We are uniquely qualified and experienced to help you build a compliance management system that complies with ISO standards, as Coalfire is one of a few vendors in the world that maintains an advisory practice that shares team resources with Coalfire ISO, an accredited certification body.

To help your organization decrease implementation timelines and costs during initial certification, our advisory team evaluates your environment and determines short-term project plans from the perspective of experienced implementers and auditors who maintain the necessary credentials to certify an organization as prescribed by relevant accreditation rules.

By wearing both the auditor and implementer “hats,” we reduce the risk that your organization spends too much time over-preparing for a certification audit or is ill-prepared for the initial third-party audit and fails the resulting inspection.

Our certified lead auditors determine your organization’s preparedness to pursue formal ISO certification via an accredited certification body. ISO readiness assessments are performed against the mandatory certification requirements comprising Clauses 4 through 10 of management system standards (MSS). In the case of ISO 27001 consulting, we evaluate control objectives prescribed within Annex A against required policy and procedure documentation through an abbreviated design check of the management system.

The pre-assessment includes:

• Workshop overview that provides an interpretation of applicable ISO requirements to be documented
• Observations and best practices based on your organization’s peers and sector-specific trends
• Insights into your management system documentation on processes, internal controls, internal auditing, and management review
• Upfront analysis of risks that could threaten your ability to meet the applicable ISO standard requirements
• A summary of current business processes and related controls along with remediation recommendations

The pre-assessment serves as a training and awareness session for internal stakeholders and interested parties, who may serve as designated control owners and participate in required annual activities (e.g., risk assessment, internal audit). In addition to reviewing the defined common controls framework objectives, the lead auditor covers:

• Plan-Do-Check-Act and the continuous improvement cycle
• Governance structure originating from the International Accreditation Forum (IAF) and each country or region’s specific accreditation body that provides oversight to conformity assessment bodies (CAB) like Coalfire ISO
• Guidance for executing your risk assessment, internal audit program, and controls implementation, if applicable
• Strategies for evaluating the validity of an ISO certificate produced as part of any third-party oversight and risk management program

Management system internal audit

In accordance with ISO 19011:2018, we execute an independent, periodic internal audit against management system requirements of the in-scope MSS, as well as, in the case of standards like ISO 27001, CSA STAR, and ISO 27701, controls justified for inclusion per the statement of applicability. As part of the required documentation inspection, we determine sufficiency of sampled control procedures provided by your organization. Deliverables include:

• A three-year management system internal audit plan
• Annual management system internal audit report
• Lead auditor competency profile or evidence of relevant lead auditor certification

Management review

After the completion of the risk assessment and internal audit inputs, we facilitate the resulting review of the management system with senior and operations management personnel who are key internal interested parties to the program’s establishment. We develop a recurring supporting agenda presentation template that meets the ongoing requirements for this periodic management review activity.

External audit support

We help your organization identify and select an accredited certification body registrar that will assess your organization against in-scope certification requirements. During the initial certification audit, we respond and defend inquiries related to its advisory work products made by the appointed lead auditor in interviews and walkthroughs on behalf of your organization. For any identified findings or non-conformities, we assist with the root cause analysis (RCA) and the development of corrective action plans resulting from the external certification audit.