What does an ISO process look like?

First of all, the choice is between setting up what you need yourself or with support from an external party. Undoubtedly, both ways will produce results, but it is important to realize that implementing a so-called management system, for example, the ISO 27001 whether NO 7510, involves a lot of work.

‍

Step 1. GAP analysis

The starting point is a GAP analysis. Here, the entire organization is inventoried and all processes, stakeholders and the internal and external context of the organization are identified.

‍

Step 2. Risk Analysis

On the basis of a brainstorm, all possible risks (and opportunities) for the organization are identified. These are assessed and controlled with the aim of reducing the chance and/or impact. After all, a risk is nothing more than the chance that an event with a negative effect will occur.

‍

Step 3. Management System

The management system is the set of processes, procedures, responsibilities and documentation. Do you want to know the right software for setting up an ISO management system? Also read our article “The right software for your ISO management system?”

‍

Step 4. Awareness

An important part of implementing a management system is making the organization aware. This informs and informs all internal stakeholders about which parts of the system are relevant to them. This contributes to creating capacity within the organization. Also read our article “Raising awareness? An explanation of ISO 27001 information security awareness”.

‍

Step 5. Internal Audit & Executive Review

During the internal audit you will look for improvements in the organization's management system. Also read our article “What does an internal audit look like?”

‍

In addition to the internal audit, an obligatory part is the management review. Here, the management will review the organization's management system at scheduled intervals. This is to ensure continuous suitability, applicability, effectiveness and alignment with the strategic direction of the organization.

‍

Step 6. Certification Audit

Now we have arrived at the official part: the audit that tests whether the management system meets the requirements of the standard for which it was set up. This audit is always carried out by a certification body (this term stands for organizations appointed by the Dutch Accreditation Council to issue certifications).

‍

The audit often consists of two parts:

‍

• The preliminary investigation, which tests whether the organization is ready for the certification audit; and
• The certification audit, in which the management system is randomly tested.

‍

After the certification audit, the lead auditor will give positive or negative advice to the certification body to certify the organization.

‍

Step 7. Management System Maintenance

You have received the certificate and want to keep it. This means that the management system serviced must be. The certification cycle is three years, starting from the moment the certificate is issued. An audit will take place every year, with a recertification audit in the third year. Here, the entire management system will be examined.

‍

Implementation process at Fendix

Want to see our entire implementation process in detail? Click here!

‍