ISO27001 Certification
At Meridian we offer two routes when it comes to ISO 27001.
Option 1: Compliant Certificate issued by Meridian
Occasionally a company wishes to comply with a standard but not to
be certified to it by an external body. The usual reason for wanting to comply
without certifying is to ensure that the organisation works to a high
standard against which it can be regularly audited for internal compliance
reasons, but without the charges associated with an accredited certification audit.
At Meridian our auditors are able to do just this: we follow the steps
below and, upon achievement of compliance with the standard, we award you
a Meridian Compliance Certificate.
1. A Meridian-defined questionnaire is completed by the company.
2. We then conduct a 'Gap Analysis'.
3. A report is produced identifying areas which do not meet the required standard.
4. A period for the update of processes and practices is then taken, allowing time for the client to collect evidence of compliance.
5. A review is then conducted by our audit team to assess whether the company is compliant. If the result is acceptable under our compliance model, a Meridian certificate of compliance is awarded.
6. A schedule can then be agreed to validate ongoing compliance.
This option is the much more cost-effective route; however, it is not certification by an accredited certification body, so the Meridian certificate is an internal assurance statement rather than a formal ISO 27001 certificate that trading partners or regulators would recognise.
Option 2: Formal Certification Route
Meridian's approach to each assignment can be adapted according
to the size and specific requirements of our clients; we produce a personalised
offering to meet your requirements.
Common reasons to seek certification include, but are not limited to: organisational
assurance; trading partner assurance; competitive advantage (market leverage);
reduction or elimination of trade barriers; and reduced regulation costs.
To meet the certification requirements, an organisation's ISMS must be
audited by an assessor working for a 'Certification Body'. There is a clear
segregation of duties here: the assessor must be independent of any consultancy
or training provided to the organisation, so the body that helped build the
ISMS cannot also be the body that certifies it.
A Certification Body must have been accredited by the National Accreditation
Body for the territory in question (e.g. UKAS in the UK). This helps ensure
that Certification Bodies meet national and international standards
for their services, and ensures consistency between them. Before engaging a
Certification Body, check its accreditation status and scope with the relevant
National Accreditation Body, as a certificate from an unaccredited body carries
little weight.
In respect of ISO 27001, the accreditation guidance was historically a document called EA-7/03 ('Guidelines
for Accreditation of Bodies Operating Certification / Registration of
Information Security Management Systems'); this has since been superseded by
ISO/IEC 27006, which sets the requirements for bodies providing audit and
certification of ISMSs.
The following diagram may clarify this process:

Meridian recommends the following six-step process towards obtaining
and retaining certification:
1. Questionnaire (the Certification Body obtains details of your requirements).
2. Application for Assessment.
3. Pre-assessment Visit or a 'Gap Analysis' (an optional, but worthwhile, step).
4. The Stage 1 Official Audit, a 'Document Review' audit.
5. The Stage 2 Official Audit, known as the 'Compliance Audit'.
6. Ongoing surveillance audits then take place to confirm continued compliance.
This option is the more expensive route; however, it is an official audit, and the resulting certificate is issued by an accredited Certification Body.