
ISO 27001 Certification audit

  • compare requirements below, with KIWA document

The certification audit must be performed by a certified auditor, and only a recognized Certification Body can issue an ISO 27001 certificate.

See also this FAQ on ISMS audits and certification.

Stage 1 audit: Document review

The auditor looks for:

  • the documented scope,
  • ISMS policy and objectives,
  • description of the risk assessment methodology,
  • Risk Assessment Report,
  • Risk Treatment Plan,
  • procedures for document control,
  • procedures for corrective and preventive actions,
  • procedures for internal audit,
  • Statement of Applicability,
  • documentation of applicable Annex A controls,
  • inventory of assets (A.7.1.1),
  • acceptable use of assets (A.7.1.3),
  • roles and responsibilities of employees, contractors and third party users (A.8.1.1),
  • terms and conditions of employment (A.8.1.3),
  • procedures for the operation of information processing facilities (A.10.1.1),
  • access control policy (A.11.1.1),
  • identification of applicable legislation (A.15.1.1),
  • records of at least one internal audit and management review.

Only if all these requirements are met do you pass on to Stage 2.

Stage 2 audit: Main audit

Usually follows a few weeks after the Stage 1 audit.

The focus is on proof of actual implementation of your ISMS processes and controls.

This is checked mainly by asking for records of activities, but also through observation and employee interviews.

Mandatory records include education, training, skills, experience and qualifications (5.2.2), internal audit (6), management review (7.1), corrective (8.2) and preventive (8.3) actions; however, the auditor will be expecting to see many more records as a result of carrying out your procedures.

Report

The auditor will report the findings using 3 categories:

  • Observations, which may be handled by the organization as it sees fit.
  • Minor non-conformities, which are deviations from the standard that do not affect the ability to achieve the ISMS's goals. They require drafting a Corrective Action Plan to resolve the issue.
  • Major non-conformities, which do affect the ISMS's ability to achieve the intended results. These prevent the certificate from being issued.

The auditor will report the findings, with a deadline for resolving the non-conformities, usually 90 days. After resolving the issue, you notify the auditor and supply evidence. If you've done this well, the auditor will accept your corrective action and issue the certificate.

Source: Advisera, retrieved December 13, 2021

Reasons for major non-conformities

  • If a company completely failed to fulfill a certain requirement, e.g., it didn't perform management review at all, although this was required by the standard.
  • If your process has completely fallen apart, e.g., your procedure required you to perform a backup once a day, whereas the backup was performed only a couple of times per month, at random.
  • If you have several minor nonconformities that are related to the same process or to the same element of your management system, e.g., you have several minor nonconformities related to your Human Resources department: some of the training records are missing, not all employees are trained as they should be, some of the employment records are missing, etc. This becomes a major nonconformity because there is obviously something very wrong with this department.
  • If a certification mark is misused, e.g., you claim to your customers that your product is ISO certified (certification of ISO management standards covers only the processes and management systems, not the products themselves).
  • If a minor nonconformity raised during the previous audit has not been resolved within the deadline, such a small nonconformity automatically becomes a major one.

Source: Advisera, retrieved December 13, 2021

See also: Dealing with non-conformities

Nico Nijenhuis, TÜV, 10 June 2020

  • At TÜV the audit is scheduled 3 months in advance
  • A fixed number of days is allotted for it; that is laid down in the standard
  • You can optionally have a trial audit done beforehand
  • Certification consists of 2 phases:
    • Phase 1 - document review - is the mandatory documentation present (or has it been demonstrably established that certain matters are arranged)? The standard refers at various points to "documented information"
    • After a few weeks, Phase 2 follows: interviews and audits per topic/department
  • After that the report is drawn up
  • Where there is a non-conformity, you get 12 weeks to resolve it
  • If resolved, a certificate follows
  • If there is a bigger problem, more time and a second certification round are needed.
  1. Observation: you may define action items for it yourself; if you do nothing with it, it escalates to …
  2. Non-critical deviation -> Corrective Action Plan; if not resolved, escalation to …
  3. Critical deviation -> you get extra time to resolve it; it is a show stopper for the certificate.

CAP: Corrective Action Plan

Related: ISO 17021 Conformity assessment

Audit cycle

  • The certificate is valid for 3 years
  • Within those 3 years there are 2 surveillance audits
  • After 3 years you must go for recertification