ISO 27701 Certification - Privacy Information Management Systems (PIMS)

What is an ISO certification audit and how does it work?

An ISO Certification Audit is the official Audit performed by a ISO Certification Body or Registrar that determines if an organization has met the ISO Standard’s Generic Requirements they intend to certify to (Example:  ISO 27001, ISO 22301, ISO 9001, ISO 42001, etc).  Upon successful completion, an organization will receive a ISO Certificate from the Certification Body or Registrar with their name, date of certification and “scope of registration” (what was audited).

What is the difference between an internal audit and a certification audit?

ISO 19011 – “Under ISO 19011, known as the guidelines for auditing management systems” an audit is defined as a systematic, independent and documented process for obtaining audit evidence and evaluating it objectively to determine the extent to which the audit criteria are fulfilled. There are three different types of audits for organizations:

·       1st Party – an organization auditing its own ISO 27001 ISMS (Internal Audit)

·       2nd Party – an organization auditing a supplier (External Audit)

·       3rd Party – an organization being audited by a ISO Certification Body or Registrar (External Audit).  Also known as an ISO Certification Audit.

How should a business prepare for an ISO certification audit?

By following the “auditable” generic requirements of all ISO Standards which are found in clauses 4-10 in each specific ISO Standard.

The ISO Clauses 4 through 10, across various standards like ISO 9001 and ISO 27001, generally cover the following key areas: Context of the Organization, Leadership, Planning, Support, Operation, Performance Evaluation, and Improvement. These clauses outline the core requirements for establishing, implementing, maintaining, and continually improving a management system.

Here’s a more detailed breakdown:

Clause 4: Context of the Organization

This clause focuses on understanding the organization’s internal and external issues, the needs and expectations of interested parties, and defining the scope of the management system.

Clause 5: Leadership:

This clause emphasizes the role of top management in demonstrating leadership and commitment to the management system. It includes defining the quality policy, assigning responsibilities, and ensuring the system’s effectiveness.

Clause 6: Planning:

This clause addresses planning for the management system, including identifying risks and opportunities, setting objectives, and determining the resources needed for implementation.

Clause 7: Support:

This clause covers the resources, competence, awareness, communication, and documented information required for the management system’s effective operation.

Clause 8: Operation:

This clause focuses on the operational aspects of the management system, including planning and control of operations, requirements for products and services, design and development, control of external providers, and production and service provision.

Clause 9: Performance Evaluation:

This clause deals with monitoring, measurement, analysis, and evaluation of the management system’s performance. It includes internal audits and management reviews.

Clause 10: Improvement:

This clause focuses on continuous improvement of the management system, including addressing nonconformities, taking corrective actions, and implementing improvements

How often do ISO certification audits need to be performed?

At least once annually.  All ISO Certification Audits follow a 3 year cycle including:

• 1st year is a full Stage 1 and Stage 2 certification audit
• 2nd year a Survelliance Audit (partial audit of the system)
• 3rd year is a  year is a Survelliance Audit (partial audit of the system)
• 3 Year cycle starts over on Year #4

Can an ISO auditor also issue the ISO certificate?

No, only an accredited ISO Certification Body or Registrar can issue ISO Certificates.  The auditor only recommends the organization for certification if it finds the organization has “conformed” to all the generic requirements of the ISO Standard they are certifying to.  That mean they have “no major non-conformities” to those generic requirements.

Are ISO training certifications internationally recognized?

Yes, ISO Standard are short for International Organization for Standardization (ISO).  Yes, the acronym is not in chronological order.  Here is the ISO Website that explains that.  www.ISO.org   You can reference www.ISO.org as the originator of the ISO Standards in every blog  …because it is not a competitor of ours or anyones.  It creates the standards.

ISO (International Organization for Standardization) is an independent, non-governmental organization that develops standards to ensure the quality, safety and efficiency of products, services and systems.

This statement is in the intro to all ISO Standards:  

“The requirements set out in this International Standard are generic and are intended to be applicable to all organizations, regardless of type, size or nature.”