
Advice/opinion appreciated.

  1. Ultimately, our company would like to achieve ISO27001:2013 certification, but that is some way off. In the interim, we want to be able to get to the point whereby we can "attest" to compliance (similar to the PCI DSS AOC). Is there such a mechanism for ISO27001:2013? Is it possible to get a 3rd party auditor to confirm "progress towards compliance" or will a 3rd party only ever certify based on an audit establishing full compliance?

  2. Our company is effectively split into 2 business units within the same corporate structure. We anticipate that scope for compliance would exist almost entirely within one of those units. If we presented that scope to a 3rd party auditor, but the auditor felt that the scope wasn't wide enough to fully address information security risk within the company, would the auditor be likely to agree to certification?

    In other words, will a 3rd party auditor only ever certify at corporate level, or are they amenable to certify particular functions within a corporate structure?

2 Answers

  1. Certification by accreditation bodies only occurs if you are indeed compliant within the scope you have set for your company. You can request ISO27001 auditors to perform a gap assessment and a current-state assessment, and they can give low- or high-level recommendations to improve your ISMS or assist with implementation. Note that depending on the amount of advice given to you, they may no longer be allowed to perform the audit (you aren't allowed to audit your own work).
  2. Your certificate states what you are complying with and what the scope of your certification is. Therefore you can't state to your clients that you are compliant with ISO27001 for your whole company; you are only compliant for that particular business unit within your organization.

They can certify certain parts of your company depending on your scope. Let's say, for instance, you only want to certify your datacenters: you can, but this will also be clearly stated on your certificate.

Lucas Kauffman
  • Thx. If my company were to set out a particular scope, which was general in nature, would an accreditation body take a view on what systems should be included in that scope? For instance, if we said our scope was "data processing function", which in our case is cloud based, which would exclude desktops used by data entry operators to control data flow (but which do not actually process data), could an auditor refuse to certify on the basis that they did not believe that enough systems were being included in the scope? – Garreth McDaid Jan 28 '16 at 11:57
  • To be fair, that's entirely up to the auditor – Lucas Kauffman Jan 28 '16 at 13:49
  • But know that it doesn't make sense to get all the documents and controls in place for a very very small scope. It would cost you a lot of extra time and effort to expand your ISMS. – Lucas Kauffman Jan 28 '16 at 14:03
  1. Yes, it's possible. For example, I have several clients that used an assurance report such as an ISAE 3000 to get some assurance over their alignment with the ISO 27001 standard. But note that this is not a certification.

  2. The scope will be among the first things your auditor will look at. If they think the scope is not adequate, they will report it to you immediately, and you will probably work out how to address the issue together.

In other words, will a 3rd party auditor only ever certify at corporate level, or are they amenable to certify particular functions within a corporate structure

An auditor can certify a particular function, business unit or business process. It really depends on your company, your risk profile, etc.

In any case, my advice to you would be to have that discussion with your auditors right now to ensure you're on the right track.

ack__