Moved a directory, changed some filenames

Corpus/Standards/ISO27x/about/ISO 27001 Certification audit.md

@@ -0,0 +1,89 @@
+# ISO 27001 Certification audit
+- [ ] compare requirements below, with KIWA document
+
+
+The certification audit must be performed by a certified auditor, and only a recognized Certification Body can issue a ISO 27001 certificate.
+
+See also this [FAQ on ISMS audits and certification](https://www.iso27001security.com/html/audit_-_certification.html).
+
+
+## Stage 1 audit: Document review
+The auditor looks for:
+- the documented scope, 
+- ISMS policy and objectives, 
+- description of the risk assessment methodology, 
+- Risk Assessment Report, 
+- Risk Treatment Plan
+- procedures for document control 
+- procedures for corrective and preventive actions
+- procedures for internal audit. 
+- Statement of Applicability, 
+- Documentation of applicable Annex A controls
+- inventory of assets (A.7.1.1), 
+- acceptable use of assets (A.7.1.3), 
+- roles and responsibilities of employees, contractors and third party users (A.8.1.1), 
+- terms and conditions of employment (A.8.1.3), 
+- procedures for the operation of information processing facilities (A.10.1.1), 
+- access control policy (A.11.1.1), 
+- identification of applicable legislation (A.15.1.1). 
+- records of at least one internal audit and management review.
+
+Only if all these requirements are met, you pass on to Stage 2.
+
+## Stage 2 audit: Main audit
+Usually follows a few weeks after Stage 1 audit.
+
+The focus is on proof of actual implementation of your ISMS processes and controls.
+
+This is checked mainly by asking for records of activities, but also through observation and employee interviews.
+
+Mandatory records include education, training, skills, experience and qualifications (5.2.2), internal audit (6), management review (7.1), corrective (8.2) and preventive (8.3) actions; however, the auditor will be expecting to see many more records as a result of carrying out your procedures.
+
+## Report
+The auditor will report the findings using 3 categories:
+
+- Observations, which may be handled by the organization as it sees fit
+- Minor non-conformities: which are deviations from the standard that do not affect the ability to achieve the ISMS's goals. They require drafting a Corrective Action Plan to resolve the issue
+- Major non-conformities, which do affect the ISMS's ability to achieve the intended results. These prevent the certificate from being issued.
+
+The auditor will report the findings, with a deadline for resolving the non-conformities, usually 90 days. After resolving the issue, you notify the auditor and supply evidence. If you've done this well, the auditor will accept your corrective action issue the certificate.
+
+Source: [Advisera](https://advisera.com/27001academy/blog/2010/02/15/how-to-get-certified-against-iso-27001/), retrieved December 13, 2021
+
+### Reasons for major non-conformities
+
+-   If a company completely failed to fulfill a certain requirement – e.g., it didn’t perform management review at all, although this was required by the standard.
+-   If your process has completely fallen apart – e.g., your procedure required you to perform backup once a day, whereas the backup was performed only a couple of times per month, randomly.
+-   If you have several minor nonconformities that are related to the same process or to the same element of your management system – e.g., you have several minor nonconformities related to your Human resources department: some of the training records are missing, not all employees are trained as they should be, some of the employment records are missing, etc. – this becomes a major nonconformity because there is obviously something very wrong with this department.
+-   If a certification mark is misused – e.g., you claim to your customers that your product is ISO certified (certification of ISO management standards covers only the processes and management systems, not the products themselves).
+-   If a minor nonconformity, raised during the previous audit, has not been resolved within the deadline – such a small nonconformity automatically becomes a major one.
+
+Source: [Advisera](https://advisera.com/27001academy/blog/2014/06/02/major-vs-minor-nonconformities-in-the-certification-audit/), retrieved December 13, 2021 
+
+See also: [Dealing with non-conformities](https://info-savvy.com/iso-27001-clause-10-1-non-conformity-and-corrective-action/)
+
+## Nico Nijenhuis, TüV, 10 juni 2020
+- Wordt bij TüV 3 maanden vooruit gepland
+- Er staat een vast aantal dagen voor, dat is in de norm bepaald
+* Je kunt vooraf evt een proefaudit laten doen
+* Certificering bestaat uit 2 fasen:
+	* Fase 1 - documentatie onderzoek - is de verplichte documentatie aanwezig (of is aantoonbaar vastgesteld dat bepaalde zaken geregeld zijn.) – de norm noemt op verschillende punten “gedocumenteerde informatie”
+	* Na enkele weken volgt Fase 2: interviews en audits per onderwerp/afdeling
+* Daarna wordt de rapportage opgemaakt
+* Waar er sprake is van non-conformity krijg je 12 weken de tijd om het op te lossen
+* Indien opgelost volgt er een certificaat
+* Als er een groter probleem is, is er langere tijd en een tweede certificeringsronde nodig.
+
+1. Observatie: mag je zelf actiepunten voor definiëren, doe je er niets mee, dan escaleert het naar …
+2. Niet-kritieke afwijking —> Corrective Action Plan; indien niet opgelost, escalatie naar …
+3. Kritieke afwijking —> je krijgt uitstel om het op te lossen, is show stopper voor certificaat.
+
+CAP: Corrective Action Plan
+
+
+Related: [ISO 17021 Conformity assessment](ISO%2017021%20Conformity%20assessment.md)
+
+### Audit cyclus
+* Het certificaat is 3 jr geldig
+* Binnen die 3 jaar zijn er 2 controle audits
+* Na 3 jaar moet je op voor hercertificering