The 10 most frequently asked questions for obtaining ISO 27001 certification
What is ISO 27001?
ISO 27001 is an international standard that specifies the requirements for an information security management system (ISMS) in the context of an organisation's risks. It specifies requirements for implementing information security controls, and it is the standard against which organisations can become certified. It can apply to any type of business.
What are the benefits of certifying with ISO 27001?
It seems that every other day another information security incident makes the news. Now, smart organizations are implementing an information security management system to preserve the confidentiality, integrity and availability of their information. An information security management system should lead to improvements in security processes and controls and more effective risk management. While there are alternatives, the ISO 27001 standard provides the most widely accepted model for an ISMS.
Can we only comply with ISO 27001 without being certified?
Your information security management system can be developed to comply with the requirements of the standard without being certified. However, the question would then be: what assurance do your directors, management, clients and any other interested parties have that it is actually fully compliant? ISO 27001 certification provides the best assurance for your organization's systems and the information under its control.
Increasingly, certification is also becoming a contractual obligation and may be a requirement to be considered for certain tenders.
Subjecting your information security management system to regular external audits will also help to lock in good practice and lead to continual improvement.
Certification would entitle your organization to use the certification body’s approved logo in marketing material for enhanced brand reputation. Certification may also increase your organization’s market value.
For validity, certification should be sought from an accredited certification body. Sci Qual International and its partners (Qudos) are IAF registered and fully accredited by JAS-ANZ. This is the gold standard of accreditation and certificates issued are valid globally.
What is the difference between ISO 27001 and 27002?
ISO 27001 is the standard that specifies requirements and against which organizations can become certified. You cannot get certified to ISO 27002 because it is not a certification standard. It is essentially for guidance purposes and provides a great deal of useful detail for the implementation of controls in ISO 27001.
How can we achieve certification?
The first step is typically for a Gap Analysis to be conducted. Sci Qual International can do that for you - or you can choose to do it yourself. Your information security management system should then be established, documented, implemented and maintained to address the gaps identified and meet the applicable requirements of ISO 27001’s 7 clauses and 114 controls as applicable. To achieve certification, the information security management system must be successfully audited by an auditor or auditor team belonging to a certification body. There must be no major nonconformities (e.g. the absence or significant failure of a major system element). A small number of minor issues would not normally prevent certification.
What are the different stages of certification?
There are 2 stages:
- Stage 1 is to establish whether the organisation is ready to proceed to the certification audit. This typically takes just 1 or 2 days.
- Stage 2 is the main certification audit. Its duration will vary with the complexity of your business, and we state the duration in our proposal. This will take 4 days or more.
You then maintain and improve your information security management system over time. Your system would also be subject to surveillance audits by Sci Qual International (typically on an annual basis).
What is the cost of certification?
The cost will depend on the size of your organisation, risk and other factors. We will gladly provide you with a competitive, no-obligation proposal. Click here for a free quote.
How long would it take to get a proposal for certification?
With the required information, we can provide an estimate in 2-3 business days. Please allow 5 business days for a formal proposal to allow for our internal quality assurance checks.
We are already certified. What are the advantages of transferring to Sci Qual International from our existing Certification body?
If you are satisfied with your existing certification body (CB), that's great, but Sci Qual can offer a fresh, client-friendly approach:
- We guarantee a simplified certification process.
- We will be responsive from your first contact with a dedicated Client Manager allocated to you.
- We will be flexible in meeting your needs.
- Our auditors are pragmatic and seeking to add value to your business.
- A significant number of our management system auditors can conduct integrated audits of management systems across multiple topics.
- Where appropriate, we will use technology to incorporate a degree of remote auditing to save you costs and minimise interruptions to your busy work schedule.
- Unlike many certification bodies, Sci Qual charges no mark-up on travel costs.
- Sci Qual offers free access to online resources that will help you understand relevant ISO requirements and develop, update or expand your management system with confidence - saving time and money.
- Sci Qual International can offer fully-accredited certification to ISO 9001 Quality, ISO 14001 Environment, ISO 45001 OHS and ISO 27001 Information Security Management Systems - not all CBs can offer that.
Do we have to wait until re-certification time to transfer?
No. In most cases, you can transfer to Sci Qual International from your existing certification body at any time - you don’t have to wait until re-certification is due. We will handle the certification arrangements for you. Contact us to find out how.