ISO 27001 Certification
About ISO 27001
Coalfire Certification has been accredited as an ISO/IEC 27001 Certiﬁcation Body by the ANSI-ASQ National Accreditation Board (ANAB), the official U.S. accreditation body for this International Standard.
ISO/IEC 27001 provides a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an Information Security Management System (ISMS). The design and implementation of the ISMS is driven by the organization’s needs and objectives, security requirements, processes employed and its’ size and structure. The ISMS and its supporting systems are expected to change over time and it is expected that the implementation will be scaled in accordance with the needs of the organization. E.g. a simple situation requires a simple ISMS solution.
Certiﬁcation depends on the conformity of an organization's ISMS to the ISO27001 standard.
The benefits of ISO 27001 certiﬁcation can be summarized as follows:
- Independent verification that your organization’s ISMS conforms to the requirements of the Internationally-recognized and accepted ISO 27001 information security standard
- Meet requirements of your customers who require verification of your conformance to ISO 27001 standards of practice
- Gain significant advantage over competitors who do not have a certified ISMS or be the first to market with an ISMS that is certified to ISO 27001
- Achieve cost savings by utilizing a centrally managed ISO 27001 certified ISMS that can form the core of various compliance efforts, including PCI, HIPAA, Sarbanes-Oxley and more
Scoping of the ISMS
The ISO 27001 standard does not define a particular scope required for the ISMS however a critical component of the certification process is determining the scope of the review. The ISMS scope is determined by the organization itself, and can include a specific application or service of the organization, or the organization as a whole.
The requirements of the standard, including the consideration of the control activities included within the ISO 27001 standard, are to be applied only to the scope of the ISMS under review, once it is defined. When the official certification is issued, it will state specifically what the scope of the ISMS is.
ISO 27001 Certification Process
Assuming that you have not been certified to ISO 27001 before, the initial audit, certification and maintenance process has a number of stages:
- Initial Certiﬁcation Review - Stage 1
The initial certiﬁcation audit consists of two stages. The first stage, often performed onsite at the client location, consists of a policy and process review to determine the readiness of your ISMS framework to undergo the full audit in Stage 2 of the certiﬁcation review. This review would include inspection of all client documents required by the standard.
- Initial Certiﬁcation Review - Stage 2
The second stage of the initial certiﬁcation audit includes in-depth testing to determine that the ISMS framework has been implemented appropriately, and is monitored and maintained per the ISO 27001standard requirements and internal policies and procedures. This stage is performed at the client location, or multiple locations if required by the scope of the ISMS. At the end of this Second Stage, Coalfire Certification will determine whether it will issue ISO 27001 Certification to the client. There may also be gaps identified that will need to be addressed before certification can be provided
- Surveillance Audit Stage
ISO 27001 certiﬁcation is valid for a three-year term, during which time surveillance audits are required to be completed at a minimum on an annual basis. During the surveillance audits, Coalfire Certification will conduct a brief onsite review to determine if any significant or relevant changes have been made to the ISMS as well as perform limited testing to confirm that the organization is continuing to follow the framework and controls identified in the original certification of the ISMS.
- Re-Certification Stage
Before the expiry of the initial three year certification term and in subsequent cycles, full re-certification audits will be performed by Coalfire Certification, to ensure continuity of your certification. The scope of this review and audit will depend on the findings of the surveillance audits and information determined in Stage 1 of the re-certification review.
The required time for the overall certiﬁcation process is strongly dependent on the extent to which the organization's Management System is in conformance to the requirements of the ISO 27001 standard. Some organizations might be able to obtain certiﬁcation within a few months of the beginning of the certiﬁcation review whereas other more complex organizations and systems may require up to a year to obtain certiﬁcation.
Coalfire Certification Services
As an accredited Certification Body (CB), Coalfire Certification cannot provide any professional consulting services to assist in the design, selection, or implementation of controls to meet the ISO 27001 requirements. We are however able to provide the following services in addition to full audit and certification:
Also, for additional information on Coalfire Certification, please see our ISO 27001 business policy page.
For organizations considering an ISO 27001 certiﬁcation, the following steps should be considered:
- Please contact us to better understand the requirements and process for certiﬁcation
- Purchase all applicable ISO 27001 series standards which best align with an organization's goals or needs. The standards may be purchased on the ANSI website at www.anab.com
- Perform gap analyses either internally or utilizing our services outlined above
- Develop a plan for remediation, implementation, and certiﬁcation