ISO/IEC 27001 certifications – how can they be obtained?

ePrivacy advises businesses and public authorities on setting up and introducing information security management systems (ISMS).
Information security management systems preserve the confidentiality, integrity and availability of information in organisations by establishing risk management processes. Introducing such a system makes internal processes and procedures more secure and, not least, more efficient.
What is ISO/IEC 27001?
ISO/IEC 27001 is the internationally recognised standard that defines the requirements for an ISMS using a process approach, taking into account the organisation-specific IT risks. It describes the requirements for the structure, implementation, maintenance and continuous improvement of an ISMS.
1. Design and implementation of an ISMS
After an initial workshop to define the process, perform a gap analysis, set up a project plan and so on, the risk analysis for the ISMS is carried out and the security measures and guidelines are defined. The ISMS is then set up within the organisation. This step takes about 6–9 months and is often supported by ISMS consultants. After the ISMS has been implemented, an internal audit of the ISMS including a management assessment must take place. Before the final internal audit for the ISMS and the management assessment, training measures are defined and offered to employees.
2. Initial certification audit in two stages
Licensed auditors first check the conformity of the ISMS with the ISO/IEC 27001 standard and create the audit report. A certification body then verifies the audit report.
Stage 1 (internal audit)
In stage 1 of the audit, the certification body obtains the documentation on the design of the ISMS. The aim is to:

  • assess the documented information on the client’s ISMS
  • assess the client’s site-specific conditions
  • assess the level of preparation and understanding of the requirements of the standard
  • obtain necessary information regarding the scope of the ISMS
  • evaluate the allocation of resources for stage 2 and agree on the details of stage 2
  • assess whether the internal audits and management reviews are planned and carried out and the client is ready for stage 2

Stage 2 (management review)
Stage 2 assesses the implementation and effectiveness of the client’s ISMS. The audit focuses on:

  • ISMS leadership by top management
  • the documentation requirements listed in DIN EN ISO/IEC 27001:2017-06
  • risks related to information security
  • determination of the security measures
  • information security performance and the effectiveness of the ISMS
  • implementation of the security measures
  • programmes, processes, procedures, records, internal audits and assessment of ISMS effectiveness

Following these steps, the actual certification can be obtained.
ePrivacy advises on setting up and implementing an ISMS as well as preparing for certification.
Feel free to contact us if you need support in this regard.
