High-Level Overview of the Certification Process

Video Activity
Join over 3 million cybersecurity professionals advancing their career
Sign up with
or

Already have an account? Sign In »

Time
7 hours 56 minutes
Difficulty
Intermediate
CEU/CPE
8
Video Transcription
00:00
less than 9.2. Ah, high level overview off The certification process
00:08
in this video will go over the high level overview off the certification process.
00:14
We'll also come the different types of findings that can come out of your audits.
00:23
You will start your order process when you have the majority off your isom s requirements in place.
00:29
I say the majority as a nice mess will never really be finished due to the continual improvement cycle.
00:36
The key thing here is to have the defined processes, procedures and documentation which are required by clauses forward to 10 in the standard.
00:46
It is also important to have a least the majority of your statement of applicability controls implemented or in the process of being implemented.
00:54
Ensure that the status of controls is accurate on your statement of applicability prior to any audit.
01:00
Also
01:02
ensure that all the key pieces of documents are completed and ready to be audited.
01:10
Ensure that you have your internal audit off your eye. Smith's before scheduling your external certification ordered,
01:17
you want to know if there are any major nonconformity is that the internal order detects that need to be fixed prior to your certification ordered
01:26
certain nonconformity, ease or ordered findings
01:30
our severe enough to risk your chances of being successfully certified.
01:34
This means that you would need to spend the money again
01:38
and go through an external audit again.
01:41
So your internal order is a good way to ensure that things are in place first.
01:46
Now, when you contact the external service provided to do your certification ordered,
01:52
they will most likely give you an option doing a pre assessment ordered.
01:57
This is an essence, just a gap assessment,
02:00
where you get an independent assessment of whether or not your ice mess is at a level ready to go through the certification orders.
02:08
This extra cost can end up saving you in the event that your ice mess is missing one or two critical components, which could result in a negative certification outcome.
02:20
Another benefit of doing a pre gap assessment with the same service provided that would do your external certification ordered
02:27
is that this gives the auditor
02:30
background already about your isthmus as well as the context of the organization,
02:35
which makes your certification orders a lot smoother.
02:44
Sir.
02:45
The Stage One audit, which is the first ordered in your external certification audit
02:51
is, as the name suggests,
02:53
the first stage in your certification ordered process.
02:57
This is a non optional audit and counts as a formal pre assessment.
03:01
This is a documentation intensive orders,
03:06
and the duration of the ordered can range between one and five days, depending on your organization, size and the scope of your eyes.
03:15
The second stage audit is the formal certification audit.
03:20
This is the final stage, and the outcome of this ordered will determine whether or not you pass or fail certification.
03:28
The Stage one audit will most likely have raised findings on your eyes mess,
03:32
which would need to be remediated,
03:36
or at least have a concrete plan for remediation
03:38
by the time you get to the stage to order it,
03:43
Stage two will also focus a lot more on testing the effectiveness off everything that was reviewed and examined during Stage one.
03:52
Stage two will often involve the auditors speaking to various personal within your organization
03:58
to gain an understanding as to whether or not those personal haven't understanding off the ice miss
04:04
and what their role is.
04:06
Stage two will also involve the order to reviewing certain information security controls on your statement of applicability.
04:15
They will go through all of the controls and determine if the controls are fully implemented, partially implemented or not yet implemented at all.
04:25
They can also do a sample based testing to check the effectiveness off certain control operations, so be prepared for that.
04:35
Let's have a look at the timeline. Once more,
04:38
you'll begin with your internal audit of your SMS.
04:43
You didn't have the optional
04:45
option of taking the gap assessment,
04:48
which is a pre assessment prior to your certification ordered.
04:55
You will then start with your external audit stage one.
05:00
Upon having a successful stage one, you will move to your stage to external audit.
05:06
Ensure that you have remediated. Any nonconformity is identified during Stage one prior to the stage to taking place.
05:16
You will then have a surveillance or it.
05:18
The surveillance ordered will only happen if you were successfully certified from your stage to order it.
05:27
The surveillance order can happen within six months to one year after being certified
05:32
and will re occur on an annual basis thereafter.
05:36
This is a top up audit to ensure that your ice, um, is is performing as it should
05:42
on this leads. The auditors know that your is a mess and the certification that was awarded
05:47
is still valid.
05:51
You will then have a re certification audit.
05:55
This would happen about three years after your initial certification ordered.
06:00
The re certification ordered
06:02
will be similar in nature to the stage to certification ordered.
06:08
This happens due to the amount of time that has passed since the initial certification ordered.
06:15
It needs to be re performed to ensure that your item is is still operating as intended
06:20
and is meeting all of its requirements and the objectives of the standard,
06:26
as you can see
06:28
becoming certified against the 27,001 standard for your organization.
06:33
It is not a once off effort.
06:35
It is a continual process and a continual journey.
06:40
And it is important that all stakeholders, especially or top management, that is sponsoring the project understand and accept this
06:57
so your orders will raise three types of findings.
07:00
The first one is an observational finding.
07:04
This is mostly nitty gritty attention to detail and housekeeping level issues to look at and fix up in the future.
07:13
These can also be opportunities for improvement,
07:16
a minor non compliance is something that is more significant
07:20
and means that the ice 0 27,001 standard has not been followed in some way,
07:27
but that this does not necessarily directly impact the effectiveness of the ice, miss overall.
07:33
But this will be an issue if it is left unattended or unresolved.
07:39
An order to console past your audit and grant certification with minor non compliance is
07:45
on the condition that these air remediated
07:48
and agreed upon proof is submitted
07:51
or that you are reorder it'd on an agreed upon date.
07:57
Major noncompliance is our show stopper items.
08:01
These issues mean that there is some fundamental component missing,
08:05
and certification will not be awarded until these issues are resolved.
08:16
In this lesson, we learned that there is not just one order to become certified,
08:22
but multiple audits that lead up to certification,
08:26
as well as multiple audits that will continue after certification has been awarded.
08:31
We also covered an overview of the different types of findings and what they mean
Up Next
ISO 27001:2013 - Information Security Management Systems

The ISO 27001:2013 - Information Security Management Systems course provides students with insights into the detail and practical understandings meant by the various clauses in the ISO 27001 Standard.

Instructed By