
Key Questions to Ask When Choosing an ISO 27001 Certification Body

2 September 2024 · 4 min read

Embarking on the journey to ISO 27001 certification is a significant step in fortifying your organisation’s information security management system (ISMS). Selecting the right Certification Body (CB) to partner with is crucial, as it can impact not just the certification outcome but also how smoothly the process goes. Here’s a list of essential questions to ask potential ISO 27001 Certification Bodies to ensure you make an informed decision.

Who is your Accreditation Body?

Understanding who accredits your potential Certification Body is vital. Accreditation Bodies ensure that the CB meets stringent standards and operates with integrity. Make sure the Accreditation Body is recognised internationally to guarantee the certification’s credibility.

For a company like mine, what Annex A controls do you think may be out of scope or not applicable?

Annex A of ISO 27001 outlines 114 controls that may be applicable to your ISMS. However, depending on your organisation’s specific context, some controls might be out of scope or not applicable. Asking this question helps you understand the CB’s approach to tailoring the certification process to your business needs.

What other items will I need to complete besides my Drata dashboard to be audit-ready?

While platforms like Drata streamline compliance and audit preparation, they might not cover everything. The CB can provide insight into additional documentation, policies, or processes that need to be in place to meet ISO 27001 requirements fully.

What percentage of controls will you be able to confirm through Drata, and how much evidence will I need to manually gather?

It’s essential to clarify how much of the audit process can be automated through compliance platforms and what will require manual input. This will help you allocate resources and manage expectations effectively.

From planning to report and certificate delivery, what is the high-level audit process, and how long does it typically take to complete?

Understanding the timeline and the steps involved in the audit process is crucial for planning. The CB should provide a clear roadmap from the initial planning stages to the final certification, including how long each phase typically takes.

How much communication should I expect during the audit process?

Consistent and clear communication is key during the audit. Knowing how frequently and through which channels the CB will communicate can help avoid misunderstandings and ensure a smooth process.

How will I know if you identify a Non-Conformity? Will we have an opportunity to discuss results before the final report and certificate are issued?

Non-Conformities (NCs) can arise during an audit, and how they are handled is critical. Ask the CB about their process for identifying, communicating, and resolving NCs, and whether you will have the chance to address any issues before the final report.

What is the typical period between the stage 1 and stage 2 audits?

ISO 27001 certification typically involves two stages: a preliminary review (stage 1) and a more detailed audit (stage 2). Knowing the typical timeframe between these stages helps in planning and ensuring continuous compliance.

Will you need to come onsite for our audit?

Remote audits have become more common, but certain situations may still require onsite visits. Clarify if the CB anticipates needing to visit your physical locations and under what circumstances.

Will you need to audit all locations where we have an office?

For organisations with multiple offices, it’s important to know if the CB will need to audit each location. This impacts both the scope of the audit and logistical planning.

How would you audit our tech stack?

Every organisation’s tech stack is different, and this can influence the audit approach. Whether you use AWS, Kubernetes, or another platform, ask the CB for specific details on how they would audit your particular setup. This ensures they have the expertise to understand and assess your environment effectively.

Choosing the right ISO 27001 Certification Body involves more than just ticking boxes. It requires a partnership with a CB that understands your business, your industry, and your unique challenges. By asking these key questions, you’ll be better equipped to find a CB that helps you achieve certification and adds value to your information security management processes.
