What are all the requirements (i.e., qualification for company, needs for getting ISO certification)?
3. Where can we apply for that ISO certification?
4. What is the cost of this ISO certification?
5. If we applied, when will it reach us?
6. How long is the period of validity for this ISO certification? Once we have got that certification, do we need to renew it or not?


Rhand Leal Jul 22, 2020

1. What are all the procedures for getting ISO 27001 certification for an organization?

First, it is important to note that some documents and records are mandatory to fulfill clauses from the main sections of the standard (sections 4 to 10), and these are:

  • Scope of the ISMS (clause 4.3)
  • Information security policy and objectives (clauses 5.2 and 6.2)
  • Risk assessment and risk treatment methodology (clause 6.1.2)
  • Statement of Applicability (clause 6.1.3 d)
  • Risk treatment plan (clauses 6.1.3 e and 6.2)
  • Risk assessment report (clause 8.2)
  • Records of training, skills, experience, and qualifications (clause 7.2)
  • Monitoring and measurement results (clause 9.1)
  • Internal audit program (clause 9.2)
  • Results of internal audits (clause 9.2)
  • Results of the management review (clause 9.3)
  • Results of corrective actions (clause 10.1)

Another situation is that some documents are required to fulfill controls that are mandatory if at least one of these situations happens:

  • There are unacceptable risks that justify the application of the control
  • There are legal requirements (e.g., laws or contract clauses) with which the organization must comply that demand the application of the control
  • There is a top management decision to implement the control, considering it good practice.

If none of the above conditions applies, there is no need to implement a document related to that control. Examples of such documents are:

  • Inventory of assets (to implement control A.8.1.1)
  • Acceptable use of assets (to implement control A.8.1.3)

Considering that, besides the documents to fulfill clauses from the main sections, it is not possible, without a detailed evaluation of an organization, to define how many documents an organization would have, and which ones would be overkill.

These articles will provide you with further explanation about ISO 27001 documents and the selection of controls:

2. What are all the requirements (i.e., qualification for company, needs for getting ISO certification)?

Broadly speaking, to be ready for ISO certification, an organization needs to complete the steps below. After getting support for your project (through approval of the ISMS project plan) and approval of the Procedure for Document and Record Control, you should consider these steps:

  • define the ISMS basic framework (e.g., scope, objectives, organizational structure), by understanding the organizational context and requirements of interested parties;
  • develop a risk assessment and treatment methodology;
  • perform a risk assessment and define the risk treatment plan;
  • implement controls (e.g., policies and procedures documentation, acquisitions, etc.);
  • perform people training and awareness;
  • operate controls;
  • perform monitoring and measurement;
  • perform an internal audit;
  • perform a management critical review; and
  • address nonconformities, corrective actions, and opportunities for improvement.

This article will provide you with further explanation about ISMS implementation:

3. Where we can apply for that ISO certification?

ISO 27001 certifications are issued by organizations known as "certification bodies", which follow strict procedures to audit and report audit results, to provide confidence in audit findings to interested parties (e.g., the organization itself, its customers, regulatory bodies, etc.).

The choice of the certification body is an organization's decision, based on its strategies and business objectives and alignment with certification body practices.

This article will provide you with further explanation about the certification body:

4. What is the cost of this ISO certification?

There are a significant number of variables to be considered when estimating an implementation cost, so without more detailed information it's not possible to give a precise value. What I can tell you are some cost issues you should consider:

  • Training and literature
  • External assistance
  • Technologies to be updated/implemented
  • Employees' effort and time
  • The certification process

Regarding ISMS maintenance costs, the above-mentioned costs also have to be considered, but at different levels, and you have to add the surveillance audit costs for certification maintenance.

These articles can provide you with more information:

5. If we applied, when will it reach us?

I'm sorry, but I'm not certain what you mean by "when will it reach us", so I cannot provide a proper answer. If you could provide more information or an example, maybe I can help.

6. How long is the period of validity for this ISO certification? Once we have got that certification, do we need to renew it or not?

After certification, surveillance visits must take place at least once a year, and the certificate is valid for 3 years. After the certificate expires, an organization can decide whether to go for the recertification, but this is not mandatory - this is something you do only if you want to keep the certificate.

This article can also help you: 
