ISO compliance

Coalfire helps you secure financial, health, sensitive, intellectual, employee, and third-party information; promote quality internally; manage IT service providers and service requirements; and establish robust business continuity procedures.


Overview

We prepare your organization for formal certification or alignment against internationally recognized standards including ISO; the Cloud Security Alliance Security Trust & Assurance Registry (CSA STAR); and NIST Cybersecurity Framework (CSF).

Pre-assessment for ISO certification

Our specialists determine your organization’s preparedness to pursue formal certification in advance of external audits. ISO readiness assessments are performed against the mandatory certification requirements comprising Clauses 4 through 10 of management system standards (MSS). In the case of ISO 27001 consulting, we evaluate control objectives prescribed within Annex A against required policy and procedure documentation through an abbreviated design check of the management system.

The pre-assessment includes:

  • Workshop overview that provides an interpretation of applicable ISO requirements to be documented
  • Observations and best practices based on your organization’s peers and sector-specific trends
  • Insights into your management system documentation on processes, internal controls, internal auditing, and management review
  • Upfront analysis of risks that could threaten your ability to meet the applicable ISO standard requirements
  • A summary of current business processes and related controls along with remediation recommendations

The pre-assessment serves as a training and awareness session for internal stakeholders and interested parties, who may serve as designated control owners and participate in required annual activities (e.g., risk assessment, internal audit). In addition to reviewing the defined common controls framework objectives, the lead auditor covers:

  • Plan-Do-Check-Act and the continuous improvement cycle
  • Governance structure originating from the International Accreditation Forum (IAF) and each country or region’s specific accreditation body that provides oversight to conformity assessment bodies (CAB)
  • Guidance for executing your risk assessment, internal audit program, and controls implementation, if applicable
  • Strategies for evaluating the validity of an ISO certificate produced as part of any third-party oversight and risk management program

Monitoring

Management system internal audit

In accordance with ISO 19011, we execute an independent, periodic internal audit against the management system requirements of the in-scope MSS and, in the case of standards such as ISO 27001, CSA STAR, and ISO 27701, against the controls justified for inclusion in the statement of applicability. As part of the required documentation inspection, we determine the sufficiency of sampled control procedures provided by your organization. Deliverables include:

  • A three-year management system internal audit plan
  • Annual management system internal audit report
  • Lead auditor competency profile or evidence of relevant lead auditor certification

Management review

After the completion of the risk assessment and internal audit inputs, we facilitate the resulting review of the management system with senior and operations management personnel who are key internal interested parties to the program’s establishment. We develop a recurring supporting agenda presentation template that meets the ongoing requirements for this periodic management review activity.


External audit

External audit support

We help your organization identify and select an accredited certification body (registrar) that will assess your organization against the in-scope certification requirements. During the initial certification audit, we respond to and defend, on behalf of your organization, any inquiries about our advisory work products raised by the appointed lead auditor in interviews and walkthroughs. For any identified findings or non-conformities, we assist with the root cause analysis (RCA) and the development of corrective action plans resulting from the external certification audit.

Why Coalfire for ISO compliance?

Our team comprises dedicated practitioners who focus solely on the interpretation, maturity, composition, history, and adoption of ISO standards. They are full-time employees who are individually certified to relevant lead auditor and lead implementer schemes.
