ISO Certification Process

ISO 27001 helps companies comply with business, legal, contractual and regulatory requirements. Our experienced team will guide you through the process.

Your Certification Journey

 As a certification body accredited by ANSI-ASQ National Accreditation Board (ANAB), Frank, Rimerman Information Security can assess and certify an organization’s compliance with ISO/IEC standards. The journey to certification includes the following key steps: 

  1. Assessment: We assess the organization’s information security management systems (ISMS) to ensure they comply with ISO/IEC 27001 requirements.
  2. Certification: If the ISMS meets the standard’s requirements, we issue the certification.
  3. Annual Surveillance Audits: We conduct yearly audits to confirm the organization continues to maintain compliance.
  4. Recertification: Prior to the certificate’s expiration, we perform a recertification audit to verify the ISMS still meets ISO/IEC 27001 standards.

The Process

The following certification activities are performed as part of the ISO 27001 Information Security Management System (ISMS) certification.

  • Readiness Assessment

    Frank, Rimerman Information Security can perform an optional ISO Readiness Assessment of the ISMS that includes reviewing the policies and procedures, including information system processes, to identify potential gaps in the client’s ISMS. The assessment informs an organization of necessary remediation to be better prepared for the initial ISO 27001 certification audit.

  • Certification Audit

    The initial certification is conducted to evaluate the organization’s ISMS documentation, implementation and monitoring. The initial audit is conducted in two stages, as follows:

    • Stage 1 Audit
      The first stage is composed of several components. First, it includes an audit of ISMS documentation that is the foundational information referenced during the Stage 2 audit. Second, it confirms the ISMS scope including the personnel, services, products, processes and sites. Third, the auditor verifies the organization has completed an internal audit including management’s review of the findings. Finally, the organization’s understanding of the standard is also evaluated during this stage.
    • Stage 2 Audit
      The second stage of the initial certification involves a detailed examination of the ISMS controls as noted in Annex A of the standards to determine if the organization has effectively implemented and is consistently monitoring its ISMS in accordance with ISO 27001. This stage is performed remotely or onsite with the organization’s process owners at its various locations as detailed in the agreed-upon audit plan.
  • Certification Decision Process

    The Frank, Rimerman Certification Body management team reviews the results of the Stage 1 and Stage 2 assessments, the evidence provided, and the corrections and corrective actions for any identified nonconformities, and then makes the certification decision.

    If the organization’s ISMS is approved for certification, Frank, Rimerman Information Security will issue an ISO 27001 certificate, which is valid for three years from the issuance date subject to the successful annual surveillance audits. Details of the certification may be made publicly available.

  • Surveillance Audit

    Information security management does not stop at certification. Surveillance audits are performed onsite at the organization’s location(s). These audits are required to verify that the organization continues to conform to the requirements of the standards and to confirm the initial scope remains valid. Surveillance audits are completed annually before the certification anniversary.

  • Recertification Audit

    You’ll be required to recertify your ISMS before certification expiration (every 3 years). The goal of recertification is to assess that the ISMS has been effectively maintained, that any changes have been properly implemented into the ISMS, and that identified nonconformities and opportunities for improvement are being handled appropriately. The recertification will evaluate the entirety of your ISMS, which includes ISMS Clauses 4-10 and each applicable Annex A control.

    Any noted nonconformities during this process will require corrective action plans and evidence of correction and remediation based on their classification as major or minor. Reissuance of the organization’s ISO 27001 certificate is dependent on the correction and remediation of major nonconformities and the correction of minor nonconformities.

    Recertification audits will need to take place every 3 years for as long as an organization wants to maintain its ISO 27001 certification.

  • Transfer Your Certification

    Get global recognition with the FRIS Certification Mark and discover how our experience and reputation deliver real value to your business.

    We focus on continual improvement, as well as maintaining your system – showing you how to grow and develop your business. Plus, transferring from another certification body is easy.

  • Scope Change

    ISO/IEC 27001 can grow and evolve with your business, making sure your information stays secure no matter how much it changes and as new security threats emerge.

    Any changes required to the organization’s scope of certification can be processed in conjunction with the ongoing audit program. If your organization wishes to change or add to the systems against which it already holds certification, or wishes to add more sites into the scope of certification, the scope can be changed with the assigned project manager or by contacting Nelly Spieler at Frank, Rimerman Information Services.

  • Special Audits

    It may be necessary to audit certified clients on short notice or without prior announcement, whether to address complaints, respond to changes, or follow up on suspended clients. In such instances, FRIS will communicate to the client in advance the conditions under which these audits will occur. These conditions may include a detailed description of the unplanned audit, the normative requirements for certification, documents outlining the rights and obligations of certified clients (including requirements for referencing certification in communication), client obligations to comply with certification requirements, and the necessity for clients to make all necessary arrangements for audit conduct, including accommodating observers such as accreditation assessors or trainee auditors, where applicable.

  • Suspension, Refusal, Withdrawal, and Restoration of Certification

    Frank, Rimerman Information Security reserves the right to suspend or withdraw certification, or to reduce its scope, based on surveillance audit findings or other pertinent circumstances. Certification may be denied if the organization fails to comply with applicable requirements, including our terms and agreements. The circumstances under which a client’s certification may be suspended or withdrawn include but are not limited to:

    1. The client’s certified management system has persistently or seriously failed to meet certification requirements
    2. The certified client does not allow surveillance or recertification audits to be conducted at the required frequencies, or prior to the expiry of their certification
    3. The certified client goes into receivership, liquidation, becomes the subject of bankruptcy laws, is convicted of breaking the law of the land, or acts in a disreputable manner
    4. Non-payment of fees
    5. The client has voluntarily requested a suspension

    Refusal to grant, continue, or renew certification may be for a number of reasons. These reasons shall be clearly and fully explained by FRIS to the client in writing by email. The client will be given the opportunity to respond.

    The decision to withdraw certification will be taken by the certification body in conjunction with FRIS management if required, and a record will be kept. Upon notice of withdrawal, the client will be directed to discontinue its use of all advertising matter that contains any reference to certified status, discontinue the use of marks, and where applicable the use of the certification number. In the event that the client fails to meet such obligations, FRIS will use other measures as appropriate.

    Restoration of a suspended certificate can take place after all issues have been resolved and verification of such resolution (audit, testing, or other methods) has been undertaken within 6 months from the original suspension. Where the scope of certification has been reduced instead of complete suspension of a certificate, the scope reduction can be restored following issue resolution and, where appropriate, an audit, testing, or other method of evaluation has taken place to confirm and verify resolution. In all cases, a certification decision will be recorded.

    If the client is unhappy with the decision and/or the explanations given, the complaints or appeals process should be followed.

  • Appeals

    Frank, Rimerman Information Security clients may contest an application, certification, or other decision taken by the Firm. The appeal must be submitted by requesting and completing an Appeals document which will be provided by Frank, Rimerman via email. The Firm will acknowledge receipt of the appeal and notify the client of the status of the appeal. Firm personnel involved in the certification activity will not be involved in the matter of the appeal. Frank, Rimerman Information Security will ensure the investigation, and decision on an appeal submitted does not result in any discriminatory action taken against the client.

    Frank, Rimerman Information Security will give formal notice to the appellant at the end of the process.

    To file a confidential appeal, please send an email to [email protected] with “ISO Appeal” in the subject line.

  • Complaints

    Frank, Rimerman Information Security shall acknowledge the receipt of a complaint and will provide the client with progress on its resolution. The decision, formally communicated at the end of the complaint-handling process, will be communicated by individuals not previously involved in the subject of the complaint. Prior to disclosing any complaints against Frank, Rimerman Information Security or its clients, both parties will collectively discuss such matters unless disclosure is required by law.

    To file a confidential complaint, please email [email protected] with “ISO Complaint” in the subject line.

  • Use of Frank, Rimerman Information Security Certification Mark

    Use of the Frank, Rimerman Information Security Certification Mark is restricted. The mark may not be used in a misleading manner, such as by implying that Frank, Rimerman certifies a product or that the certification applies to activities outside the scope of the certification. Clients are required to discontinue the use of advertising matter that references the certification upon suspension or withdrawal of the certification.


  • Certification Status

    Check the certification status of our ISO clients using our certificate directory.

  • ISO/IEC 27001 and ISO/IEC 27701 services are provided by Frank, Rimerman Information Security, LLC, which is accredited by the ANSI-ASQ National Accreditation Board (ANAB). As a certification body accredited by ANAB, Frank, Rimerman Information Security, LLC can certify that a client’s ISMS conforms to the ISO/IEC 27001 and ISO/IEC 27701 standards.


    Frank, Rimerman Information Security LLC is an affiliate of Frank, Rimerman + Co. Although separate legal entities, Frank, Rimerman Information Services maintains a services agreement with Frank, Rimerman + Co, which provides access to the technical expertise, staffing capabilities and technologies of a larger, more diversified professional services firm.  

Contact Us

We are here to help ease your transition and answer any questions you may have regarding risk governance or ISO certification. Contact our risk management and cybersecurity experts today.