About ISO 27001
ISO/IEC 27001 provides a model for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an Information Security Management System (ISMS). The design and implementation of the ISMS are driven by the organization’s needs and objectives, security requirements, processes employed, and its size and structure. The ISMS and its supporting systems are expected to change over time, and it is expected that the implementation will be scaled in accordance with the needs of the organization. For example, a simple situation requires a simple ISMS solution.
The benefits of ISO 27001 certification can be summarized as follows:
- Independent verification that your organization’s ISMS conforms to the requirements of the internationally recognized and accepted ISO 27001 information security standard
- Meet requirements of your customers who require verification of your conformance to ISO 27001 standards of practice
- Achieve cost savings by utilizing a centrally managed ISO 27001 certified ISMS that can form the core of various compliance efforts, including NIST 800-53, HIPAA, EUCS, SOC 2, Sarbanes-Oxley and more
- Identify risks to your corporate information and minimize them
- Improve reputation and stakeholder confidence
- Increase in information security awareness
- Reduce staff-related information security breaches
- Stay up-to-date and comply with relevant legislation
Scoping of the ISMS
The ISO 27001 standard does not define a particular scope required for the ISMS; however, a critical component of the certification process is determining the scope of the review. The ISMS scope is determined by the organization itself and can include a specific application or service of the organization, or the organization as a whole.
The requirements of the standard, including the consideration of the control activities included within the ISO 27001 standard, are to be applied only to the scope of the ISMS under review once it is defined. When the official certification is issued, it will state specifically what the scope of the ISMS is.
ISO 27001 Certification Process
Assuming that you have not been certified to ISO 27001 before, the initial audit, certification and maintenance process has several stages:
- Initial Certification Review - Stage 1
The initial certification audit consists of two stages. The first stage, often performed onsite at the client location, consists of a policy and process review to determine the readiness of your ISMS framework to undergo the full audit in Stage 2 of the certification review. This review would include inspection of all client documents required by the standard.
- Initial Certification Review - Stage 2
The second stage of the initial certification audit includes in-depth testing to determine that the ISMS framework has been implemented appropriately and is monitored and maintained per the ISO 27001 standard requirements and internal policies and procedures. This stage is performed at the client location, or multiple locations, if required by the scope of the ISMS. At the end of this second stage, Lazarus Alliance will determine whether it will issue ISO 27001 Certification to the client. There may also be gaps identified that will need to be addressed before certification can be provided.
- Surveillance Audit Stage
ISO 27001 certification is valid for a three-year term, during which time surveillance audits are required to be completed at a minimum on an annual basis. During the surveillance audits, Lazarus Alliance will conduct a brief onsite review to determine if any significant or relevant changes have been made to the ISMS, as well as perform limited testing to confirm that the organization is continuing to follow the framework and controls identified in the original certification of the ISMS.
- Re-Certification Stage
Before the expiry of the initial three-year certification term and in subsequent cycles, full re-certification audits will be performed by Lazarus Alliance, to ensure continuity of your certification. The scope of this review and audit will depend on the findings of the surveillance audits and information determined in Stage 1 of the re-certification review.
- Audit Timing
The required time for the overall certification process is strongly dependent on the extent to which the organization's Management System is in conformance to the requirements of the ISO 27001 standard. Some organizations might be able to obtain certification within a few months of the beginning of the certification review, whereas other more complex organizations and systems may require up to a year to obtain certification.
Lazarus Alliance Certification Services
As an accredited Certification Body (CB), Lazarus Alliance cannot provide any professional consulting services to assist in the design, selection, or implementation of controls to meet the ISO 27001 requirements. We are, however, able to provide the following services in addition to full audit and certification:
ISO 27001 Certification Pre-Assessment
A formal Readiness Assessment is not a requirement of certification to the ISO/IEC 27001 Standard, but it can be helpful in assisting organizations in the process of getting properly prepared for initial certification. The intention of the assessment is to save the organization time and money by identifying deficiencies in its Information Security Management System (ISMS) before seeking Certification to the ISO/IEC 27001 Standard.
Many organizations have found this to be an important step in the process of preparing the organization for the formal Certification Audit.
In the pre-assessment, Lazarus Alliance will perform a high-level review of your intended scope, policies, procedures, and control processes to identify gaps in the conformity of your proposed ISMS to the ISO/IEC 27001 Standard. The assessment will provide a comparison between all requirements of the Standard and the processes, procedures and controls you have in place for the design, implementation, operation, and maintenance of your ISMS. The result will be a report providing clarity on the deficiencies that will need to be addressed before a formal Certification Audit should be attempted.
For organizations considering an ISO 27001 certification, the following steps should be considered:
- Please contact us to better understand the requirements and process for certification.
- Purchase all applicable ISO 27701 series standards that best align with the organization's goals or needs, or utilize a reputable industry GRC solution, such as the Continuum GRC SaaS, which is the first and only FedRAMP Authorized assessment solution in the world.
- Perform gap analyses either internally or utilizing our services outlined above.
- Develop a plan for remediation, implementation, and certification.
Also, for additional information on Lazarus Alliance, please see our ISO 27001 business policy page.