Search in ISMS Guides


Tuesday, September 25, 2007

What is a CB Audit, and why should I undergo one?

Auditing by a third party (an Accredited CB) is an assurance of an acceptable and risk based level of information security being implemented that is regularly reviewed.
There are a number of reasons to obtain certification, these include:
- Organizational assurance;
- Service provider assurance;
- Business trading partner assurance;
- Demonstrable and effective way of showing appropriate information security in place;
- Competitive advantage;
- Reduce trade barriers – international acceptance;
-Reduce costs of regulation, corporate governance etc.

So who can do this Certification?

The only body who can carry out this certification is a CB that has been Accredited by the ‘national accreditation service’ (in the UK this is the United Kingdom Accreditation Service – UKAS).

This ensures that CBs meet national and international standards for services they are offering. This is typically EA-7/03, which is the ‘Guidelines for Accreditation of Bodies Operating Certification / Registration of Information Security Management Systems’. EA-7/03 can be found at

This harmonises use of Guide 62 for ISMS’s and was approved by Europeans Co-operation for Accreditation (EA) in Nov 1999.

Guide 62 is the ‘General requirements for bodies operating assessment and certification / registration of quality systems’.
A CB uses auditors who are totally independent of the organization being audited.
The CB is regularly audited by the National Accreditation Service to ensure that the CB processes are appropriate and correct. This means that all work is to the standard required by EA-7/03 and allows’ mutual recognition’ between the National Accreditation Services.

So am I certified against BS 7799 Part 2 (2002) or ISO 17799 (2000)

Certification is carried out against (currently) BS 7799 Part 2 (2002). This contains the requirements for the ISMS in terms of the PDCA (Plan, Do, Check, Act or Deming Cycle) and the old Annex A (Updated) from BS 7799 Part 1 (1995).

BS 7799 Part 2 (2002) is a Specification.

ISO 17799 is a Code of Practice.

Back To : How does the BS7799 / ISO 27001 certification audit process actually work?
Source :

No comments: