What can I expect from the certification process?


Information security is an increasingly important issue, also for your customers and relations. They would therefore like to be sure that this is well regulated and that they are not at risk. With the ISO 27001 certificate, you can show that you have a good management system and that you control the risks. But before you get the certificate, you have to go through a certification process. What does that route look like?

Before the process begins, your company has to fill in an intake form. That form states, among other things, how many FTEs you have, what processes exist within the organisation, what you do yourself and which IT matters are outsourced. From there, the number of audit days needed to conduct a proper audit is determined.

Management system

The audit itself is split into two parts. The first audit, often called Stage 1, looks at the performance of the management system, explains DigiTrust director Marco Bijl. This includes looking at your information security policy, risk assessment and treatment, all documented information, annual planning, KPIs, management review and internal audits.

This often turns out to be the phase where there is the most difficulty, Bijl says. "If things go wrong at an IT company, they always go wrong at the management system. That is something that is often found difficult to understand."

Should problems be found here, it does not immediately mean that the process is stopped. "Often those problems can be resolved before phase 2 starts three weeks later," he says.

Technical management measures

The second audit (Stage 2) always starts by discussing the issues from Stage 1. Often, the organisation has made some more adjustments to the management system. These are then reviewed again by the auditor.

Then the second part of the audit officially starts. This part often turns out to be a lot simpler for most companies. Here the auditor looks at the technical control measures. "This part consists of 13 chapters, each covering a different part of the control measures."

These cover rules related to assets, awareness, access rights, cryptography, your office, malware, secure development, backup, suppliers and how to deal with security incidents.

Certificate

The final certificate is issued only when everything from the first and second phases is found to be in order. "At the end of each phase, we make an audit report. Then the customer has to provide a few more documents so that it becomes a complete file. This file is checked for accuracy and completeness by the DigiTrust certification manager," Bijl says.

"If there are not too many deviations, the certificate is issued." So a few non-critical deviations are no big deal. Of course, there should not be too many, and there should certainly not be any critical deviations present, Bijl knows.

The certificate is awarded at an official ceremony. But after that, the journey is not over. "You enter into a three-year contract with DigiTrust. This means that there will be two more checks after the certificate is awarded. These checks take place every year. After three years, a recertification takes place. That one is similar to the first certification, but takes less time."

Want to know more about ISO 27001 certification or want to go through the certification process yourself? Then get in touch with DigiTrust's back-office specialists!
