All organizations today have to respond to a rapidly changing and increasingly threatening range of information security risks – risks which, if unmitigated, can lead to severe financial, regulatory and reputational damage. Information security investment and control decisions should be driven by the outcome of a risk assessment process that identifies risks to specific information assets. We provide clear, practical and comprehensive inspection and auditing services for developing a risk management methodology that meets the requirements of ISO 27001, the information security management standard that helps organizations achieve their corporate risk management objectives.
- Improves credibility and enhances customers’ confidence
- Reduces the need for multiple assessments
- Provides the opportunity for continuous improvement through regular audits
- Provides more avenues for trade in the global market
- It assures customers that the company has a good Information Security Management System.
- Many organizations require their suppliers to hold ISO 27001 certification.
- It demonstrates commitment to the confidentiality, integrity and availability of customer data.
- It leads companies to better operations, improved performance and improved profitability.
- An ISO 27001 certificate enhances the company’s image in the eyes of customers, employees and shareholders alike.
- It also gives a competitive edge to an organization’s marketing.
1. Management responsibility – management must demonstrate their commitment to the ISMS, principally by allocating adequate resources to implement and operate it.
2. Develop policies, processes and related process assets to plan and implement information security controls.
3. Plan and perform internal ISMS audits and management reviews – the organization must conduct periodic internal audits and management reviews to ensure the ISMS incorporates adequate controls that operate effectively.
4. ISMS improvements – the organization must continually improve the ISMS by assessing and where necessary making changes to ensure its suitability and effectiveness, addressing nonconformance (noncompliance) and where possible preventing recurrent issues.
A client interested in obtaining a certificate of registration under the QMS scheme from CQAL shall have established a documented quality system in accordance with the requirements of the current version of the ISO 27000 standard and the applicable product standards.
CQAL Certification Services reviews the submitted documentation against the requirements of the ISO 27000 standard and prepares a report detailing its findings. Any deficiencies will have to be corrected prior to assessment, since this documentation forms part of the assessment criteria.
Stage 1 assessment shall include:
- Review of the quality manual, procedures and supporting documentation
- Evaluation of the client’s location
- Assessment of preparedness for the stage 2 audit
- Collection of information regarding the scope of the management system, statutory and regulatory aspects, legal aspects and risks, processes and locations
- Preparation of an audit plan for the stage 2 audit
- Evaluation of the internal audits and management review performed by the customer
Stage 2 assessment is an on-site assessment which includes:
- Evaluation of the implementation, including effectiveness of the client’s management system
- Evidence of conformity to all requirements of the applicable standard or scheme
- Performance monitoring and reviewing against key performance objectives and targets
- Conformance to regulatory and legal aspects relevant to the standard
- Operational control of the client’s processes
- Internal auditing, management review and management responsibility, competence of personnel, performance data, audit findings and conclusions
- Links between the normative requirements, policy, performance objectives and targets
CQAL Certification Services will issue a certificate of registration to the applicant once the corrective actions have been accepted. The certificate is valid for three years from the date of issue, subject to satisfactory findings during surveillance audits.
Certified clients commit, by signing the certification agreement, to comply with the certification body’s requirements.
The organization may choose one of two surveillance methods:
- Annual surveillance method – one surveillance audit per year, with recertification every third year
- Semi-annual surveillance method – two surveillance audits per year, with recertification every third year
Surveillance audits shall be conducted at least once a year. The date of the first surveillance audit shall be not more than 12 months from the last day of stage 2 audit.
The following clauses shall be checked in each surveillance audit cycle:
- Implementation of the corrective actions required by the previous audit
- Review of changes in the organization
- Management reviews
- Internal system audits
- Customer complaints
- Corrective and preventive actions
- Scopes/activities that have changed since the last audit
- Customer complaints & appeals received in the Division concerning the organization
- Use of marks (certification logos)
The client’s quality system is re-assessed for renewal of the certificate. All actions related to renewal (including completion of corrective actions) shall be completed before the certificate expires, to ensure continuity of certification.
Are we ready for certification audit? What is the cost of an audit to ISO 27001:2022? When can we get audited? Please Contact us for more information!