Compliance Basics: Implementation and Certification

Introduction #

This article is written primarily for ISO but most parts also apply to other compliance frameworks like SOC 2 and NIS2.

ISO (International Standards Organization) standards are internationally recognized frameworks that define best practices for various organizational processes. These standards help organizations improve quality, safety, efficiency, and compliance.

SOC (System and Organization Controls) was developed by the American Institute of CPAs (AICPA) and defines criteria for managing customer data based on five “trust service principles” – security, availability, processing integrity, confidentiality and privacy.

NIS2 (Network and Information Security Directive) was established by the European Union in 2022. This is not a compliance framework but European legislation that has been translated by each Member State. The directive focuses on risk management, supply chain management and accountability in information security. ISOPlanner implements the NIS2 Quality Mark as a translation from legislation to practical controls.

This manual gives a high-level overview of the certification process and the steps to implement a compliance framework.

ISO Standard license #

For ISO standards, your organization needs to have a licensed version of the ISO standard you want to implement. You can buy them at https://www.iso.org. ISOPlanner will ask if you have purchased this license before you activate the standard.

3 year certification cycle #

Initial certification audit #

This is the audit you are subjected to in order to determine whether you should be awarded your certificate for the first time. It’s also known as an external audit, a third party audit or a registration audit and is conducted by a Certification Body. The Certification Body (CB) will appoint an Auditor or possibly a team of auditors, depending on the size of your organization, the number of sites and the scope of your Management System. This audit consists of 2 stages:

  1. The Stage 1 Audit is also referred to as the Document Review (or Document Audit) or sometimes as the Readiness Review. The basic objective of the Stage 1 Audit is to determine if you’re ready for the Stage 2 Audit. The audit will typically focus on the written word. You could describe it as a reconnaissance exercise, where the Auditor gets a flavour of what your organization and Management System are all about. It may involve conversations with employees. Your Certification Body should contact you in advance to let you know what will happen on the day, so that you can ensure the employees’ availability and the materials needed.
  2. The Stage 2 Audit is the last stage before certification. It normally takes place on-site and is longer and more in-depth than the Stage 1 Audit. The overall purpose is to determine if your ISO Management System is compliant with the standard and whether you can be awarded certification. When you scheduled your Stage 1 Audit, you probably also agreed dates for your Stage 2 Audit, about 6 to 8 weeks later. Normally, your system should have been running for at least three months – ideally longer – before the Auditor comes in for Stage 2. You also need to leave yourself enough time to address any Improvement Requests from the Stage 1 Audit. The date of your Stage 2 Audit should have been confirmed with the Auditor at the end of the Stage 1 Audit.


The Stage 2 Audit will start with an Opening Meeting where the Auditor will explain what is going to happen. Some of the issues covered include:

  • Review of actions from the Stage 1 Audit to ensure the Improvement Requests have been acted upon (also referred to as ‘closed out’)
  • Inspection of documented information for evidence that the Management System is compliant with the standard
  • The overall effectiveness of your Management System and whether it’s helping you achieve your organisational objectives
  • Audit of activities and processes to determine whether you have operational control and are operating in accordance with your policies and procedures
  • Evaluation of your own Internal Audits and Management Reviews
  • Effectiveness of preventive and corrective actions
  • Examination of key performance objectives and targets


At the end of the audit, the Auditor will hold a closing meeting with you to review the audit and talk about any nonconformities and potential corrective action. At the meeting, you will be told whether you have been recommended for ISO certification or not. You will also receive a written report after the meeting which will include observations made by the Auditor and a summary of the findings. The report will identify minor nonconformities, major nonconformities and opportunities for improvement.

  • A major nonconformity is the total breakdown of a system, meaning you fail to meet a requirement of the standard. A number of minor nonconformities against one requirement can represent a total breakdown of the Management System and thus be considered a major nonconformity. Major nonconformities must be rectified before certification can be recommended by the Auditor. This may involve a further site visit by the Auditor.
  • A minor nonconformity may be either a failure or a single observed lapse in some part of the Management System. Minor nonconformities do not affect the recommendation for approval but must be addressed prior to the issue of your certificate.
  • Opportunities for Improvement (OFI) relate to existing conditions which, according to the Auditor, may warrant clarification or investigation so as to improve the overall status and effectiveness of the Management System. They do not affect the recommendation for certification.


If there are any nonconformities – whether they are minor or major – you will not receive certification until corrective action has been taken. You will normally be allowed up to three months to do this. Failure to be recommended for ISO certification on the day does not necessarily mean that the Auditor will have to visit and audit you again. You will probably just need to provide evidence that you have taken corrective action.

Annual surveillance audits #

One of the main objectives of an ISO Management System is to ensure continual improvement. The principle of Plan – Do – Check – Act, supported by audits and reviews, will help achieve this aim. The Annual Surveillance Audits are a major component of this and are a mandatory requirement to maintain accredited ISO certification.

In most circumstances, your organisation will undergo an Annual Surveillance Audit at the end of Year 1 and Year 2. The first of these will actually be performed a little before the end of the first year. This is so that the three year cycle is set to allow your Re-certification Audit to take place before the end of Year 3. This is important because if any nonconformities are discovered at the end of the third year, there could be a lapse in your certification while you take corrective action.

The Annual Surveillance Audit is usually conducted on-site. However, audits may be done remotely in exceptional circumstances. If you have multiple sites, then your head office will always be audited plus different sites than those chosen for the Initial ISO Certification Audit. Different sites again will be selected for the second Annual Surveillance Audit and Re-certification Audit although the head office will be included on every audit.

On an Annual Surveillance Audit, the Auditor will take a similar approach to that of the Stage 2 ISO Audit. However, less time will be spent on some areas of your Management System and probably only parts of your organisation will be audited. Much of what happens will be driven by what the Auditor discovered on previous audits, for example, examining areas of weakness. The following will be covered as a minimum:

  • Review of nonconformities and corrective actions from previous audits
  • Maintenance and performance of the Management System
  • The effectiveness of your Internal Audits
  • Consideration of your Management Reviews
  • Preventative and corrective actions
  • Updates to documentation


The second Annual Surveillance Audit in the three year certification cycle will likely examine different aspects and operations in your organisation. The aim is to audit all processes within the 3 year cycle. As with other audits, the Auditor will summarize the findings at the end of the visit. A written report will also be submitted outlining any nonconformities. If there are any major nonconformities, you will have up to three months to take corrective action and provide evidence that you have done so. Failure to do so could mean that your ISO certificate will be withdrawn. For minor nonconformities the Auditor will agree a plan with you. Depending on the risk and severity, the Auditor will use their discretion to establish how the nonconformity can be ‘closed’. It can potentially be closed at the next audit, or through evidence being sent to the Auditor, or maybe even another audit.

Re-certification ISO audit #

Your ISO certificate is valid for three years from the date of issue. In order to maintain your ISO certification, in year three, you get a thorough Re-certification Audit similar to the original Stage 2 Audit.

It’s best to have your Re-certification Audit done at least three months before the end of Year 3. This is because if you want to avoid any break in your certification, you need to allow time to take corrective action on any nonconformities (either minor or major) identified in the audit.

A Re-certification Audit is typically about two-thirds the time allocated to the Initial Audit. The Re-certification Audit is usually conducted on-site. If you have multiple sites, it will always include your head office plus sites not included in your Initial Audit and Surveillance Audits. After the Audit, there will be a closing meeting followed by a written report from the Auditor. It’s essential that you address any nonconformities identified by the Auditor before the third anniversary of the date your certificate was issued. If you fail to do this, then your certificate could be withdrawn.

Assuming everything goes well, you will be issued with a new ISO certificate and the three year cycle begins again.

High-Level Structure (Annex SL) and the PDCA Cycle #

Most modern ISO management system standards share a common High-Level Structure (HLS) known as Annex SL. This structure ensures consistency across different ISO standards, simplifies integration, and helps streamline implementation. The HLS is built on the Plan-Do-Check-Act (PDCA) cycle, a continuous improvement model that supports ongoing development and success. You can see this structure reflected in the chapters of the ISO document.

Frameworks like SOC 2 and NIS2 don’t have this structure, but they do have Controls that must be implemented and checked on a regular basis. This process closely resembles the PDCA cycle.

The PDCA cycle consists of four stages:

  • Plan: Establish objectives and processes necessary to deliver results.
  • Do: Implement the processes as planned.
  • Check: Monitor and evaluate the performance of the processes.
  • Act: Take actions to improve the processes based on the evaluation.


The HLS contains 10 chapters. Chapters 1, 2 and 3 define boundaries, references and definitions. They are good to read but not part of the implementation. Organizations that implement an ISO standard typically start at chapter 4 and are ready for certification after implementing chapter 10. Each chapter is linked to a PDCA stage and is explained below.

  1. Scope
    • Informative only
  2. Normative References
    • Informative only
  3. Terms and Definitions
    • Informative only
  4. Context of the Organization
    • PDCA Stage: Plan
    • Identifying internal and external factors affecting the organization’s success is part of planning. This clause helps define risks, opportunities, and the context in which the management system operates.
  5. Leadership
    • PDCA Stage: Plan/Do
    • Top management must plan and commit to the implementation and improvement of the management system. Leadership provides direction and commitment to the system, ensuring that it is integrated into the organization’s culture.
  6. Planning
    • PDCA Stage: Plan
    • This clause involves identifying risks and opportunities, setting objectives, and determining actions to achieve those objectives. It directly contributes to the “Plan” phase of PDCA.
  7. Support
    • PDCA Stage: Do
    • This clause focuses on ensuring that resources, competence, awareness, communication, and documented information are in place to support the effective operation of the management system.
  8. Operation
    • PDCA Stage: Do
    • In this stage, the processes identified during the planning phase are implemented. The organization’s operations must follow the procedures and practices set out in the planning phase.
  9. Performance Evaluation
    • PDCA Stage: Check
    • Monitoring, measurement, analysis, and evaluation of performance help assess how well the management system is performing. This includes internal audits and reviews to verify that objectives are being met.
  10. Improvement
    • PDCA Stage: Act
    • This final phase focuses on continual improvement. Based on the evaluation of performance, corrective actions and improvements are identified and implemented to enhance the system.


Steps to implement and achieve certification #

Implementing and achieving certification is more than going through the stages described in the ISO, SOC 2 or NIS2 documentation. You’ll need some kind of project plan that is specific to your organization.

ISOPlanner creates a project plan automatically, based on which frameworks you have, which ones you want to certify for and your timeline. This saves a lot of time, but the project still needs to be made more specific for your organisation, depending on your organization hierarchy, roles and teams, for example.

More specific content for your compliance framework is available in our Store. This content contains templates for policies, procedures, risks and recurring tasks, for example. This also saves a lot of time (80%), but it is a starting point, because not all organizations are the same. You’ll need to implement each requirement and/or control in your own organization, because the auditor will need evidence of how you did this and how it is performing.

The following steps give a better understanding of what needs to be done, so you can create a project plan specific to your organization.

  1. Contact a Certification Body
    • Description: Contact a certification body to get a quote for certification.
    • Tip: Compare Certification Bodies and choose one in your area and/or language, because they will visit your organization for the external audit. Contact ISOPlanner for suggestions on which certification body might fit you.
  2. Commitment from Top Management
    • Description: To implement a compliance framework, commitment is essential for getting things done. It may require that some departments change some of their processes.
    • Tip: Secure commitment and engagement by giving an overview presentation and allocating the necessary resources for the implementation process and certification.
  3. Understand the Standard
    • Description: Familiarize key personnel with these basics, with ISOPlanner and with the requirements of the compliance framework. This understanding will guide your organization in implementing the necessary controls and processes.
    • Tip: Use the free ISOPlanner online training and use ISOPlanner to go through the requirements in a user-friendly way (instead of scrolling through the PDF). In ISOPlanner you can immediately create tasks, for example for someone to further analyse a particular requirement.
  4. Implement the requirements and controls
    • Description: Begin implementing the requirements and/or controls. For ISO: follow the High-Level Structure (HLS) as described above.
    • Tips:
      • Foster a culture of communication and cooperation to ensure smooth implementation.
      • Create the policies and procedures in SharePoint and link them to requirements and controls using ISOPlanner.
      • Use the Approval module so management can easily approve new versions (using Teams on their mobile).
      • Use the project milestones created in ISOPlanner to further plan and keep track of progress.
  5. Optimize the Management System
    • Automation: During implementation, consider automating controls using ISOPlanner. ISOPlanner can receive evidence from external systems, reducing manual effort and errors. For example, a Power Automate workflow can be created to gather the multi-factor authentication status for all users, or a Teams message can be sent to users periodically to review a process.
    • Approvals: Approvals can be made easy by using the Approvals module of ISOPlanner (Business subscription). By leveraging Power Automate, approvals can be sent to the mobile Teams app for easy approval, for example.
    • Handle tasks: Enable the Outlook integration so colleagues can schedule recurring tasks directly in their Outlook calendar, or enable the Teams app to let colleagues handle their (recurring) tasks directly from within Teams.
  6. Certification
    • Description: Once the system is fully implemented and evaluated, prepare for the certification audit. Submit all necessary documentation, coordinate with the certification body, and ensure the system’s effectiveness.
    • Tip: Before the official audit, conduct a pre-assessment or internal audit to ensure everything is in place and any gaps are addressed.


Resources #