The following certification activities are performed as part of the ISO 27001 Information Security Management System (ISMS) certification. 

Pre-Audit Readiness Assessment

BPM performs an optional ISO Readiness Assessment of the ISMS that includes reviewing the policies and procedures, including information system processes, to assess potential gaps in the client’s ISMS. The assessment informs clients of necessary remediation to be performed so that clients are prepared for undergoing an initial ISO 27001 audit.

Certification Audit

The initial certification is conducted to evaluate the client’s ISMS documentation and its implementation, including its monitoring. The audit is conducted in two stages, as follows:

Stage 1 Audit

The first stage includes an audit of the ISMS documentation, which will be the foundational information referenced during Stage 2 of the audit, as well as an evaluation of the client’s location(s). The client’s understanding of the standard, including the scope of the audit and resources, is also evaluated during this stage.

Stage 2 Audit

The second stage of the initial certification involves detailed testing to determine if the client has effectively implemented and is consistently monitoring its ISMS in accordance with ISO 27001. This stage is performed onsite at the client’s location(s).

Certification Decision Process

The BPM Certification Body Management Team reviews the results of the Stage 1 and Stage 2 testing, the evidence provided, and corrective actions of any identified nonconformities in order to determine the certification decision.  If the client’s ISMS is approved for certification, BPM will issue an initial ISO 27001 certificate, which is valid for three years from the issuance date subject to the success of the annual surveillance audit.

Surveillance Audit

Surveillance audits are performed onsite at the client's location(s). These audits are required to ensure that the client continues to conform to the requirements of the standards to which the initial certification is granted. Surveillance audits are performed at least once a year.

ISO 27001