Module 10:  The benefits and requirements of ISO 37001

Certification of compliance with ISO 37001

An organisation’s compliance with ISO 37001 can be certified by an independent third party.

There are numerous well-respected certification bodies which undertake the certification of organisations to various national and international management and technical standards.

The certification process normally involves an auditor from the appointed certification body visiting the main office(s) of the organisation being certified. 

  • The first part of the audit will involve the auditor assessing the organisation’s ABMS against the requirements of ISO 37001.  If there are any deficiencies in the organisation’s ABMS, the auditor will issue recommendations to the organisation to improve its ABMS accordingly.
  • The second part of the audit will normally involve the auditor:
    • verifying that any deficiencies identified in the first part of the audit have been rectified, and,
    • verifying that the organisation is actually implementing the ABMS on a day-to-day basis throughout the organisation’s operations.  This part of the audit will be undertaken by way of a sample of documentation from all of the organisation’s key functions and projects.

Upon completion of the audit, the auditor will do one of the following, depending on the status of the organisation’s compliance:

  • issue a certificate of compliance with ISO 37001, with no non-conformities
  • issue a certificate of compliance with ISO 37001, with listed minor non-conformities
  • refuse to issue a certificate of compliance, and issue a list of major non-conformities which the organisation must rectify before it is certified. Once the organisation has rectified the major non-conformities, it can request a re-audit, and will receive a certificate of compliance if it has successfully rectified them.

The certificate of compliance will normally be issued for three years, but during this three-year period the auditor will visit the organisation periodically (normally every six months) to undertake a short sample interim audit of continued compliance.  These short interim audits will normally examine different functions of the organisation’s business every six months, with a view to auditing all functions within the three-year period.  If the organisation fails any interim audit (apart from minor non-conformities), the certificate of compliance will be revoked.

Independent certification is a highly effective method of providing additional external assurance that the organisation is compliant with ISO 37001.

The risk of corrupt or negligent certification is reduced by the use of major, well known, national or international certification bodies.

There is no obligation on an organisation to obtain independent certification to ISO 37001.  An organisation may simply ensure that its procedures are compliant with the standard.  However, independent certification adds an extra level of independent assurance.


January 2025
© GIACC