Tuesday, September 25, 2007

The CB Audit process

In order to become a certified organization, you need to start off correctly at the beginning and determine which CB (Certification Body) you are going to engage to provide BS 7799 Certification services.
If you already hold any other certifications in the organization, it makes sense to use the same CB for BS 7799 (assuming that they are Accredited to provide BS 7799 Certification services). This is called integrated auditing, and it reduces the number of days the CB spends on site because the same auditor audits more than one standard in a single visit.
In my case, I have the same auditor do ISO 9001 and BS 7799, as he is dual qualified, and it saves me at least an audit day per year. Additionally, I have only one visit, so my routine is not disturbed twice.
If you have no existing certificates, then make a list of all of the CBs that are available, ring each of them to get some idea of costs and services, and then ask them to send you the relevant forms to fill in.
The actual Certification process is a six step one:

*** Note: Not all CBs follow this process exactly – when investigating them, determine the discrepancies from this generic approach and ensure that you are happy with them.

Step 1 - Questionnaire
Typically, each of the chosen CBs will send out a questionnaire for you to fill in. The certification process starts when you complete the questionnaire, giving details of your requirements. This provides the CB with the information it needs to send you a quotation.

Step 2 - Application for Assessment
If you decide to proceed with certification with the chosen CB, then you fill in an application form and return it to the CB. On receipt, an initial visit by a BS 7799 Auditor is arranged.

An initial visit allows you to meet the Auditor who will assess the ISMS for BS 7799 certification. The Auditor will explain the assessment process and carry out a review of the existing documented management system. An assessment date and an audit programme will be agreed.

Step 3 - Stage 0 Audit (also called a ‘Pre-assessment Visit’ or a ‘Gap Analysis’)
This is an optional stage, but if you can afford it, I always recommend it.
You should do this after you have implemented the Information Security Management System (ISMS) and developed the Statement of Applicability (SoA), when you may already have some controls in place and documented and some records available.
If you are doing this in house, it is a way of demonstrating to your management that you are on track and doing the job correctly, so that management can have confidence in the work.
It can also show management where they are failing, as non-conformances are written up as part of the audit.
Typical management failures that I see at this stage are usually lack of management commitment (5.1), inadequate resource management (5.2) or any other management type failure.
If you are using consultants, more or less the same applies, and passing this audit can be a useful pay point in their remuneration cycle, or it can indicate the need to get a different consultancy!
Whilst this audit cannot be relied on to support a Stage 1 or 2 CB Audit, it would be difficult for an Auditor to later find major non-conformances in the ISMS unless something dramatic had occurred in the organization to warrant this.

This step provides a sanity check.

Step 4 – the Stage 1 Audit (otherwise called a ‘Document Review’)
This is the first part of the audit proper.

This stage checks whether the SoA has been implemented: that controls have been selected and that all the policies and procedures surrounding their use are documented. The auditor will also look for evidence that records are being collected for the implemented controls, though the full audit of this takes place in the Stage 2 Audit. At this time the auditor will also plan the Stage 2 Audit.

Typically, the auditor reviews the documented ISMS, looking at:
- Policy
- Scope
- Asset Registers
- Roles and Responsibilities
- Risk process/treatment and acceptance
- SoA
- Documented processes and procedures supporting the ISMS
- Compliance, contractual and other regulatory issues.
If there are any audit failures, i.e. non-conformances, then they will be written up on a Corrective Action Plan (CAP). It is then up to you, the client, to document how you are going to address them and return the plan to the CB for agreement.

Typically, you have 20 days to respond to the raising of a CAP, and once agreed, 3 months to address issues raised on a CAP.

Failure either to respond or to carry out the agreed work within the time limit can prejudice the granting (or retaining) of a certificate. When the next audit occurs, the CAPs are the first items reviewed, to ensure that they have been suitably addressed.

Step 5 - Stage 2 Audit (otherwise called the ‘Compliance Audit’)
During the Stage 2 Audit, an objective assessment of the organizational procedures and practice will be carried out against the documented ISMS (reviewed in the Stage 1 Audit).

The Auditor will be looking for records (i.e. proof) that the ISMS is operated as the documented ISMS says it should be.

On completion of the assessment the Auditor will present the findings of the assessment in a written report to you and CAPs will be raised if appropriate.

Following a successful Stage 2 Audit and the decision to grant registration, a certificate of registration is awarded and the organization is permitted to use the CB Certification Mark and the relevant BS 7799 certification mark.

Step 6 – Ongoing audits
A programme of regular surveillance visits is agreed with you to verify that the requirements of the BS 7799 standard continue to be met, and again CAPs will be raised if appropriate.

There are two types of ongoing audit; each is covered in turn below:

Surveillance Audit

A programme of ‘surveillance audits’ is undertaken over a three year cycle to ensure that the ISMS is working properly. This is performed in addition to the internal audits and the ongoing monitoring and management that you perform internally (4.2, 4.2.4, 6.2, 6.3, 6.4, 7.2, 7.3, A.4.1.7, A.12.2.1, A.12.2.2, to name just some of the requirements you must meet on an ongoing basis).

The actual frequency of these will vary with the CB, but typically the following will occur:

- Surveillance audits are carried out regularly (annually, every 9 months or every 6 months);
- The first one is usually 3 months after the Stage 2 Audit, to check for any CAPs outstanding since that audit;
- At every audit, any outstanding CAPs are audited for completeness;
- All mandatory requirements are audited;
- A representative sample of all other controls is audited (so that every control in the ISMS is reviewed over the surveillance cycle).

Triennial Audits

The Triennial audit, as the name suggests, is carried out every three years.
This audit is similar to the original Stage 2 or Certification Audit, but it should take less time, as the CB Auditor now knows your systems, unless a scope or other change has occurred.
All controls are evaluated to ensure that the ISMS is operating properly and, assuming it is, your certificate is renewed for another 3 years.
If not, CAPs are raised and you have to address them.

The three year surveillance audit process starts all over again.
