About ISO 27001
ISO 27001 provides an international standard and methodology for the implementation, management and maintenance of information security for organizations. Obtaining ISO 27001 certification demonstrates that your Information Security Management System (ISMS) conforms to the standard's requirements, and it provides a framework for illustrating your security posture to current and potential organizations.
Skoda Minotti Risk Advisory Services, a certification body for ISO 27001, provides the following services:
Scope Assessment: As part of the initial engagement, we will develop a comprehensive understanding of the services and systems that are under review. After obtaining a clear and thorough understanding of our client’s environments, we will customize an audit plan and provide access to an online collaboration tool that includes all required documentation, identification of the key personnel responsible at Skoda Minotti and at the client, and documented milestones within our project calendar.
Stage 1 Audit: As part of the Stage 1 audit, Skoda Minotti reviews your company’s documentation to confirm that it is in compliance with the requirements of ISO 27001. At the completion of this stage, clients are provided with a detailed report identifying any nonconformities. In addition to the deficiencies/nonconformities report, Skoda Minotti will provide you with a roadmap of the next steps required; this will depend on the results of the Stage 1 audit.
Stage 2 Audit: Once your organization completes Stage 1, it moves into Stage 2, which tests the conformance of the ISMS with ISO 27001. During the onsite audit, we will perform testing procedures such as interviews, observation of processes and inspection of artifacts to confirm the conformance of your ISMS with ISO 27001.
Surveillance Audit: To ensure that your organization’s ISMS continues to demonstrate conformance with ISO 27001, surveillance audits are required to maintain certification. Surveillance audits are designed to confirm that the scope remains consistent with the original certification, that the ISMS is being improved, and that ongoing monitoring procedures are being performed. Certifications are valid for three years, but require a surveillance audit in years two and three. Surveillance audits are required to be completed within 12 and 24 months of the initial certification decision date.
Skoda Minotti Risk Advisory Services has developed an audit methodology for conducting ISO 27001 certification audits that is in conformity with ISO 17021:2015. The methodology addresses the steps of the certification cycle including Stage 1, Stage 2, Certification Decision, as well as the ongoing Surveillance audits that are required.
We communicate the audit expectations, timing, and deliverables to our clients through the audit planning documentation, kick-off/closing meetings, status sheets available through our client portal and regular meetings. Skoda Minotti Risk Advisory Services’ standard methodology provides consistency to the certification audit process.
As your certification body for ISO 27001, we have defined criteria for all certification decisions including granting, refusing, maintaining, renewing, suspending, restoring and withdrawing the certificate. These processes follow the requirements defined in ISO 17021:2015.
Skoda Minotti Risk Advisory Services communicates with our clients through the engagement team regarding all certification decisions. All decisions related to ISO 27001 certification are approved by Skoda Minotti Risk Advisory Services’ senior leadership, and are required to follow our documented certification processes.
Skoda Minotti Risk Advisory Services’ Name and Logo
Skoda Minotti Risk Advisory Services’ ISO 27001 certification logo is only to be used to illustrate conformance with ISO 27001. The use of our name and logo with regard to ISO 27001 certifications is governed by the terms and conditions in our contracts with clients. Skoda Minotti Risk Advisory Services monitors the use of its name and logo to ensure compliance with our contractual agreements and ISO 17021:2015.
Skoda Minotti Risk Advisory Services’ audit team strives to clearly communicate the justification for its decisions related to the certification activities. When a situation arises where the client does not agree with the audit team, the client may appeal the decision to Skoda Minotti Risk Advisory Services’ leadership. A point of contact, who is separate from the audit team, is assigned to research the appeal. Skoda Minotti Risk Advisory Services’ leadership will review the results of the research and communicate the decision to the client. Appeals may be raised directly with the client’s audit team or by submitting here.
Complaints filed against Skoda Minotti Risk Advisory Services or our certified clients are received, handled and resolved in accordance with ISO 17021:2015. Skoda Minotti Risk Advisory Services has developed a process managed by a team independent of our audit team to document and track the complaint. The complaint will be investigated and resolved in accordance with our documented policies. The complaint initiator will be kept informed through the process and of the complaint resolution. Complaints can be submitted here.
Inquiries regarding the status of a given certification, or about the geographical areas in which we operate, can be submitted here. Received inquiries will be responded to within 48 business hours.
All professional personnel who work on auditing engagements and who are required to be independent sign a representation letter when hired, and annually thereafter, acknowledging their familiarity with the firm’s relevant ethical requirements policy and procedures, particularly with regard to independence from and impartiality toward all clients and related entities of the company. The representation letter also confirms that personnel understand that, if a conflict of interest arises, they are required to immediately report the conflict to the managing partner. The representation letter also lists known circumstances and relationships that may create a potential threat to independence and impartiality or violate the firm’s relevant ethical requirements policy.