Surveillance visits vs. certification audits

By Dejan Kosutic on November 05, 2012

Surveillance visits are very often quite different from (initial) certification audits, so in this post I’ll explain why this is so and what the differences are.

It bears mention here that everything I'll be talking about in this post applies not only to certification audits for ISO 27001 and ISO 22301, but also to all other certifiable management standards, such as ISO 9001, ISO 14001, ISO 20000, etc.

The certification audit and its limitations

During the first (initial) certification audit the certification auditor will check whether all the main elements of the management system are in place: all the documentation, all the required records, all the processes, etc. The auditor will also check whether the main processes are working as they are described in the documentation, but such a check will be limited because at that point in time the management system will have been in place for only a few months, or even only a few weeks. (To read more about the certification process, read this blog post: How to get certified against ISO 27001?)

On the other hand, the certificate is issued for a period of three years. So, for instance, if the initial certification audit was performed in November 2012, the certificate will be valid until November 2015. Since the certification body guarantees that the management system will be in place throughout the validity of the certificate, the only way for the certification body to check whether it really works is to send the certification auditor periodically to see how things are going. These are called surveillance visits; they have to be performed at least once a year, or in some cases twice a year.

In cases where they are performed once a year, and using the previous example of a certification audit in November 2012, the first surveillance visit would be in November 2013, and the second (and last) surveillance visit in November 2014. After this, in November 2015, the certificate would expire and a company could go for the recertification audit.

The purpose of surveillance visits

So the main purpose of the surveillance visits is for the certification body to find out whether your management system really works in everyday operations or not. They will focus on things that the certification audit wasn't able to check: for instance, whether all the incidents are recorded, whether all the measurements are made, whether all corrective and preventive actions are properly recorded and implemented, whether top management really supports and cares about the system, etc.

A surveillance visit will also focus on issues that were identified as weak in the certification audit or in a previous surveillance visit: minor nonconformities, as well as areas where the auditor made observations.

The point is that during the surveillance visit the certification auditor will pay far less attention to the documents themselves, and far more attention to how the key processes are performed, how they are measured, and how they are improved; in other words, whether your system really works.

So don't relax after your certification audit is over: the certification body is highly interested in finding out whether your management system is really functioning, and this is exactly what the surveillance visits will focus on. It is also one more reason why you shouldn't implement the standard only for the purpose of certification; the idea should be that the procedures and policies are really used in everyday operations.

Comments

ISO 27001 Certification (http://www.iso27001-certification.com/):

By achieving certification to ISO 27001 your organisation will be able to reap numerous benefits, such as:

- Keeps confidential information secure
- Provides customers and stakeholders with confidence in how you manage risk
- Allows for secure exchange of information
- Allows you to ensure you are meeting your legal obligations
- Helps you to comply with other regulations (e.g. SOX)
- Provides you with a competitive advantage
- Enhances customer satisfaction, which improves client retention
- Ensures consistency in the delivery of your service or product
- Manages and minimises risk exposure
- Builds a culture of security
- Protects the company, assets, shareholders and directors