ISO/IEC 27001 - Information security management system

ISO/IEC 27001:2017 is the information security management system standard designed to specify the requirements for the implementation of security controls within an individual organization. It also covers physical control and IT security issues.

Certification of the information security management system is a confirmation from an independent, competent and accredited agency that the business adheres to the requirements of an internationally recognized information security management system standard. This includes establishing, implementing, operating, monitoring, reviewing, maintaining and improving the organization’s information security management system.

ISO/IEC 27001:2017 includes elements to ensure the following:

  • Security requirements and objectives are properly formulated
  • Security risks are managed in a cost-efficient way
  • Compliance with laws and regulations
  • A proper framework for the implementation and management of controls to ensure the security objectives of the organization are met
  • Compliance with the policies, directives, and standards of the organization
  • Information security for customers

How does the certification process work?

System audits in the certification process are a means to measure whether the information security management system meets the requirements of ISO/IEC 27001:2017. The main purpose of the system audits is to identify potential improvements.

The certification process consists of two phases:

  • Phase 1 normally consists of a visit to the business in order to review the status of the organization, system documentation, infrastructure, etc. In particular, the organization’s Statement of Applicability (SOA) will be verified.
  • Phase 2 is the certification audit verifying that the system documentation meets the requirements of ISO/IEC 27001:2017. The certification audit will give feedback to the organization on issues that are not in conformance with the standard and that need to be corrected before a certificate can be issued.

The certificate will be valid for 3 years after being granted. During this period, annual surveillance audits will be conducted.

For more information, contact us.