Lesson 9.2: A high-level overview of the certification process
In this video, we'll go over the high-level overview of the certification process.
We'll also cover the different types of findings that can come out of your audits.
You will start your audit process when you have the majority of your ISMS requirements in place.
I say the majority, as an ISMS will never really be finished due to the continual improvement cycle.
The key thing here is to have the defined processes, procedures and documentation which are required by clauses 4 to 10 in the standard.
It is also important to have at least the majority of your statement of applicability controls implemented or in the process of being implemented.
Ensure that the status of controls is accurate on your statement of applicability prior to any audit.
Ensure that all the key pieces of documents are completed and ready to be audited.
Ensure that you have your internal audit of your ISMS before scheduling your external certification audit.
You want to know if there are any major nonconformities that the internal audit detects that need to be fixed prior to your certification audit.
Certain nonconformities, or audit findings,
are severe enough to risk your chances of being successfully certified.
This means that you would need to spend the money again
and go through an external audit again.
So your internal audit is a good way to ensure that things are in place first.
Now, when you contact the external service provider to do your certification audit,
they will most likely give you an option of doing a pre-assessment audit.
This is, in essence, just a gap assessment,
where you get an independent assessment of whether or not your ISMS is at a level ready to go through the certification audits.
This extra cost can end up saving you in the event that your ISMS is missing one or two critical components, which could result in a negative certification outcome.
Another benefit of doing a pre gap assessment with the same service provider that would do your external certification audit
is that this gives the auditor
background already about your ISMS as well as the context of the organization,
which makes your certification audits a lot smoother.
The Stage One audit, which is the first audit in your external certification audit,
is, as the name suggests,
the first stage in your certification audit process.
This is a non-optional audit and counts as a formal pre-assessment.
This is a documentation-intensive audit,
and the duration of the audit can range between one and five days, depending on your organization's size and the scope of your ISMS.
The second stage audit is the formal certification audit.
This is the final stage, and the outcome of this audit will determine whether or not you pass or fail certification.
The Stage One audit will most likely have raised findings on your ISMS,
which would need to be remediated,
or at least have a concrete plan for remediation
by the time you get to the Stage Two audit.
Stage Two will also focus a lot more on testing the effectiveness of everything that was reviewed and examined during Stage One.
Stage Two will often involve the auditors speaking to various personnel within your organization
to gain an understanding as to whether or not those personnel have an understanding of the ISMS
and what their role is.
Stage Two will also involve the auditor reviewing certain information security controls on your statement of applicability.
They will go through all of the controls and determine if the controls are fully implemented, partially implemented or not yet implemented at all.
They can also do sample-based testing to check the effectiveness of certain control operations, so be prepared for that.
Let's have a look at the timeline once more.
You'll begin with your internal audit of your ISMS.
You then have the optional
option of taking the gap assessment,
which is a pre-assessment prior to your certification audit.
You will then start with your external audit stage one.
Upon having a successful Stage One, you will move to your Stage Two external audit.
Ensure that you have remediated any nonconformities identified during Stage One prior to Stage Two taking place.
You will then have a surveillance audit.
The surveillance audit will only happen if you were successfully certified from your Stage Two audit.
The surveillance audit can happen within six months to one year after being certified
and will reoccur on an annual basis thereafter.
This is a top-up audit to ensure that your ISMS is performing as it should,
and this lets the auditors know that your ISMS and the certification that was awarded
You will then have a recertification audit.
This would happen about three years after your initial certification audit.
The recertification audit
will be similar in nature to the Stage Two certification audit.
This happens due to the amount of time that has passed since the initial certification audit.
It needs to be re-performed to ensure that your ISMS is still operating as intended
and is meeting all of its requirements and the objectives of the standard.
Becoming certified against the 27001 standard for your organization
is not a once-off effort.
It is a continual process and a continual journey.
And it is important that all stakeholders, especially your top management that is sponsoring the project, understand and accept this.
So your audits will raise three types of findings.
The first one is an observational finding.
This is mostly nitty gritty attention to detail and housekeeping level issues to look at and fix up in the future.
These can also be opportunities for improvement.
A minor non-compliance is something that is more significant
and means that the ISO 27001 standard has not been followed in some way,
but that this does not necessarily directly impact the effectiveness of the ISMS overall.
But this will be an issue if it is left unattended or unresolved.
An auditor can still pass your audit and grant certification with minor non-compliances
on the condition that these are remediated
and agreed upon proof is submitted
or that you are re-audited on an agreed upon date.
Major non-compliances are show-stopper items.
These issues mean that there is some fundamental component missing,
and certification will not be awarded until these issues are resolved.
In this lesson, we learned that there is not just one audit to become certified,
but multiple audits that lead up to certification,
as well as multiple audits that will continue after certification has been awarded.
We also covered an overview of the different types of findings and what they mean.