cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Lwhite
Newcomer III

ISO 27001 advice

Does anyone have any best practices or recommendations when selecting a 3rd party auditor when undergoing a new ISO 27001 certification?
Specifically does it matter which paper it's on, the 3rd party auditor's or another entity?
Already sent an RFP, and have 2 selected, but wanted some additional insight.
Thank you.

4 Replies
Steve-Wilme
Advocate II

It depends where you are in the world to some degree.  In the UK we always look for a auditors who are UKAS accredited, as it says that the are working to proper standards for their audits. 

 

We have found in our supply chain that some suppliers have used 'audit' firms that have also supplied a pre-written ISMS to the company.  It's a basic rule of auditing is that you can't audit your own work.   We've also found that such companies often won't supply an SoA for their ISMS so the certificate itself is ambiguous.  In that context we audit them ourselves and if they fail to co-operate we recommend termination. 

-----------------------------------------------------------
Steve Wilme CISSP-ISSAP, ISSMP MCIIS
AppDefects
Community Champion


@Lwhite wrote:

Does anyone have any best practices or recommendations when selecting a 3rd party auditor when undergoing a new ISO 27001 certification?
Specifically does it matter which paper it's on, the 3rd party auditor's or another entity?
Already sent an RFP, and have 2 selected, but wanted some additional insight.
Thank you.


This is difficult to answer without naming certifiers. Usually, you'll find a lot of similarity in their pricing or at least you should because they all use the same spreadsheet calculator.Then you need to cut through the fluffy proposals and determine what they can really do. Often it is looking for matching personalities and capabilities that you can work with. A vendor must be accredited. They must have competent staff that is available to work the project in your timeline without a premium. I tend to go with the ones that offer a more of a "boutique" experience i.e., they work with you on creating the supporting documentation and implementation of the ISMS as well as help you all the way through the process. I like a vendor that thinks in terms of building automation into an ISMS for risk management ticketing, but not many can offer that level of development as a service. A vendor also needs to think big picture for your organization and not necessarily think of how they can increase their fees with certificate amendments in the years to come.

 

IMHO the pedigree of the certifier matters. Their clients are a reflection of that - ask them who they have certified, check their certificate registry, dig into the certificates that are published and ask yourself if they have presented convincing statements on certificate scope. Lastly, I'm simply not comfortable saying abc acme did our certification if no one in the world knows who they are. Brand names matter otherwise you will have to educate your certificate consumers or executive board members on who they are and why you made that seemingly crazy decision when spending their money - the choice becomes a reflection of you. Familiarity breeds trust.

SFH
Viewer

I would also consider it best practice to change your auditors every few years to remove the element of 'familiarity breeds contempt'

 

In other words a fresh set of eyes assessing your ISMS and SOA and asking different questions of you, in my experience, is very beneficial because it makes you think about everything with a fresh perspective.

AppDefects
Community Champion


@SFH wrote:

 

In other words a fresh set of eyes assessing your ISMS and SOA and asking different questions of you, in my experience, is very beneficial because it makes you think about everything with a fresh perspective.


That's great advice to complement your surveillance audits and help you innovate along the way. I say that because it is not easy to change unless the process is broken. Few firms "transfer" their certificates and move onto new certifiers, but it can be done if you really want to put the effort and dollars into it.