Compliance with ISO 27001 does not relieve the organisation of its obligation to meet the minimum security measures and requirements imposed by Regulation (EU) 2016/679 (General Data Protection Regulation). However, the two overlap in several areas:
- Data confidentiality, integrity and availability: the organisation needs effective, documented controls for protecting data and managing privacy
- Risk assessment: analysis and monitoring of the risks arising from the organisation's specific processing activities is mandatory
- Notification requirement: the competent supervisory authority and, where the breach is likely to result in a high risk to them, the affected data subjects must be informed promptly in the event of a personal data breach (the GDPR sets a 72-hour target for notifying the authority)
- Records of processing: each organisation must compile and maintain a record of its processing activities and of the data it holds.
One of the main concerns for those approaching the certification process for the first time is the thought of having to turn their organisation upside down.
The work needed to implement an Information Security Management System properly consists of a series of activities that reorganise the practices already in place within the company so as to bring them under systematic control, rather than replacing them.
Like the other current-generation ISO management system standards, ISO 27001 is built on the risk-based thinking approach: the organisation must identify, analyse and monitor its risks with a view to preventing harm, and treat them through a management plan consistent with its own characteristics.
The ISO 27001 certification process begins with the implementation of the management system, carried out by an internal specialist of the organisation or by an external consultant.
Once implementation is complete, ASACERT verifies that the system conforms to the standard and issues the Certificate, which is valid for three years subject to an annual audit.
The initial certification audit is carried out in two phases (Stage 1, a review of the documentation and readiness of the system, and Stage 2, an on-site audit of its implementation) and leads to the issue of the Certificate.
Within 12 months of initial certification, ASACERT carries out a Surveillance Audit to verify that the management system is still in place and still compliant with the standard. If significant changes have occurred, the Certification Body can amend the Certificate to reflect the organisation's new situation.
A second Surveillance Audit is due within one year of the first.
At the end of the third year, the organisation must renew the Certificate through a Recertification Audit; otherwise the certification lapses.
The duration of each audit depends on the scope and complexity of the management system and on the size of the organisation.
For further information contact us.
We are happy to help you!