While your selection of certification body should have no impact on your success in achieving certification, there are a couple of issues you should consider in making your selection – which isn’t necessary until you have already made considerable progress toward readiness for certification. You will of course want to ensure that there is a cultural fit between yourself and your supplier of certification services, and that pricing and so on is acceptable.
There are two other key issues that do need to be taken into account when making this selection: the first is relevant to organizations that already have one or more externally certified management systems in place; and the second applies specifically to organizations tackling ISO 27001.
It is essential that your ISMS is fully integrated into your organization; it will not work effectively if it is a separate management system and exists outside of and parallel to any other management systems. Logically, this means that the framework, processes and controls of the ISMS must, to the greatest extent possible, be integrated with, for instance, your ISO 9001 quality system. Clearly, therefore, assessment of your management systems must also be integrated: you only want one audit that deals with all the aspects of your management system. It is simply too disruptive of the organization, too costly and too destructive of good business practice, to do anything else. You should ensure that whoever you choose for your ISMS audit can and does offer an integrated assessment service.
The second issue that you should take into account when selecting your supplier of certification services is their approach to certification itself. An ISMS is fundamentally designed to reflect the organization’s assessment of risks in and around information security. In other words, each ISMS will be different. It is important, therefore, that each external assessment of an ISMS takes that difference into account so that the client gets an assessment that adds value to its business, rather than one that is merely a mechanical comparison of the ISMS against the requirements of ISO 27001.
There are, once you have chosen your certification body, and once you are ready for a certification audit, six secrets to certification success. None of these secrets will get you through an audit that you are fundamentally not ready for, nor will they enable an inadequate ISMS to achieve certification. What they do is ensure that all the good aspects of your ISMS are noted and that the overall impression with which the auditors are left is a favourable one.
Ensure that your documentation is complete, comprehensive and all available for inspection – at the initial visit, the one that comes before the actual certification audit. This first visit is expressly to determine if your ISMS is ready for external audit; impress the auditors as early as possible.
Ensure that all your internal audit and testing records are immediately available for the certification auditors when they plan and commence their work; they should use these records to ensure they focus on key areas of the ISMS, so ensure that you have adequately tested them. No external auditor wants to ‘sign off’ a system that is breached a week later, and the thoroughness of your own work will give the auditor confidence.
Teach staff throughout the organization to be completely open and honest with the auditors, especially about things which they feel may not be up to standard. This serves two purposes: it flushes out weaknesses that you can tighten up on, and it demonstrates to the auditors that you have an open organization that identifies and deals with information security issues. Any attempt to suggest that everything throughout the organization is perfect will, on the other hand, provoke incredulity amongst the auditors; they have learned, through long experience, that not only is everything never perfect but that every attempt to pretend to perfection hides a myriad of previously undetected imperfections. Do not encourage them to start hunting these imperfections down.
Teach those staff who are likely to be interviewed by auditors to show the auditor how the system that is being examined actually works and to restrict everything they say to answering the specific question actually asked by the auditor, rather than moving on to explain anything else that is not specifically and tightly on the subject of the question. This will demonstrate to the auditor that your people are tightly focused, and will also avoid the danger of someone talking so much that they lead the auditor to examine an aspect of your ISMS that doesn’t need external examination.
Critically, ensure that management are fully involved in the certification audit. If necessary, rehearse with senior management the type of questions they will be asked and the types of answers they will be expected to give. While senior management should be perfectly capable of handling the audit (as they will have been involved in and fully committed to the ISMS project from the outset) they may not be fully aware of how best to demonstrate this commitment to an external auditor. Done well, senior management’s performance on the day can make a substantial contribution to certification success.
Be prepared to argue, constructively and calmly. If there are issues on which you feel that an auditor has misunderstood your ISMS or some aspect of it, or has misinterpreted the standard, and is, as a result, considering recording a non-conformity (either major or minor), you should set out, calmly and firmly, why you believe that you are in the right. Auditors will respond negatively to any attempt to browbeat or belittle them; they will (usually) respond positively to any constructive attempt to help them achieve a better outcome. And the greater their conviction that you’re committed to the long-term effectiveness of your ISMS, the more prepared they will be to give you the benefit of any doubt on any marginal decisions.
Remember that, in a horse race, the difference between the horse that comes first and the one that comes second doesn’t need to be more than a nose, but the difference in prize money is substantial. In any certification project, it’s always worth ensuring that you do everything as well as possible, because every little bit contributes to a successful outcome.