ISO 27001 Certification: Part 2 - Stage 1 and Stage 2

Team working on a computer with the word ISO

As an internationally accepted standard, ISO 27001 is a valuable way to differentiate your organization by demonstrating your compliance with industry standards and commitment to keeping information secure.

ISO 27001 is one of the most thorough certifications an organization can achieve. Annex A of the ISO 27001 standard includes 114 controls, and certification is broken into a two-stage engagement process. While ISO 27001 may feel daunting for your organization, rest assured BARR Advisory will lead you through each step so you can enjoy the endless benefits of obtaining your certification.

Additional benefits of ISO 27001 certification include:

Establishing the maturity of your information security management system (ISMS);
Ensuring customer trust;
Avoiding fines and penalties;
Meeting regulatory requirements; and,
Differentiating your organization to stakeholders.

This is the second iteration of a two-part series on BARR Advisory’s ISO 27001 certification process. We first discussed getting ready for stage 1 through an internal audit. Here, we’ll highlight what happens during stages 1 and 2 as you’re working toward ISO 27001 certification.

Now that your organization has assessed the effectiveness of your ISMS against clause 9.2 of the ISO 27001 standard, you’re ready to begin the remediation and certification process.

Stage 1

Following preparation for the two-stage ISO audit, stage 1 includes an assessment process of ISO clauses 4-10 and your organization’s readiness for stage 2. Stage 1 typically takes two to three days to complete.

Stage 1 is sometimes referred to as the “documentation review,” because your auditor will assess the documentation process of your ISMS.

Stage 1 begins with a kickoff meeting, during which your engagement lead will review your audit program and application. Additionally, you’ll discuss dates for your walkthroughs of ISO clauses 4-10, inspect supporting documentation, and make a conformance decision.

Clauses 4-10 include:

Clause 4: Context of the organization
Clause 5: Leadership
Clause 6: Planning
Clause 7: Support
Clause 8: Operation
Clause 9: Performance evaluation
Clause 10: Improvement

Areas of Concern

BARR has recently updated their process for stage 1, including the addition of areas of concern to the engagement report. Previously, during this stage, your engagement lead would highlight any nonconformities, categorizing them as either major or minor.

According to the recommendations of the ANSI National Accreditation Board (ANAB), during stage 1, BARR will now list out all areas of concern, track them in the engagement report, and determine if there’s a nonconformity during stage 2.

Stage 2

If your organization is successful during stage 1, your engagement team will then lead you through a more thorough assessment.

Stage 2, often defined as the “certification audit,” is the part of your audit when certification is considered.

Stage 2 walkthroughs cover ISO 27001 Annex A controls and any areas of concern noted in Stage 1. This includes evaluating the implementation, including effectiveness, of your management system, and confirming if your organization adheres to its own policies, objectives, and procedures. Additionally, your audit team should ensure any areas of concern have been remediated. If not, these areas will be classified as nonconformities.

Annex A Controls

Annex A contains 114 controls which are classified into 14 categories that cover topics related to ISO 27001, including human resource security, physical and environmental security, and compliance.

Think of Annex A controls as an inventory of security controls. Your organization won’t be required to implement each control. However, you should consider which controls would be best for your organization to implement based on your security requirements.

For most organizations, stage 2 can be completed within one to two weeks. At the end of your engagement, BARR will issue an internal report and public-facing certification, which is good for three years with surveillance audits.

Nonconformities

During stage 2, it’s important to consider the difference between major and minor nonconformities that will show up during your assessment. Any areas of concern noted in stage 1 will be addressed and determined if there’s a nonconformity.

Major nonconformities: A nonconformity that affects the capability of the management system to achieve the intended results.

Nonconformities could be classified as major if: 1) there’s a significant doubt that effective process control is in place or products or services will meet specified requirements, or 2) a number of minor nonconformities associated with the same requirement or issue could demonstrate a systemic failure and thus constitute a major nonconformity.

Minor nonconformities: A nonconformity that does not affect the capability of the management system to achieve the intended results.

If there are areas that may not meet the effectiveness of the requirement, process, or control that affect the capability of the management system to achieve the intended results, it may be noted as a potential major nonconformity but will not be explicitly cited as a major nonconformity as part of the Stage 2 review.

ISO 27001 v. 27701

BARR now offers an additional ISO certification, ISO 27701. While ISO 27001 assesses your ISMS, focusing on the security aspect of your organization, ISO 27701 is the data privacy extension of ISO 27001; it’s also known as the Privacy Information Management System (PIMS) framework and outlines controls and processes to manage data privacy and protect personal identifiable information (PII).

If you already have ISO 27001 under your belt and are looking to further demonstrate your commitment to privacy, ISO 27701 can be a great fit for your organization.

Interested in learning more about how BARR can partner with your organization to reach ISO 27001 or ISO 27701 certification? Contact us today.