ISO certification

1. What are all the procedures for getting ISO 27001 certification for an organization?

First, it is important to note that some documents and records are mandatory to fulfill clauses from the main sections of the standard (sections 4 to 10), and these are:

• Scope of the ISMS (clause 4.3)
• Information security policy and objectives (clauses 5.2 and 6.2)
• Risk assessment and risk treatment methodology (clause 6.1.2)
• Statement of Applicability (clause 6.1.3 d)
• Risk treatment plan (clauses 6.1.3 e and 6.2)
• Risk assessment report (clause 8.2)
• Records of training, skills, experience, and qualifications (clause 7.2)
• Monitoring and measurement results (clause 9.1)
• Internal audit program (clause 9.2)
• Results of internal audits (clause 9.2)
• Results of the management review (clause 9.3)
• Results of corrective actions (clause 10.1)

Another situation is that some documents are required to fulfill controls that are mandatory if at least one of these situations happen:

• There are unacceptable risks that justify the application of the control
• There are legal requirements (e.g., laws or contract clauses) to which the organization must comply with that demands the application of the control
• There is a top management decision, to implement the control, by considering it as good practice.

If none of the above conditions happen, there is no need to implement a document related to that control. Examples of such documents are:

• Inventory of assets (to implement control A.8.1.1)
• Acceptable use of assets (to implement control A.8.1.3)

Considering that, besides the documents to fulfill clauses from the main sections, without a detailed evaluation of an organization, it is not possible to define how many documents an organization would have, and which ones would be an overkill.

These articles will provide you a further explanation about ISO 27001 documents and selection of controls:

• List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
• The basic logic of ISO 27001: How does information security work? https://advisera.com/27001academy/knowledgebase/the-basic-logic-of-iso-27001-how-does-information-security-work/
• 8 criteria to decide which ISO 27001 policies and procedures to write https://advisera.com/27001academy/blog/2014/07/28/8-criteria-to-decide-which-iso-27001-policies-and-procedures-to-write/

2. What are all the requirements (i.e., qualification for company, needs for getting ISO certification)?

Broadly speaking, to be ready for ISO certification, an organization needs to:

• Broadly speaking, after getting support for your project (through approval of the ISMS project plan) and approval of the Procedure for Document and Record Control, you should consider these steps:
• define the ISMS basic framework (e.g., scope, objectives, organizational structure), by understanding the organizational context and requirements of interested parties;
• develop risk assessment and treatment methodology;
• perform a risk assessment and define the risk treatment plan;
• implement controls (e.g., policies and procedures documentation, acquisitions, etc.);
  perform people training and awareness;
• operate controls;
• perform monitoring and measurement;
• perform an internal audit;
• perform management critical review; and
• address nonconformities, corrective actions, and opportunities for improvement.

This article will provide you a further explanation about ISMS implementation:

• ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/

3. Where we can apply for that ISO certification?

ISO 27001 certifications are issued by organizations known as "certification bodies", which follow strict procedures to audit and report audit results to provide confidence on audit findings to interested parties (e.g., the organization itself, its customers, regulation bodies, etc.).

The choice of the certification body is an organization's decision, based on its strategies and business objectives and alignment with certification body practices.

This article will provide you a further explanation about the certification body:

• Accreditation vs. certification vs. registration in the ISO world https://advisera.com/articles/accreditation-vs-certification-vs-registration-in-the-iso-world/
• How to choose a certification body https://advisera.com/blog/2021/01/11/how-to-choose-an-iso-certification-body/

4. What is the cost of this ISO certification?

There are a significant number of variables to be considered when estimating an implementation cost, so without more detailed information, it's not possible to precise a value. What I can tell you are some cost issues you should consider:

• Training and literature
• External assistance
• Technologies to be updated/implemented
• Employee's effort and time
• The certification process

Regarding ISMS maintenance costs, the above-mentioned costs also have to be considered, but at different levels, and you have to add the surveillance audit costs for certification maintenance.

These articles can provide you more information:

• How much does the ISO 27001 implementation cost? https://advisera.com/27001academy/blog/2011/02/08/how-much-does-iso-27001-implementation-cost/
• 5 ways to avoid overhead with ISO 27001 (and keep the costs down) https://advisera.com/27001academy/blog/2012/06/19/5-ways-to-avoid-overhead-with-iso-27001-and-keep-the-costs-down/
• How to Budget an ISO 27001 Implementation Project https://info.advisera.com/27001academy/free-download/how-to-budget-an-iso-27001-implementation-project/

5. If we applied when it will reach us?

I'm sorry, but I'm not certain about what do you mean about "when it will reach us" to provide a proper answer. If you could provide more information or an example maybe I can help.

6. How much the period of time for this ISO certification? Once we got that certification when we renew that or not needed.

After certification, surveillance visits must take place at least once a year, and the certificate is valid for 3 years. After the certificate expires, an organization can decide whether to go for the recertification, but this is not mandatory - this is something you do only if you want to keep the certificate.

This article can also help you: 

• Surveillance visits vs. certification audits https://advisera.com/27001academy/knowledgebase/surveillance-visits-vs-certification-audits/