ABSTRACT

Having set up an information security management system (ISMS) based on the International Organization for Standardization (ISO) standards, an organization is able to manage business risk with repeatable processes built on standards-based policies, procedures, tools, and templates. Business benefits of this approach include reusing the initial investment in procedures, tools, and templates across many parts of the organization. Centralized creation and management of these artifacts supports organizational learning, in which lessons learned by one unit lead to better practices for all. Moreover, standards-based traceability matrices that align security initiatives with business drivers make it possible to demonstrate the business value of information security. With this foundation of sound security management practice in place, many organizations want to take the next step: an independent audit of their ISMS and certification that it meets the requirements of ISO 27001. This chapter presents the details of preparing for and obtaining ISO 27001 certification.