ISO 27001 is the internationally recognized standard that outlines the requirements for constructing a risk-based framework to initiate, implement, maintain, and manage information security within an organization. The standard, based on the Plan-Do-Check-Act model (PDCA), defines what an information security management system (ISMS) is, what is required to be included within the ISMS, and how management should form, monitor, and maintain the ISMS.

Certification Process

01. Initial Certification Review (Stage 1)

Stage 1 is a preliminary informal review of the ISMS. This is typically performed onsite at the client location, and consists of a review of the key policy and process documentation.

02. Initial Certification Review (Stage 2)

Stage 2 of the certification review is a more detailed and formal compliance audit. This is performed onsite at the client location(s) and includes in-depth testing to validate that the ISMS framework has been implemented, is monitored, and is maintained per ISO 27001 standard requirements and internal policies and procedures. Passing this stage results in the ISMS being certified compliant with ISO 27001.

Surveillance Audits

ISO 27001 certificates are valid for a three-year term. During this period a series of reviews called surveillance audits must be completed. These should take place at least annually but are often conducted more frequently, particularly while the ISMS is still maturing. A surveillance audit includes an onsite review to determine whether any material changes have been made to the ISMS, and limited testing to confirm that the organization is continuing to follow the framework and controls.