ISO/IEC 27001 and 27701 Certification Audit


Overview

The ISO/IEC 27001:2013 and 27701:2019 standards provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving an Information Security Management System (ISMS) and Privacy Information Management System (PIMS) respectively. The design and implementation of the ISMS/PIMS is driven by the organization’s needs and objectives, security requirements, processes employed and its size and structure. The ISMS/PIMS and supporting systems are expected to change over time, and it is expected that the implementation will be scaled in accordance with the needs of the organization. Certification depends on the conformity of an organization’s ISMS/PIMS to the associated standards.

Scope of Certification

The ISO/IEC 27001:2013 and 27701:2019 standards do not establish scope requirements for the ISMS/PIMS. However, a critical component of the certification process is determining the scope of the audit. The ISMS/PIMS scope is determined by the organization itself and may include a specific application, service, or department within the organization, or the organization as a whole.

The requirements of the standards, including the consideration of the control activities included within the ISO/IEC 27001 and 27701 standards, will be audited only within the scope of the ISMS/PIMS as defined. When a certificate is issued, it will include the organization’s scope statement for the associated ISMS/PIMS.

ISO/IEC 27001 and 27701 Certification Process

If the organization is not presently certified to either ISO/IEC 27001 or 27701, the audit and certification process has several components:

Initial Certification Audit – Stage 1

The initial certification audit consists of two stages. The first stage is an initial review by the auditor to determine the readiness of the defined ISMS/PIMS to undergo a full audit.

Initial Certification Audit – Stage 2

The second stage of the initial certification audit includes interviews, observation, and testing to determine whether the ISMS/PIMS has been implemented effectively, is managed per the ISO standards, and that all security controls conform with the standards. At the conclusion of this stage, LBMC’s internal Certification Committee will approve or deny ISO/IEC 27001 and 27701 certification based on the audit results and recommendation of the auditor. Audit findings may include nonconformities that must be addressed before the certificate can be issued.

Surveillance Audit

ISO/IEC 27001 and 27701 certification is valid for a three-year cycle following initial certification. Surveillance audits are conducted in years one and two of the cycle. Surveillance audits are conducted to identify significant or relevant changes to the scope of the certified ISMS/PIMS, and include targeted testing to confirm that the organization is effectively managing and maintaining the certified management system(s). The audit duration is generally one-third the time of the initial certification audit but may be impacted by changes to the scope of certification.

Re-Certification

At the conclusion of the initial three-year certification cycle, and of each subsequent cycle, re-certification audits are performed to confirm ongoing effective management of the certified ISMS/PIMS. As with surveillance audits, the duration of the audit, generally two-thirds the time of the initial certification audit, may be impacted by changes to the scope of certification at the time of re-certification.

Special Audits

A special audit may be conducted at any time throughout the certification cycle for reasons including but not limited to the following:

  • Expansion of certificate scope, e.g., additional locations, personnel, services, etc.
  • Extension of ISO/IEC 27001 certificate to include ISO/IEC 27701 and/or other standards.
  • Audit of corrective actions from previous audits or follow-up audit for suspended certification.

Audit Timing

The required time for any of the audits listed above is strongly dependent on the size of the organization’s scope of certification, i.e., number of personnel, locations, services, etc., and the extent to which the ISMS/PIMS conforms to the requirements of the ISO/IEC 27001 and 27701 standards. Some organizations might be prepared for initial certification within a few months of beginning ISMS/PIMS implementation efforts, whereas more complex organizations and management systems may require a longer period to prepare for and achieve certification. LBMC will solicit an engagement application to determine the organization’s readiness for audit and to estimate audit duration and timing.

ISO/IEC 27001 and 27701 Certification Conditions

In accordance with ISO/IEC 17021-1:2015, LBMC has established the following processes and conditions for issuing and maintaining certifications against the accredited ISO standards:

Granting or refusing certification

All initial and recertification audits, as well as any surveillance, follow-up, or special audits resulting in the issuance of a new or changed certificate, require review and approval by LBMC’s internal Certification Committee. The Certification Committee reviews the audit report prior to making the decision to grant or refuse certification. Prior to deciding whether to grant certification, the committee will ensure:

  • The information provided is sufficient with respect to the certification requirements and the scope of certification.
  • Correction and corrective actions for any major nonconformities have been reviewed, accepted, and verified.
  • Correction and corrective action for any minor nonconformities have been reviewed and accepted by the auditor.

Failure to meet any of these criteria will result in refusal of certification by the committee.

Maintaining and renewing certification

All certificates will be maintained in accordance with the certification process described above. Clients may request changes to certification for reasons including but not limited to:

  • Change in ownership.
  • Change in name of the company.
  • Change in location.
  • Increase or decrease in scope (personnel, locations, services, etc.).

Clients may submit certification change requests to LBMC at any time. LBMC will review requests and determine whether a special audit is necessary or if changes can be audited at the next annual audit. LBMC will also determine if changes are within the accreditation scope of LBMC.

Following a successful audit of the changes, a revised certificate will be issued as appropriate. In most cases this does not change the initial certification date or the certification cycle.

Suspending, withdrawing, and restoring certification

The following are considered sufficient grounds for certificate suspension or withdrawal:

  • Major nonconformities are not corrected, or effective corrective action plans are not implemented, within a specified time.
  • Improper use of the certificate, symbol or logo not corrected to the satisfaction of LBMC.
  • Client ceases to supply product or service of the certified management system for an extended period.
  • Client’s certified management system has persistently failed to meet any of the requirements for certification including requirements for the effectiveness of the management system.
  • Client makes a formal request to withdraw certification.
  • Infringement by the client of any contractual conditions between the client and LBMC.
  • Client is unable or unwilling to ensure conformance to standards revisions.
  • Receipt of a serious complaint, or a significant number of second- or third-party complaints, indicating that the management system is ineffective.
  • Client does not allow routine surveillance audits to be conducted at the required frequency.

The procedure from suspension through withdrawal of certification is as follows:

  • Grounds for action are brought to the attention of the client’s Engagement Partner, who reviews the information and decides whether to proceed. The Engagement Partner issues a letter to the client advising them of the details of the grounds for action and the decision on whether to proceed.
  • If the Engagement Partner decides to proceed, the client must reply to LBMC within fourteen days of advisory letter issuance.
  • If the Engagement Partner determines that the action or position contained in the client’s response is satisfactory, they issue a letter to the client stating this via email or registered mail.
  • Due dates will be established for corrective actions, and the Engagement Partner must review the actions at those times to ensure that they are effectively completed to prevent suspension or cancellation.
  • If the client does not reply within fourteen days, or if the reply is not satisfactory, or if corrective actions are not effectively completed by the due date, the Engagement Partner determines whether to suspend or withdraw certification.
  • If the decision is made to withdraw certification, the Engagement Partner is responsible for suspending the client or canceling the client from the Certificate Registry, and advising the client by email or registered mail.

Impartiality

LBMC evaluates and achieves impartiality in two primary ways: first, we perform a risk assessment, at a minimum annually, to evaluate the risks to organization-level impartiality and the safeguards in place to protect against those risks. Second, on a project-by-project basis, we evaluate conflicts of interest related to a specific client and project.

Organization-level impartiality evaluation and risk analysis

The organization-level risk analysis is completed by the QA Manager with the assistance of the entire LBMC ISO team. The process to identify, analyze, evaluate, treat, monitor, and document the risks related to conflicts of interest arising from certification, including any conflicts arising from business and personal relationships, is performed on an ongoing basis. The risk assessment is required to identify all threats to impartiality and to document threats, risks, risk treatment, and residual risk in a matrix format.

LBMC recognizes the following potential threats to impartiality:

  • Self-interest threats: threats that arise from a person or enterprise acting in their own interest, for example financial self-interest.
  • Self-review threats: threats that arise from a person or enterprise reviewing the work done by them.
  • Familiarity (or trust) threats: threats that arise from a person or body being too familiar with or trusting of another person instead of seeking evaluation evidence on which to base the audit conclusion.
  • Intimidation threats: threats that arise from a person or enterprise having a perception of being coerced openly or secretively, such as a threat to be replaced or reported to a supervisor.
  • Conflicts of interest: threats that arise because of relationships between LBMC Certification Services and other interested parties or with the parent company, LBMC PC, which might provide ISMS or PIMS management system consultancy services to a client.
  • Financial Pressure: threats that arise because a client’s certification decision may result in financial loss to LBMC Certification Services.
  • Other threats known or unknown.

The impartiality risk analysis is presented annually to LBMC’s Impartiality Committee to allow input from interested stakeholders.

Project and Personnel Level Impartiality Procedures

  • All personnel are required to sign a representation letter when hired (and annually thereafter) that acknowledges their familiarity with the independence, integrity, and objectivity policy and procedures.
  • All personnel are required to notify the Engagement Partner of any potential prohibited transaction or violation of an independence, integrity, or objectivity rule as soon as they become aware of such a situation. To acknowledge that responsibility, all personnel are required, when hired (and annually thereafter), to sign a representation letter and to list situations they know of that could impair independence or that violate LBMC’s integrity and objectivity policy.
  • All personnel are required to review LBMC’s client list annually for possible violations. The list of clients is maintained in LBMC’s time and billing software and is available to all employees. Additions to the list are communicated on a timely basis via email when a new client setup form is submitted. When hired (and annually thereafter), all personnel are required to sign a representation that affirms this responsibility.

The Engagement Partner is responsible for identifying the risks to the impartiality for each client. If a risk is identified, the Engagement Partner will document the risk and the measures taken to eliminate or minimize the risk. This includes those risks that arise from LBMC’s activities, relationships, or from the relationships of LBMC personnel.

A relationship that threatens our impartiality can be based on ownership, governance, management, personnel, shared resources, finances, contracts, marketing (including branding), and payment of a sales commission or other inducement for the referral of new clients, etc.

If a member of the audit team, or an immediate family member, has a direct financial interest, or a material indirect financial interest, in the client, the self-interest threat created would be so significant that the only safeguards available to eliminate the threat or reduce it to an acceptable level would be to:

  • Dispose of the direct financial interest prior to the individual becoming a member of the audit team;
  • Dispose of the indirect financial interest in total or dispose of a sufficient amount of it so that the remaining interest is no longer material prior to the individual becoming a member of the audit team; or
  • Remove the member of the audit team from the audit engagement.

Any threat to impartiality, e.g., intimidation threats, commercial or financial threats, that arises after the audit team has been appointed and has started the audit activities must immediately be reported to the Engagement Partner. The audit team member must report the threat by telephone, followed by a written report via e-mail. The audit team member involved must cease work immediately and leave the client’s premises until the Engagement Partner has resolved the threat by either:

  • Addressing the matter with the client and subsequently removing the individual or circumstances that created the threat to impartiality.
  • Replacing the audit team member.
  • Cancelling the audit engagement.

Executive Team


Brian Willis

Senior Manager, Information Security

Nashville