ISO/IEC 27001 is the best-known standard providing requirements for an information security management system (ISMS).
An ISMS is a systematic approach to managing sensitive company information so that it remains secure. It includes people, processes and IT systems by applying a risk management process.
ISO/IEC 27001 was originally published in 2015 and derived from BS 7799 Part 2, first published as such by the British Standards Institute in 1999. It was extensively revised in 2013, bringing it into line with the other ISO management system standards.
The standard specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The requirements set out in ISO27001:2013 are generic and are intended to be applicable to all organizations, regardless of type, size or nature.
ISO27001:2013 follows the High Level Structure (Annex SL), which is the common framework for all revised and future ISO management system standards, including the latest versions of ISO9001:2015, ISO14001:2015 and ISO45001:2018.
The standard is aligned with the principles of risk management as defined in ISO31000.
The main sections of the standard that set requirements are:
There are numerous benefits associated with a certified ISO 27001 management system that include:
Step 1: Proposal for Certification – Contact AVRV and exchange preliminary information. AVRV provides you with a proposal based on the size and nature of your organization, detailing the cost and time involved.
Step 2: Optional pre-audit – You may decide to perform a pre-audit to assess the readiness of your organization for the audit. This stage is optional.
Step 3: Stage 1 Audit – During stage 1 the AVRV audit team shall obtain a sufficient understanding of the design of the ISMS in the context of the client’s organization, the risk assessment and treatment (including the controls determined – Statement of Applicability), the information security policy and objectives and, in particular, the client’s preparedness for the stage 2 audit.
The results of stage 1 are documented in a written report by the Lead Auditor. The stage 1 report identifies the further types of information and records that may be required for detailed examination during stage 2.
A positive result following an independent review and evaluation of the above shall allow planning for stage 2.
Step 4: Stage 2 Audit – Evaluation of the implementation and systems effectiveness through observation of working practices, infrastructure utilized, IT systems, personnel interviews and examination of records including for example
At the end of this stage all audit findings, including nonconformities, opportunities for improvement and positive aspects, will be presented to you by the Lead Auditor.
Step 5: Recommendation for Certification – The assigned Lead Auditor shall propose the recommendation based on the evaluation and review of the effective implementation of corrections and corrective actions on findings raised during the audit. The final audit report is forwarded for review and decision.
Step 6: Technical Review and Issue of Certificate subject to successful audit – An appointed independent and impartial expert team of AVRV reviews the audit report and the recommendation of the audit team and decides whether or not to grant certification.
Step 7: Awarding Certification – The client is informed of the results of the certification decision and, following successful certification, a three-year certification cycle is initiated and a certificate is issued.
Step 8: Surveillance audit – Each year the validity of the certification remains subject to successful surveillance audits. Every twelve months we will verify that the management system conforms to the requirements of the standard.
Step 9: Re-certification – After 3 years and before the expiry of your certification our routine visit will be extended to enable a re-certification audit.
The technical review and decision of certification includes granting, refusing, maintaining, renewing, suspending, restoring or withdrawing certification or expanding or reducing the scope of the certification.
The roadmap of the certification process is summarized as follows.
For immediate communication with us concerning Services, Support or Quotes, please call us during working hours by Telephone: (+30) 210-6047-411 or by Fax: (+30) 210-6046-507.