Question about certification requirements
We are working on the implementation of the BIO (Baseline information security for Dutch governments) and are thinking of ISO27001 certification. I purchased the internal audit toolkit (Dutch) to get a better understanding of the work still to be done.
1 - Could you explain how the certification process is done and what the average costs are?
2 - Can Advisera do this certification?
3 - Can the certification be done online / remote or does it need to be done onsite?
4 - What would be the best option to prepare ourselves and get certified? What budget should I take into account? Hope to hear or read from you soon. Thanks.
1 - Could you explain how the certification process is done and what the average costs are?
The ISO 27001 certification process is performed in two stages:
Stage 1 certification audit is also called "Documentation review" - the auditor will evaluate whether you have all the mandatory documentation.
You can find the list of mandatory documents in this blog post: List of mandatory documents required by ISO 27001 (2013 revision) https://advisera.com/27001academy/knowledgebase/list-of-mandatory-documents-required-by-iso-27001-2013-revision/
In stage 2, the auditor goes around your company, speaks to your employees, looks for logs and other records, observes the effectiveness of your safeguards (the controls stated as applicable in the Statement of Applicability - SoA), etc.
Learn more about it in this webinar: ISO 27001/ISO 22301: The certification process https://advisera.com/27001academy/webinar/iso-27001iso-22301-certification-process-free-webinar-demand/
Regarding certification costs, this will depend on the size and complexity of the scope, so without more detailed information, it is not possible to provide you with a precise estimation.
There are a significant number of variables to be considered when estimating the certification cost, such as size and complexity of the scope, number of employees, number of sites, etc.
2 - Can Advisera do this certification?
Currently, Advisera does not perform certification audits.
3 - Can the certification be done online / remote or does it need to be done onsite?
Details on how the certification audit can be performed need to be evaluated on a case-by-case basis with the certification body, so you need to contact your certification body for this kind of information.
4 - What would be the best option to prepare ourselves and get certified? What budget should I take into account? Hope to hear or read from you soon. Thanks.
First, you should consider a gap analysis to understand your situation. You can use this tool for gap analysis: https://advisera.com/27001academy/free-iso-27001-gap-analysis-tool//
Once you know where you are, you can consider these general steps to be prepared for certification:
1) getting management buy-in for the project
2) defining the ISMS basic framework (e.g., scope, objectives, organizational structure), by understanding the organizational context and the requirements of interested parties
3) development of risk assessment and treatment methodology
4) perform a risk assessment and define a risk treatment plan (at this point you can make use of process frameworks like ISO 38500 and ISO 20000 as a reference to help identify risks, but please note that this approach is not mandatory by the standard)
5) controls implementation (e.g., policies and procedures documentation, acquisitions, etc.)
6) people training and awareness
7) controls operation
8) performance monitoring and measurement
9) perform internal audit
10) perform management review
11) address nonconformities, corrective actions, and opportunities for improvement.
This article will provide you with a further explanation of ISMS implementation:
- ISO 27001 implementation checklist https://advisera.com/27001academy/knowledgebase/iso-27001-implementation-checklist/
Regarding implementation approaches, the most common are:
- Use your own staff to implement the ISMS
- Use a consultant to perform most of the effort to implement the ISMS
- Use a consultant only to support the staff on specific issues, leaving the organization's staff with most of the implementation effort.
Each one of them has its advantages and disadvantages.
For more information, I suggest the following materials:
- 3 strategic options to implement any ISO https://advisera.com/blog/2016/04/11/3-strategic-options-to-implement-any-iso-standard/
- Implementing ISO 27001 with a consultant vs. DIY approach https://info.advisera.com/27001academy/free-download/implementing-iso-27001-with-a-consultant-vs-diy-approach
These materials will also help you regarding ISO 27001 implementation:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- Free online training ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
- Diagram of ISO 27001:2013 Implementation https://info.advisera.com/27001academy/free-download/diagram-of-iso-27001-implementation-process
- ISO 27001 Documentation Toolkit https://advisera.com/27001academy/iso-27001-documentation-toolkit/
Oct 17, 2022