Module 10: The benefits and requirements of ISO 37001
An organisation’s compliance with ISO 37001 can be certified by an independent third party.
There are numerous well-respected certification bodies which undertake the certification of organisations to various national and international management and technical standards.
The certification process normally involves an auditor from the appointed certification body visiting the main office(s) of the organisation being certified.
Upon completion of the audit, the auditor will do one of the following, depending on the status of the organisation’s compliance:
The certificate of compliance will normally be issued for three years, but during this three-year period the auditor will visit the organisation periodically (normally every six months) to undertake a short sample interim audit of continued compliance. These short interim audits will normally examine different functions of the organisation’s business every six months, with a view to auditing all functions within the three-year period. If the organisation fails any interim audit (apart from minor non-conformities), the certificate of compliance will be revoked.
Independent certification is a highly effective method of providing additional external assurance that the organisation is compliant with ISO 37001.
The risk of corrupt or negligent certification is reduced by the use of major, well-known, national or international certification bodies.
There is no obligation on an organisation to obtain independent certification to ISO 37001. An organisation may simply ensure that its procedures are compliant with the standard. However, independent certification adds an extra level of independent assurance.
January 2025
© GIACC