ISMS certification based on ISO/IEC 27001
Specific Accreditation Protocol SAP-C010-UK, version 2 (Dutch Accreditation Council (RvA); last update of this version: 7-3-2014)

This is a brief description of the assessment service for a specific accreditation. It should be read in conjunction with the generic RvA Regulations, RvA-BR002.
1. Normative documents
1.1 Accreditation criteria and guidance
Criteria:
- ISO/IEC 17021, Conformity assessment — Requirements for bodies providing audit and certification of management systems
Guidelines and explanatory documents:
- RvA-T032, Implementation of ISO/IEC 17021 (2007)
- IAF MD1, IAF Mandatory Document: “Certification of multiple sites based on sampling”
- IAF MD2, IAF Mandatory Document: “Transfer of accredited certification of management systems”
- IAF MD4, IAF Mandatory Document: “Use of computer assisted auditing techniques (CAAT) for accredited certification of management systems”
- IAF MD10, IAF Mandatory Document for Assessment of Certification Body Management of Competence in Accordance with ISO/IEC 17021:2011
- IAF MD11, IAF Mandatory Document for the Application of ISO/IEC 17021 for Audits of Integrated Management Systems
- ISO/IEC 27006, Information technology - Security techniques - Requirements for bodies providing audit and certification of information security management systems (2007)
(IAF documents: www.iaf.nu)
1.2 Documents for Conformity Assessment
- ISO/IEC 27001:2013, Information technology – Security techniques – Information security management systems – Requirements
2. Description of the scope of accreditation
Accreditation of certification based on ISO/IEC 27001 shall be included in the ISO/IEC 17021 scope of accreditation as follows:

| Normative document | Certification scheme |
| ISO/IEC 27001 | Certification of Information Security Management Systems (ISMS). Accreditation provided in accordance with ISO/IEC 27006 |

No EA/IAF sectors or other sub-scopes are specified.
3. Assessments
The assessment strategy depends on the other activities for which the body is accredited or requests accreditation. When a body already holding an accreditation to ISO/IEC 17021 applies for accreditation of certification to ISO/IEC 27001, the scope extension is performed following the initial assessment procedures described below. The extent of the assessment will depend on the overlap with the existing accreditation.
3.1 Documentation
Documents to be made available prior to the assessment (in Dutch or in English). A tick marks the assessment types for which the document is required:

| Document | Pre assessment | Initial or reassessment | Surveillance | Scope extension 3) |
| Evidence of legal entity (abstract from registration Chamber of Commerce and articles of association) | √ | √ | | |
| Quality manual and procedures addressing the requirements of the relevant accreditation standard(s) | √ | √ | √ | |
| Cross reference table between management system documents and requirements from the accreditation standard(s) | √ | √ | √ | |
| Documented certification regulation, including requirements for the use of the certification mark | √ | √ | √ | |
| Regulations, procedures and other documents addressing specific issues regarding the scheme(s) accreditation is applied for | √ | √ | √ | |
| A certificate template | √ | √ | | |

For witnessing:
- Scope of certification (description) or copy of the issued certificate
- A brief description of the organization’s activities and products / services
- Documents demonstrating the CB’s contract review
- The auditee's SOA (Statement of Applicability)
- CB’s stage one report (only if stage one will not be witnessed) or report from the previous audit at this auditee
- The audit plan, including relevant information about the audit location and name of auditee’s contact person as appropriate
- Instructions and requirements regarding security, safety, health and hygiene, and a confirmation that the RvA assessment team members will be provided with personal protective equipment when necessary
3.2 Assessment process

| Assessment method | Pre-assessment | Initial or reassessment | Surveillance (refer to RvA-B05 for the general policy) | Scope extension 3) |
| Document review | √ | √ | | |
| Office assessment | optional | √ | annual | |
| Witnessing | | A full initial or reassessment audit 1) 2) | Once per accreditation cycle | |

1) If the CB's stage one / stage two methodology has not already been witnessed under another accredited scheme, a full stage one / stage two audit is required.
2) If no full stage one / stage two audit is available, a re-assessment audit will be witnessed and the CB is required to report the first full stage one / stage two audit as a witness candidate.
3) Within this accreditation no sub-scopes are defined. Extension for sub-scopes is not applicable.
4. Miscellaneous
4.1 Relevant Legislation
Not applicable
4.2 Internal RvA expertise holder
Jan van den Akker; [email protected]
4.3 Specific assessment subjects
-
4.4 Organizations to be notified by RvA
Not applicable
4.5 Other information
Transition process to the ISO/IEC 27001:2013 version
On October 1, 2013, ISO published the new ISO/IEC 27001:2013. IAF, at its meeting in Seoul, resolved as follows: “IAF Resolution 2013–13 – (Agenda Item 8) Endorsement of ISO/IEC 27001:2013 - The General Assembly, acting on the recommendation of the Technical Committee, resolved to endorse ISO/IEC 27001:2013 Information technology - Security techniques - Information security management systems – Requirements, as a normative document.
The General Assembly further agreed that the deadline for conformance to ISO/IEC 27001:2013 will be two years from the date of publication. One year after publication of ISO/IEC 27001:2013, all new accredited certifications issued shall be to ISO/IEC 27001:2013.
Note: As the date of publication was 1 October 2013, the deadline for Certification Bodies to conform will be 1 October 2015.”
RvA implements this resolution as follows:
Considering the nature of the changes, CBs that are already accredited by RvA for certification in accordance with ISO/IEC 27001:2005 may apply the new standard under accreditation immediately (i.e. without prior approval by RvA). During the first regular surveillance or re-assessment, the RvA will give extra attention to the introduction of the new standard. The following points will receive specific focus:
- Did the CB adequately train its auditors with respect to the new requirements of the standard;
- Did the CB adequately adapt its competence requirements (and their evaluation) to the new standard (extra attention will be given to “technical area” competence);
- Did the CB establish a transition plan for its clients which ensures that all new certifications issued after October 1, 2014 are issued to the new standard, and that all existing certificates are transferred to the new standard before October 1, 2015;
- Did the CB adapt its working methods (instructions, templates, checklists) to the new requirements;
- During witness assessments, special attention will be given to an appropriate method of assessing the “risk analysis”, the “statement of applicability” and the “ISMS policy”.
These points will be reported on specifically.
4.6 Revisions with respect to previous version
- Updated with respect to publication of the ISO/IEC 27001:2013 version; transition process included.
- Updated with respect to newly published IAF documents.