Part 38 - Getting Certified to ISO 27001 – Selecting Your Certification Body
So you have created your information security management system (ISMS). Now how do you get it certified to ISO 27001?
The first thing you’ll do is select a Certification Body (CB) to carry out your audit.
Here are our top tips to choose your Certification Body:
1. Are they accredited to conduct your audit?
You’ll need to find out if they are accredited by a reputable authority. It pays to only deal with CBs that are accredited by national Accreditation Bodies (ABs).
For example:
- Here in New Zealand (and Australia) the AB is JASANZ.
- In the US it’s ANAB.
- In the UK it’s UKAS.
- In Germany it’s DAkkS.
So your first question to your CB is “are you accredited?” If not, then move on.
2. Ask for their industry experience, background, and expertise.
It is crucial that they understand what you do and how you do it. If they haven’t got experience in your exact industry, kick them to the curb and find another.
3. Ask them if they can work in your scope.
Make sure they have the technical ability to carry out your audit.
Request evidence that they can work in your scope. See the resumes of the proposed audit team.
4. See references from the CB.
Ask the CB for any references from organisations that are in your industry and have used them in the past.
Ask if you can talk to these reference sites too.
5. See if they can meet your timeframe for certification.
Some CBs are super busy so you need to check with them to ensure that you can book their auditors to do your audit when you want them to.
6. Check the fee schedule.
Make sure the fee schedule is discussed and agreed upfront. There should be no surprises when the invoice arrives. CBs will withhold certificates if invoices haven’t been paid.
7. Is the CB keen to establish a long term relationship?
It is good business practice to build a long term relationship with your CB to ensure that they continue to provide a good audit experience for you.
Here at Mango we decided on DQS (www.dqsausnz.com.au) based out of Melbourne in Australia.
DQS ticked all the boxes as listed above. In terms of responsiveness to our requests they really stood out, whether that was by email or by phone.
Takeaways
- Check that they are accredited.
- Check their industry experience, background, and expertise.
- Check that they work in your scope.
- Get client recommendations.
- Can they meet your timeframe for certification?
- Check their costings.
- Check if they are keen to establish a long term relationship.
View previous blogs in this series "ISO 27001 Information Security Management Standard":
Part 1 - Reasons why you need to meet this standard
Part 2 - Principle 1 - Analysing the Protection of Your Information and then Applying Controls
Part 3 - Principle 2 - Awareness of the Need for Information Security
Part 4 - Principle 3 - Assignment of Responsibility for Information Security
Part 5 - Principle 4 - Incorporating Management Commitment and the Interests of Stakeholders
Part 6 - Principle 5 - Enhancing Societal Values
Part 9 - Principle 8 - Active prevention and detection of information security incidents
Part 10 - Principle 9 - Ensuring a comprehensive approach to information security management
Part 12 - ISO 27001 Information Security Management Standard: Clauses 0, 0.1, 0.2, 1, 2 and 3
Part 13 - ISO 27001 Information Security Management Standard: Clauses 4.1, 4.2, 4.3 and 4.4
Part 14 - ISO 27001 Information Security Management Standard: Clause 5.1
Part 15 - ISO 27001 Information Security Management Standard: Clause 5.2
Part 16 - ISO 27001 Information Security Management Standard: Clause 5.3
Part 17 - ISO 27001 Information Security Management Standard: Clause 6.1
Part 18 - ISO 27001 Information Security Management Standard: Clause 6.2
Part 19 - ISO 27001 Information Security Management Standard: Clauses 7.1 - 7.4
Part 20 - ISO 27001 Information Security Management Standard: Clause 7.5
Part 21 - ISO 27001 Information Security Management Standard: Clauses 8.1, 8.2, 8.3
Part 22 - ISO 27001 Information Security Management Standard: Clauses 9.1, 9.2, 9.3
Part 23 - ISO 27001 Information Security Management Standard: Clauses 10.1, 10.2
Part 24 - ISO 27001 Information Security Management Standard: Clause A5
Part 25 - ISO 27001 Information Security Management Standard: Clause A6
Part 26 - ISO 27001 Information Security Management Standard: Clause A7
Part 27 - ISO 27001 Information Security Management Standard: Clause A8
Part 28 - ISO 27001 Information Security Management Standard: Clause A9
Part 29 - ISO 27001 Information Security Management Standard: Clause A10
Part 30 - ISO 27001 Information Security Management Standard: Clause A11
Part 31 - ISO 27001 Information Security Management Standard: Clause A12
Part 32 - ISO 27001 Information Security Management Standard: Clause A13
Part 33 - ISO 27001 Information Security Management Standard: Clause A14
Part 34 - ISO 27001 Information Security Management Standard: Clause A15
Part 35 - ISO 27001 Information Security Management Standard: Clause A16
Part 36 - ISO 27001 Information Security Management Standard: Clause A17
Part 37 - ISO 27001 Information Security Management Standard: Clause A18