Solution: Information Security Certification | ISO 27001
TÜV AUSTRIA Information Security Certification according to ISO 27001
Information on ISO 27001
The rapidly advancing digital transformation harbors both opportunities and risks, especially in the information technology sector. The risks include acute threats such as hacker attacks, global virus attacks, unforeseeable data loss or the general misuse of confidential information that forms an important basis for business. These scenarios can become a serious threat to operational IT processes and, in the worst case, even paralyze the entire business operation. ISO 27001 (factsheet), the only international standard for information security, helps to specifically identify and minimize these risks through a systematic and structured approach.
The standard allows companies and organizations of any size and in any industry to implement and continuously evaluate information security.
The prerequisite for this is a documented information security management system (ISMS) that is integrated into the organization and practiced in daily operation. ISO 27001 places particular weight on risk management: based on the risk assessment (also called risk analysis), the security controls from Annex A of the standard (14 sections) are applied to mitigate any risk that is deemed unacceptable.
The certificate (see sample certificate) is valid for three years and may be used for advertising purposes in accordance with the certification regulations. The certification logo can be used, for example, on stationery or on the website, in each case in connection with the certified organization. For legal reasons, each planned use must be released or confirmed by the certification body.
Your advantages in cooperation with TÜV AUSTRIA Group:
- ISO 27001 certification increases data security in your company. The standard actively helps to protect your confidential data from improper access, data loss or hacker attacks. Likewise, it ensures rapid recovery after this type of attack.
- The structured and globally recognized information security management system helps to identify imminent threats in time and to reduce them systematically.
- ISO 27001 enables you to meet external requirements (e.g. operational risks under Basel II). The information security management system takes into account the three IT protection goals of information: Confidentiality, availability and integrity.
- Through certification, the current (actual) state of your operations is analyzed continuously and can be optimized and adapted towards the target state whenever necessary. This leads to continuous improvement of internal processes.
- The holistic approach of the management system ensures that the standard is practiced day to day and can be easily integrated into everyday work. It requires management accountability as well as regular training and internal audits.
ISO 27001 Certification Process
A certification process usually takes between three and five weeks. We determine the exact effort, as well as duration and costs together with you before the certification process.
1. Information meeting
During a non-binding and free of charge meeting, we will inform you about the procedure for obtaining your certificate. Furthermore, the following points will be clarified, among others:
- Basic requirements for certification
- Goals and benefits of certification
- Comparison of company data and definition of the scope of certification
- Discussion of your specific requirements and wishes
- Determination of the next necessary steps towards certification
2. Offer and commissioning
Based on this informational discussion, you will receive an individual offer tailored to your organization.
If you are satisfied with the offer, the certification body is commissioned. After you have received an order confirmation, the certification process begins with a joint appointment with the responsible auditor.
3. Pre-audit (optional)
If desired, a pre-audit can be carried out. Based on a jointly defined framework, either specific areas or processes or the overall situation of your organization will be audited. Any weaknesses in the documentation and implementation of the system will be identified. If desired, a pre-audit can provide you with a status report regarding the basic certification capability, a detailed expert opinion on individual processes or the conformity to individual requirement points of the respective standard. The audit methodology corresponds to that of the certification audit.
4. Certification audit stage 1
The stage 1 audit serves to determine your readiness for certification. Site-specific conditions are assessed and the information needed to define the scope is collected. The following main items are addressed in the stage 1 audit:
- Review of the documentation for conformity and completeness against the requirements of the respective standard.
- Status of the implementation of the management system in the company: do the existing management practices and the degree to which the management system has been implemented in the organization fundamentally permit certification, or are decisive elements still missing?
Before audit stage 2 is carried out, an audit plan for the actual certification audit is drawn up with the knowledge gained about your organization and the management system and agreed with you.
5. Certification audit stage 2
During stage 2, the effectiveness of the management system introduced in your company is checked. In the process, random samples are taken in departments or organizational units and along the process chains for all requirements.
The basis of the audit consists of:
- the audit plan
- the respective certification standard, or the individual standard requirements specified therein
- organization-specific documents
- general and industry-specific requirements (laws and any further industry-specific standards that apply, etc.)
After evaluation and assessment of the results, you will already be informed of the audit result and any deficiencies or deviations during the final meeting. In case of deviations, corrective measures are determined.
6. TÜV AUSTRIA Certificate
The certificate is issued by the TÜV AUSTRIA certification body after a successful audit and the audit report based on it. The certificate is issued if the following certification requirements are met:
- Documentation and implementation of the management system
- Certification agreement (confirmation of the certification offer, the certification regulations and the general terms and conditions)
- A positively completed audit and thus a corresponding recommendation by your audit team to the certification body
A certificate is issued for a period of three years. To maintain the validity of the certificate over its entire term, an annual surveillance audit (12 months and 24 months after issuance of the certificate) must be carried out and completed with a positive result.
7. Surveillance audits
During the annual surveillance audit, the effectiveness and further development of the management system are checked on the basis of random samples. Surveillance audits are shorter in scope than the certification audit; they cover topics specified by the accreditation bodies and the focal points set in the audit plan, and they follow up on the deficiencies identified in the previous audit.
8. Re-certification audit
This must be carried out before the certificate expires (usually after three years). In a re-certification audit (often also called a repeat audit), all requirements are checked on a random-sample basis, as in a certification audit. The effort of this repeated certification procedure is reduced compared to an initial certification (approx. 2/3 of the audit time of an initial certification procedure).
After a positive certification decision, a new certificate with a validity of three years is issued.