Stage 1:
Stage 1 is an initial assessment to evaluate the readiness of the organization's Information Security Management System (ISMS) for the full certification audit. It focuses on understanding the organization's context. The auditor reviews key documents, including the Information Security Policy, the ISMS scope, the risk assessment, the Statement of Applicability (SoA), and other relevant documentation. After the auditor identifies any gaps, he/she sends a feedback report to the organization. The client has 1-3 months to remediate all the issues found during Stage 1. Once Stage 1 is cleared, the auditor proceeds to Stage 2.
Stage 2:
In this stage, the auditor evaluates the implementation and effectiveness of the ISMS. The auditor assesses the entire ISMS, including the effectiveness of controls, processes, and documentation, and reviews additional documents, procedures, and records to verify compliance. Based on that assessment, the auditor issues a non-conformity report (Audit Finding Action Report) to the organization. The client has 30-90 days to remediate all the non-conformities (NCRs) found during Stage 2. Once the organization has mitigated all the non-conformities and the auditor has verified this, the certificate is issued to the organization.
After 1 year, in the first surveillance audit, the auditor confirms that the ISMS still complies with ISO 27001 by reviewing the key ISMS documents, sample records, and corrective actions for ongoing effectiveness.
In year 2, in the second surveillance audit, the auditor again confirms ISMS compliance with ISO 27001 by reviewing the key ISMS documents, sample records, and corrective actions for ongoing effectiveness.
In year 3, in the re-certification audit, the auditor assesses the entire ISMS to confirm compliance with ISO 27001 and to verify that it remains effective.