12 August 2008
MUSCAT -- Ernst & Young has recently established a separate legal entity called Ernst & Young CertifyPoint to oversee the issuance of ISO/IEC27001 certifications based on globally consistent accreditation, audit and certification guidelines. ISO/IEC27001 is an internationally recognised standard describing the certification audit requirements for an Information Security Management System, or ISMS. This standard was the first of the ISO27xxx series, published by the International Organisation for Standardisation in October 2005.

Mohamed Nayaz, Executive Manager, Business Advisory Services says: "Although this entity is located in The Netherlands, these certification services can be provided across the globe and can be performed by auditors based in the Muscat office of Ernst & Young". CertifyPoint has been accredited by the Dutch Accreditation Council to perform ISO/IEC27001 certification audits (amongst other certification schemes).

For historical reasons, the Dutch Accreditation Council is a highly recognised member (and one of the pioneers) of the International Accreditation Forum (IAF). Certificates issued by Ernst & Young CertifyPoint are recognised as valid certificates in all countries with an IAF member. This provides a unique opportunity for organisations in Oman to seek the services of Ernst & Young CertifyPoint for achieving ISO 27001 certification.

The benefits to organisations in achieving ISO 27001 certification include: demonstration of credibility, trust, satisfaction and confidence with stakeholders, partners and customers; providing a holistic, risk-based approach to compliance; ensuring less business disruption from ongoing customer assessments; demonstrating security status according to internationally accepted criteria; providing market differentiation due to prestige, image and external goodwill; qualifying for lower premiums for cyber security risk insurance; and demonstrating due diligence to maintain certification through (semi-)annual surveillance visits.

This also provides a unique opportunity for Ernst & Young to help clients demonstrate that they meet the requirements in the ISO/IEC27001 standard, by means of assessing the organisation's current ISO readiness, certifying the organisation through EY CertifyPoint and performing surveillance audits to ensure continued compliance.

As the Ernst & Young Global Security Solution Leader, Ed Napoleon, stated: "We have offered information security assessment services based on our own proprietary methodology and existing security standards for a number of years. With the addition of Ernst & Young CertifyPoint, we can now offer the full suite of ISO/IEC27001 based services, including full certification."

Every organisation that has a management system for information security based on the criteria derived from the ISO27001 standard can apply for an assessment to obtain certification by Ernst & Young CertifyPoint. Requests for certification are possible for all types of organisation, irrespective of size. The initial certification audit consists of two steps: the stage 1 audit and the stage 2 audit. The objective of the stage 1 audit is to provide a focus for planning the stage 2 audit by gaining an understanding of the ISMS in the context of the client organisation's ISMS policy and objectives, and, in particular, of the client organisation's state of preparedness for the audit.

The objectives of the stage 2 audit are to confirm that the client organisation adheres to its own policies, objectives and procedures and to confirm that the ISMS conforms to all the requirements of the normative ISMS standard ISO/IEC 27001 and is achieving the client organisation's policy objectives. The stage 2 audit always takes place at the site(s) of the client organisation.

After a successful certification audit without any non-conformities against the ISO/IEC27001 standard, the formal certificate can be awarded to the organisation and is valid for a period of three years. At least annually, a surveillance audit needs to be performed by the certification body to ensure continuous compliance according to the scope of the certification.

By Staff Reporter

© Oman Daily Observer 2008