ISO 27001 Certification

About ISO 27001

Coalfire ISO has been accredited as an ISO/IEC 27001 Certification Body by the ANSI-ASQ National Accreditation Board (ANAB), the official U.S. accreditation body for this International Standard.

Overview
ISO/IEC 27001 provides a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an Information Security Management System (ISMS). The design and implementation of the ISMS is driven by the organization’s needs and objectives, security requirements, processes employed and its’ size and structure. The ISMS and its supporting systems are expected to change over time and it is expected that the implementation will be scaled in accordance with the needs of the organization. E.g. a simple situation requires a simple ISMS solution.

Certification depends on the conformity of an organization's ISMS to the ISO27001 standard.

Benefits
The benefits of ISO 27001 certification can be summarized as follows:

  • Independent verification that your organization’s ISMS conforms to the requirements of the Internationally-recognized and accepted ISO 27001 information security standard
  • Meet requirements of your customers who require verification of your conformance to ISO 27001 standards of practice
  • Gain significant advantage over competitors who do not have a certified ISMS or be the first to market with an ISMS that is certified to ISO 27001
  • Achieve cost savings by utilizing a centrally managed ISO 27001 certified ISMS that can form the core of various compliance efforts, including PCI, HIPAA, Sarbanes-Oxley and more

Scoping of the ISMS
The ISO 27001 standard does not define a particular scope required for the ISMS however a critical component of the certification process is determining the scope of the review. The ISMS scope is determined by the organization itself, and can include a specific application or service of the organization, or the organization as a whole.

The requirements of the standard, including the consideration of the control activities included within the ISO 27001 standard, are to be applied only to the scope of the ISMS under review, once it is defined. When the official certification is issued, it will state specifically what the scope of the ISMS is.

ISO 27001 Certification Process

Assuming that you have not been certified to ISO 27001 before, the initial audit, certification and maintenance process has a number of stages:

  • Initial Certification Review - Stage 1
    The initial certification audit consists of two stages. The first stage, often performed onsite at the client location, consists of a policy and process review to determine the readiness of your ISMS framework to undergo the full audit in Stage 2 of the certification review. This review would include inspection of all client documents required by the standard.

  • Initial Certification Review - Stage 2
    The second stage of the initial certification audit includes in-depth testing to determine that the ISMS framework has been implemented appropriately, and is monitored and maintained per the ISO 27001standard requirements and internal policies and procedures. This stage is performed at the client location, or multiple locations if required by the scope of the ISMS. At the end of this Second Stage, Coalfire ISO will determine whether it will issue ISO 27001 Certification to the client. There may also be gaps identified that will need to be addressed before certification can be provided

  • Surveillance Audit Stage
    ISO 27001 certification is valid for a three-year term, during which time surveillance audits are required to be completed at a minimum on an annual basis. During the surveillance audits, Coalfire ISO will conduct a brief onsite review to determine if any significant or relevant changes have been made to the ISMS as well as perform limited testing to confirm that the organization is continuing to follow the framework and controls identified in the original certification of the ISMS.

  • Re-Certification Stage
    Before the expiry of the initial three year certification term and in subsequent cycles, full re-certification audits will be performed by Coalfire ISO, to ensure continuity of your certification. The scope of this review and audit will depend on the findings of the surveillance audits and information determined in Stage 1 of the re-certification review.

Audit Timing
The required time for the overall certification process is strongly dependent on the extent to which the organization's Management System is in conformance to the requirements of the ISO 27001 standard. Some organizations might be able to obtain certification within a few months of the beginning of the certification review whereas other more complex organizations and systems may require up to a year to obtain certification.

Coalfire ISO Services
As an accredited Certification Body (CB), Coalfire ISO cannot provide any professional consulting services to assist in the design, selection, or implementation of controls to meet the ISO 27001 requirements. We are however able to provide the following services in addition to full audit and certification:

 Also, for additional information on Coalfire, please see our ISO 27001 business policy page.

Next Steps
For organizations considering an ISO 27001 certification, the following steps should be considered:

  • Please contact us to better understand the requirements and process for certification
  • Purchase all applicable ISO 27001 series standards which best align with an organization's goals or needs. The standards may be purchased on the ANSI website at www.anab.com
  • Perform gap analyses either internally or utilizing our services outlined above
  • Develop a plan for remediation, implementation, and certification