ISO/IEC 27001 and 27701 Certification
ISO/IEC 27001:2013 and ISO/IEC 27701:2019 provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an Information Security Management System (ISMS) and a Privacy Information Management System (PIMS), respectively. ISO/IEC 27701 is an extension of ISO/IEC 27001 and is certified together with it rather than on its own. The design and implementation of the ISMS/PIMS is driven by the organization's needs and objectives, its security requirements, the processes it employs, and its size and structure. The ISMS/PIMS and its supporting systems are expected to change over time, and the implementation is expected to scale with the needs of the organization. Certification depends on the conformity of the organization's ISMS and PIMS to the respective standards.
The benefits of ISO 27001 and 27701 certification can be summarized as follows:
- Independent verification that your organization's ISMS/PIMS conforms to the requirements of the internationally recognized ISO/IEC 27001:2013 and 27701:2019 standards, and evidence for customers who require proof of that conformance as a condition of doing business.
- An advantage over competitors whose ISMS/PIMS is not certified, or the opportunity to be first to market with an ISMS/PIMS certified to ISO 27001 and 27701.
- Cost savings from using a single, centrally managed and certified ISMS/PIMS as the core of other compliance efforts, including PCI DSS, HIPAA and HITRUST CSF, rather than maintaining a separate control set for each.
Scoping of the ISMS
The ISO/IEC 27001:2013 and 27701:2019 standards do not prescribe a particular scope for the ISMS/PIMS; the organization defines it, and it may cover a single application or service or the organization as a whole. Determining that scope, and therefore the scope of the audit, is a critical early step in the certification process.
Once the scope is defined, the requirements of the standards, including the controls in ISO 27001 Annex A and the additional controls of ISO 27701, are applied only to the people, processes, systems and locations within that scope. The certificate, when issued, states the scope of the ISMS/PIMS explicitly; anything outside that statement is not covered by the certification, so anyone relying on a certificate should read its scope statement rather than the certificate alone.
ISO/IEC 27001 & 27701 Certification Process
Assuming that you are not presently certified to either ISO 27001 or 27701, the audit and certification process has several components:
- Initial Certification Audit – Stage 1
The initial certification audit consists of two stages. Stage 1, often performed onsite at the client location, is a review of policies and processes to determine whether the ISMS/PIMS framework is ready to undergo the full audit in Stage 2. The review includes inspection of the documents and management processes that each standard requires.
- Initial Certification Audit – Stage 2
Stage 2 consists of observation and testing to determine that the ISMS/PIMS framework has been implemented appropriately and is monitored and maintained in accordance with the standards' requirements and the organization's own policies and procedures. This stage is preferably performed onsite at the client location, or at multiple locations if the scope of the ISMS/PIMS requires it. At the end of this stage, LBMC determines whether to issue ISO 27001 and 27701 certification. Any nonconformities identified must be addressed before certification can be issued.
- Surveillance Audit Stage
ISO 27001 and 27701 certification is valid for a three-year cycle, during which surveillance audits must be completed in years one and two. During a surveillance audit, LBMC conducts a brief onsite audit to determine whether significant or relevant changes have been made to the ISMS/PIMS, and performs limited testing to confirm that the organization continues to operate the framework and controls identified in the original certification.
- Re-Certification Stage
At the conclusion of the initial three-year cycle, and of each subsequent cycle, LBMC performs a full re-certification audit to ensure the continuity of your ISMS/PIMS. The duration and timeline of this audit depend on the audit scope at the time of re-certification.
The time required for the overall certification process depends strongly on the size of the certification scope and on how closely the ISMS/PIMS already conforms to the requirements of ISO/IEC 27001:2013 and 27701:2019. Some organizations are ready for initial certification within a few months of beginning ISMS/PIMS implementation, whereas larger or more complex organizations and systems may need considerably longer to prepare for and achieve certification. LBMC asks applicants to complete a certification application, which is used to gauge the organization's readiness for audit and to estimate audit duration.
Our Award Winning Team
We have assembled an exceptional and dedicated team of information security professionals that differentiates LBMC from other ISO/IEC 27001/27701 certification service providers. Their backgrounds include time with national and regional accounting and consulting firms as well as direct industry experience. LBMC Certification Services makes limited information about the certifications it has issued available upon request.