ISO 27001 certification and auditing

ISO 27001 is an international standard for information security management. The standard provides a framework for managing information and helps organisations identify and manage the risks associated with it. It defines a systematic approach to the creation, implementation, maintenance and continuous improvement of information security management in an organisation.

ISO 27001 certification is useful for organisations that need to manage and protect various types of data and whose operations depend on information security, such as organisations in the financial, healthcare and information technology sectors. In addition, it is necessary for organisations whose cooperation with public, private or third sector organisations depends on demonstrable compliance with information security standards.

Organisations can get ISO 27001 certified. This demonstrates to customers and other parties that they take information security seriously and have implemented appropriate controls to protect information.
Phases of services

1. Planning

Preliminary activities for conducting an ISO certification audit.

2. Pre-certification assessment

Pre-audit assessment of the current state of the information security management system (ISMS).

3. Certification audit

Conducting a certification audit and preparing an audit report that includes a description of deficiencies. After a successful audit, the ISO certificate is issued for three years.

4. Follow-up audit

A follow-up audit is conducted every 12 months or in case of major changes to the ISMS.

Advisory services

ISO 27001 consulting begins with a gap analysis of the organisation's information security. Regarding the deficiencies identified during the analysis, we provide recommendations for the implementation of measures that enable the organisation to effectively bring its information security process(es) into compliance with the standard. In cooperation with the client, we prepare a detailed action plan to achieve compliance; where appropriate, KPMG can provide assistance in implementing the action plan (please see KPMG IT risk assessment service).

Pre-audit

The certification process begins with a pre-audit. The purpose of the pre-audit is to assess the ISMS implemented by the organisation and establish whether it is ready to successfully pass the certification audit. After the pre-audit, the organisation has six months to remove the identified deficiencies and non-conformities, and start the certification audit. If, after six months, the organisation is not ready for the certification audit, meaning the deficiencies identified during the pre-audit have not been removed, the pre-audit must be conducted again.

Certification audit and surveillance audit

There is a three-year certification cycle. It comprises a certification audit and two surveillance audits, which must be carried out within two years from the certificate being issued. If the organisation wishes to maintain certification beyond the end of the third year, recertification must be performed. This requires a successful audit, and then a new three-year certification cycle begins.

ISAE SOC2 and ISO 27001

ISO 27001 certification is also well aligned with ISAE certification (please see KPMG SOC2 (ISAE 3000) certification for more information). KPMG has a unique market position because we offer both a service designed to provide assurance about the effectiveness of information security-related controls under ISAE 3000 (SOC2 report) and an information security management system certification service according to the ISO 27001 standard. Simultaneous certification to both standards saves time and money, and it also helps the organisation meet well-known information security requirements in both the European and US markets.

Provide a safe and sustainable business environment for your company! We will help you build a resilient and reliable digital world, even in the face of changing threats.

KPMG Baltics OÜ

+372 626 8700
itaudit@kpmg.ee
Ahtri 4, 10151 Tallinn, Estonia

HR assessment

HR assessment focuses on mapping the skills and increasing the competencies of the weakest link in cyber security: the users, the employees.


Threat assessment

Threat assessment is a tactical and technical service that allows a company to get a quick overview of external threats.


Maturity assessment

Maturity assessment helps plan IT investments and design further steps to mitigate vulnerabilities and ensure better security.