Expert Advice Community

Guest

Question about certification requirements

  Quote
Guest
Guest user Created:   Oct 17, 2022 Last commented:   Oct 17, 2022

Question about certification requirements

We are working on the implementation of the BIO (Baseline information security for Dutch governments) and are thinking of ISO27001 certification. I purchased the internal audit toolkit (Dutch) to get a better understanding of the work still to be done.

1 - Could you explain how the certification process is done and what the average costs are?

2 - Can Advisera do this certification?

3 - Can the certification being done online / remote or need to be done onsite? 

4 - What would be the best option to prepare ourselves and get certified? What budget should I take into account? Hope to hear or read from you soon. Thanks.

0 0

Assign topic to the user

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

ISO 27001 DOCUMENTATION TOOLKIT

Step-by-step implementation for smaller companies.

Expert
Rhand Leal Oct 17, 2022

1 - Could you explain how the certification process is done and what the average costs are?

 The ISO 27001 certification process is performed in two stages:

Stage 1 certification audit is also called "Documentation review" - the auditor will evaluate whether you have all the mandatory documentation.

You can find the list of mandatory documents in this blog post: List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/

In stage 2, the auditor goes around your company, speaks to your employees, looks for logs and other records observes the effectiveness of your safeguards (the controls stated as applicable in the Statement of Applicability - SoA), etc.

Learn more about it in this webinar: ISO 27001/ISO 22301: The certification process https://advisera.com/27001academy/webinar/iso-27001iso-22301-certification-process-free-webinar-demand/

Regarding certification costs, this will depend on the size and complexity of the scope, so without more detailed information, it is not possible to provide you with a precise estimation.

There are a significant number of variables to be considered when estimating the certification cost, such as size and complexity of the scope, number of employees, number of sites, etc.

2 - Can Advisera do this certification?

Currently, Advisera does not perform certification audits.

3 - Can the certification be done online / remote or need to be done onsite? 

Details on how the certification audit can be performed need to be evaluated on a case-by-case basis with the certification body, so you need to contact your certification body for this kind of information.

4 - What would be the best option to prepare ourselves and get certified? What budget should I take into account? Hope to hear or read from you soon. Thanks.

First, you should consider a gap analysis to understand your situation. You can use this tool for gap analysis: https://advisera.com/27001academy/free-iso-27001-gap-analysis-tool//

Once you know where you are, you can consider these general steps to be prepared for certification:

1) getting management buy-in for the project

2) defining ISMS basic framework (e.g., scope, objectives, organizational structure), by understanding the organizational and requirements of interested parties

3) development of risk assessment and treatment methodology

4) perform a risk assessment and define a risk tent plan (at this point you can make use of processes frameworks like ISO 38500 and ISO 20000 as a reference to help identify risks, but please note that this approach is not mandatory by the standard)

5) controls implementation (e.g., policies and procedures documentation, acquisitions, etc.)

6) people training and awareness

7) controls operation

8 performance monitoring and measurement

9) perform internal audit

10) perform management critical review

11) address nonconformities, corrective actions, and opportunities for improvement.

This article will provide you with a further explanation of ISMS implementation:

Regarding implementation approaches, the most common are:

  • Use your own staff to implement the ISMS
  • Use a consultant to perform most of the effort to implement the ISMS
  • Use a consultant only to support the staff on specific issues, leaving the organization's staff with most of the implementation effort.

Each one of them has its advantages and disadvantages.

For more information, I suggest you the following materials:

These materials will also help you regarding ISO 27001 implementation:

Quote
0 0

Comment as guest or Sign in

HTML tags are not allowed

Oct 17, 2022

Oct 17, 2022

Suggested Topics

Guest user Created:   Jul 04, 2022 ISO 27001 & 22301
Replies: 1
0 0

Question about ISO-27001

Guest user Created:   Apr 19, 2022 ISO 27001 & 22301
Replies: 1
0 0

Question - ISO 27001