Information security is increasingly a hot topic. As an organisation, you want to have it properly set up and also be able to demonstrate that you meet recognised requirements. You demonstrate this through ISO 27001 certification, a standard that is accepted worldwide. But which steps do you have to go through to obtain certification? In this article, we use the ISO 27001 checklist to explain exactly what you can expect, and we elaborate on the actions you need to take.
ISO 27001 checklist
To achieve ISO 27001 certification, there are a number of standard steps you always need to go through. We list them all below:
- Purchasing the ISO 27001 standard, for example through the NEN.
- If required, engage a consulting firm to guide you through the implementation.
- Study the standard and make sure you acquire the right knowledge about ISO 27001.
- Implement or optimise the management system within your organisation so that it complies with the standard.
- Check internally that the management system is functioning properly and that it meets the ISO 27001 standard requirements.
- Analyse the results of the internal audit and record potential areas for improvement in the management review.
- Implement the measures arising from the internal audit and improve your management system.
- Once you have determined that your organisation complies with the ISO 27001 standard, engage DigiTrust for an independent assessment.
- If, after the assessment, the auditor decides that your organisation meets the requirements of the standard, you will receive the ISO 27001 certificate.
What is an audit within the ISO certification process?
During an audit, an independent certifying body (such as DigiTrust) assesses whether your organisation meets the requirements of the specified standard. A certifying body is an organisation authorised to assess other organisations against certain norms or standards. It does so during an audit, which systematically examines whether all of an organisation's processes and its management system are reliable and have integrity. Does the organisation meet all the requirements? Or are there deficiencies or risks that need to be resolved first?
- In advance, we agree with you on the dates on which the first (initial) audit will take place. This audit consists of a Phase 1 and a Phase 2. During the first appointment, the Phase 1 audit, our auditor introduces himself and explains the entire process. We check whether the organisation and the ISMS are actually ready for the Phase 2 audit: has anything essential been overlooked, and is there anything we still need to know before Phase 2? Next, the auditor draws up the Phase 2 audit plan and discusses it with you: which topics we will cover, when, and who we need for each of them.
- During the Phase 2 audit, we take a close look at the actual operation of your ISMS (Information Security Management System). We do this through observations, interviews and checks of documents and records. The auditor assesses whether your organisation meets the standard, how you have translated the requirements of the standard into your own requirements, and whether you actually operate in accordance with the requirements you have established.
- All findings are recorded in a report and the conclusions are presented to you. Should there be any nonconformities, they are discussed with you in the closing meeting. A Corrective Action Plan (CAP) must be completed for each nonconformity found. The auditor assesses the entire file and gives a positive or negative recommendation for certification. The certification manager also assesses the file and takes the decision on certification.
- If the decision is positive, you will be sent the certificate within a few days, along with the corresponding hallmark logos, which you may use on your website and in email from then on.
Start your ISO 27001 certification today
If you plan to have your organisation certified for ISO 27001 (or NEN 7510 or ISO 9001), you can start preparing today. Read more about the certification process here. Do you have questions about the ISO 27001 checklist, or do you want to go through this process yourself? If so, please feel free to contact the DigiTrust team.