High-Level Overview of the Certification Process

00:00

less than 9.2. Ah, high level overview off The certification process

00:08

in this video will go over the high level overview off the certification process.

00:14

We'll also come the different types of findings that can come out of your audits.

00:23

You will start your order process when you have the majority off your isom s requirements in place.

00:29

I say the majority as a nice mess will never really be finished due to the continual improvement cycle.

00:36

The key thing here is to have the defined processes, procedures and documentation which are required by clauses forward to 10 in the standard.

00:46

It is also important to have a least the majority of your statement of applicability controls implemented or in the process of being implemented.

00:54

Ensure that the status of controls is accurate on your statement of applicability prior to any audit.

01:00

Also

01:02

ensure that all the key pieces of documents are completed and ready to be audited.

01:10

Ensure that you have your internal audit off your eye. Smith's before scheduling your external certification ordered,

01:17

you want to know if there are any major nonconformity is that the internal order detects that need to be fixed prior to your certification ordered

01:26

certain nonconformity, ease or ordered findings

01:30

our severe enough to risk your chances of being successfully certified.

01:34

This means that you would need to spend the money again

01:38

and go through an external audit again.

01:41

So your internal order is a good way to ensure that things are in place first.

01:46

Now, when you contact the external service provided to do your certification ordered,

01:52

they will most likely give you an option doing a pre assessment ordered.

01:57

This is an essence, just a gap assessment,

02:00

where you get an independent assessment of whether or not your ice mess is at a level ready to go through the certification orders.

02:08

This extra cost can end up saving you in the event that your ice mess is missing one or two critical components, which could result in a negative certification outcome.

02:20

Another benefit of doing a pre gap assessment with the same service provided that would do your external certification ordered

02:27

is that this gives the auditor

02:30

background already about your isthmus as well as the context of the organization,

02:35

which makes your certification orders a lot smoother.

02:44

Sir.

02:45

The Stage One audit, which is the first ordered in your external certification audit

02:51

is, as the name suggests,

02:53

the first stage in your certification ordered process.

02:57

This is a non optional audit and counts as a formal pre assessment.

03:01

This is a documentation intensive orders,

03:06

and the duration of the ordered can range between one and five days, depending on your organization, size and the scope of your eyes.

03:15

The second stage audit is the formal certification audit.

03:20

This is the final stage, and the outcome of this ordered will determine whether or not you pass or fail certification.

03:28

The Stage one audit will most likely have raised findings on your eyes mess,

03:32

which would need to be remediated,

03:36

or at least have a concrete plan for remediation

03:38

by the time you get to the stage to order it,

03:43

Stage two will also focus a lot more on testing the effectiveness off everything that was reviewed and examined during Stage one.

03:52

Stage two will often involve the auditors speaking to various personal within your organization

03:58

to gain an understanding as to whether or not those personal haven't understanding off the ice miss

04:04

and what their role is.

04:06

Stage two will also involve the order to reviewing certain information security controls on your statement of applicability.

04:15

They will go through all of the controls and determine if the controls are fully implemented, partially implemented or not yet implemented at all.

04:25

They can also do a sample based testing to check the effectiveness off certain control operations, so be prepared for that.

04:35

Let's have a look at the timeline. Once more,

04:38

you'll begin with your internal audit of your SMS.

04:43

You didn't have the optional

04:45

option of taking the gap assessment,

04:48

which is a pre assessment prior to your certification ordered.

04:55

You will then start with your external audit stage one.

05:00

Upon having a successful stage one, you will move to your stage to external audit.

05:06

Ensure that you have remediated. Any nonconformity is identified during Stage one prior to the stage to taking place.

05:16

You will then have a surveillance or it.

05:18

The surveillance ordered will only happen if you were successfully certified from your stage to order it.

05:27

The surveillance order can happen within six months to one year after being certified

05:32

and will re occur on an annual basis thereafter.

05:36

This is a top up audit to ensure that your ice, um, is is performing as it should

05:42

on this leads. The auditors know that your is a mess and the certification that was awarded

05:47

is still valid.

05:51

You will then have a re certification audit.

05:55

This would happen about three years after your initial certification ordered.

06:00

The re certification ordered

06:02

will be similar in nature to the stage to certification ordered.

06:08

This happens due to the amount of time that has passed since the initial certification ordered.

06:15

It needs to be re performed to ensure that your item is is still operating as intended

06:20

and is meeting all of its requirements and the objectives of the standard,

06:26

as you can see

06:28

becoming certified against the 27,001 standard for your organization.

06:33

It is not a once off effort.

06:35

It is a continual process and a continual journey.

06:40

And it is important that all stakeholders, especially or top management, that is sponsoring the project understand and accept this

06:57

so your orders will raise three types of findings.

07:00

The first one is an observational finding.

07:04

This is mostly nitty gritty attention to detail and housekeeping level issues to look at and fix up in the future.

07:13

These can also be opportunities for improvement,

07:16

a minor non compliance is something that is more significant

07:20

and means that the ice 0 27,001 standard has not been followed in some way,

07:27

but that this does not necessarily directly impact the effectiveness of the ice, miss overall.

07:33

But this will be an issue if it is left unattended or unresolved.

07:39

An order to console past your audit and grant certification with minor non compliance is

07:45

on the condition that these air remediated

07:48

and agreed upon proof is submitted

07:51

or that you are reorder it'd on an agreed upon date.

07:57

Major noncompliance is our show stopper items.

08:01

These issues mean that there is some fundamental component missing,

08:05

and certification will not be awarded until these issues are resolved.

08:16

In this lesson, we learned that there is not just one order to become certified,

08:22

but multiple audits that lead up to certification,

08:26

as well as multiple audits that will continue after certification has been awarded.