The Journey to Information Security
If your organisation is starting to think about making the move towards keeping your data secure, the steps below can start your journey.
Step 1 - Application
Step 2 - Assessment
Step 3 - Audit
Initial Certification Audit — Stage 1
The purpose of this assessment is to confirm that your organization is ready for full assessment. This assessment will take place at your management system centre (normally head office) and will be a documentation review assessment.
During the stage 1 assessment, your assessor will:
confirm the accuracy of the information that you submitted during the application process
confirm that the management system conforms to the requirements of the standard
confirm the implementation status of your management system(s)
confirm the scope of certification
verify the evaluation of legal compliance
The output of the stage 1 assessment will be:
a report that identifies any Areas of Concern (AOCs) which, if not addressed, could be raised as non-conformances at the stage 2 assessment
the scheduling of the stage 2 assessment visit
an assessment plan for the stage 2 assessment
Initial Certification Audit — Stage 2
The purpose of this assessment is to confirm that the management system fully conforms to the requirements of the chosen standard in practice. If you undertake site work, or have more than one location that you want within the scope of your certification, then your assessor will also need to audit these activities / locations.
During the stage 2 assessment, your assessor will:
document how the system complies with the standard by using objective evidence
undertake sample audits of the processes and activities defined in the scope of certification
visit any remote locations, additional sites or remote activities to evaluate the effectiveness of the management system off site
report any non-conformities or opportunities for improvement
produce a surveillance plan and agree a date for the first annual surveillance visit
If the assessor identifies any major non-conformances, certification cannot be issued until corrective action is taken and verified. Accreditation requirements stipulate that if this is not completed within 6 months, then certification cannot be recommended without a further stage 2 assessment.
Specifically for ISMS this requirement extends to any nonconformity regarding the internal audit or management review processes. Certification may not be issued for ISO 27001 until there is sufficient evidence to demonstrate that arrangements for management reviews and internal ISMS audits have been implemented, are effective and will be maintained.
Step 4 - Certification
Following a successful two-stage audit, it is determined whether your operations and processes meet the required scope of certification within the applicable standard or standards. Consequently, a certification decision is made and, if positive, certification to the required standard is issued by NQA. You will receive a hard and soft copy of the certificate. That copy will enable you to share your certification with third parties to demonstrate the high standards your organization adheres to.
Certification is valid for three years and is maintained through a program of annual surveillance audits and a three yearly recertification audit.
Get in touch today to begin your journey to securing your data.