Many organizations have been impacted by office closures during the COVID-19 pandemic. Here’s how to maintain your ISO 27001 certification during the crisis.
Many organizations are facing the challenge of maintaining their ISO 27001 certification schedule during the Coronavirus (COVID-19) pandemic. This includes scheduling (or rescheduling) on-site audits in a time when most organizations aren’t sure when they will be able to open their offices and return to a normal schedule.
In this blog post, we will review official guidance released by ANAB (the ISO 27001 governing body) as well as share our own experience with various certification bodies so that you have a clear understanding of your options.
What do we do about on-site certification audits during the Coronavirus pandemic?
ANAB, the primary governing body for ISO audits in the United States, has issued two “Heads-Up” notifications (HU 448, HU 450) guiding certification bodies. ANAB has provided two primary options if on-site audits are impacted by the COVID-19 pandemic:
- Virtual meetings:
Certification bodies may choose to leverage “information and communication software” (ICT) to perform their assessments. Because the auditor is responsible for meeting ANAB’s audit guidelines, the certification body is ultimately responsible for deciding whether virtual meetings are a sufficient means to carry out the audit.
You should work closely with your certification partner to develop a plan if you would like to perform virtual walkthroughs, especially if they include facility or physical security walkthroughs.
- Perform the on-site at a later date:
If the on-site portion of the audit cannot be sufficiently performed with virtual meeting technology, the on-site portion of the audit “may be completed on-site later in 2020 or added to the 2021 plan”. In this case, you will need to work with the certification body to agree on new dates.
How will postponing our on-site audit impact our certification timeline?
If you choose to postpone the on-site portion of your certification audit, you will need to work closely with the certification body to understand the potential impact on your certification timeline. For most organizations there are two likely outcomes:
- Expect no impact to certification timeline:
If your organization can perform virtual meetings and physical security is not a significant component of your certification audit (e.g., physical security is low risk), you will likely be able to move forward with your certification as scheduled. Cloud-based organizations, Software-as-a-Service providers, and remote workforces will likely fall into this category.
- Your timeline will likely be impacted:
If your organization cannot support virtual meetings, if physical security is an important component of your audit, or if physical space is an important component of the system being certified, your timeline may be impacted. You will need to work directly with your certification partner to understand the impact.
However, the most likely scenario is that your certification timeline will be pushed back until the on-site audit can be completed. If this is a surveillance audit (second- or third-year audit), the firm may be willing to issue the recertification without the on-site. If you are a data center or have significant on-premises infrastructure, you likely fall into this category.
How do I ensure the continuity of my compliance program?
Organizations should take three immediate steps to help set their program up for success during this pandemic:
- Coordinate with your certification partner as soon as possible:
Reach out to your certification partner to understand your options and develop a plan of action. Travel arrangements will likely have to be updated, new meeting schedules will need to be developed, and stakeholders will have to adjust their schedules.
- Coordinate with internal stakeholders:
Communicate any changes to internal stakeholders so all parties understand the potential impact on your certification timeline. You will likely need to inform top-level management of any changes, work with stakeholders and control owners on a new schedule (or meeting location), and ensure everyone is available for the new audit dates.
Information technology professionals are busy helping colleagues work from home during this pandemic, so be sure to work with them to ensure they have time on their schedule as well.
- Coordinate with external stakeholders:
Whether your certification timeline has been impacted or not, it is good practice to proactively communicate any news to external stakeholders (clients, prospects, partners) that may be expecting the result of your ISO 27001 certification audit. If your timeline has been postponed, most organizations should understand that these are unusual times and appreciate the transparency. If possible, provide an updated timeline to reset expectations.
Do you have additional questions?
At risk3sixty, we work with dozens of organizations to navigate and achieve ISO 27001 certification. If you have additional questions that we did not answer in this blog post, please reach out to our team and we would welcome the opportunity to assist.