# Recertification Preparation
Year 3: time for full recertification. Prove that three years of ISMS operation have created lasting value.
## What is Recertification?
A full re-assessment audit at the end of your 3-year certification cycle.
### Recertification vs Initial
| Aspect | Initial | Recertification |
|---|---|---|
| Scope | Full ISMS | Full ISMS |
| Duration | 3-5 days | 3-5 days |
| Focus | Can you do it? | Have you been doing it? |
| Evidence | Point-in-time | 3 years of operation |
| Maturity | New system | Proven track record |
| Outcome | First certificate | New certificate |
## What Auditors Look For
### 1. Continuous Operation
- Three years of management reviews
- Three years of internal audits
- Ongoing risk assessment updates
- Active corrective actions
- Evolution and improvement
Questions:
- "Show me the reviews from all three years."
- "How has the risk profile changed?"
- "What major improvements have been made?"
- "How do you know the ISMS is effective?"
### 2. ISMS Maturity
Maturity Levels:
- Level 1: Ad hoc, reactive
- Level 2: Processes defined
- Level 3: Standardized (aim for this)
- Level 4: Quantitatively managed
- Level 5: Continuous improvement culture
Signs of Maturity:
- Integrated into operations, not bolted on
- Strong security culture
- Optimized processes
- Metrics drive decisions
- Leadership genuinely engaged
### 3. Effectiveness of Controls
Proof that controls actually work, not merely that they exist.
Examples:
- Incident response: evidence of incidents being detected and responded to
- Access control: regular access reviews that catch and remove unauthorized access
- Vulnerability management: remediation trends over time
- Training: improved awareness, for example fewer phishing clicks
- Backup: successful restoration tests
### 4. Non-Conformities Handling
From previous audits:
- Were the NCs corrected?
- Were the root causes addressed?
- Have similar issues recurred?
- What was learned?
From internal processes:
- How are NCs identified?
- How are they tracked and resolved?
- What is the closure rate?
- What evidence shows continuous improvement?
### 5. Changes and Change Management
Over three years:
- How has the organization changed?
- How has the ISMS adapted?
- How are changes managed?
- Is the ISMS part of change management?
## Preparation Timeline
### 6-12 Months Before
- Review certificate expiry
- Assess ISMS maturity
- Identify improvement areas
- Budget for recertification
- Check which version of the standard applies (2013 vs 2022)
### 3-6 Months Before
- Comprehensive doc review
- Update all policies
- Verify SoA accuracy
- Update risk assessment
- Compile 3 years of records
Key Records:
- Management review minutes
- Internal audit reports
- Risk assessments
- Training records
- Incident logs
- Corrective actions
- Change management
- Control evidence
### 2-3 Months Before
- Comprehensive internal audit:
  - Cover all scope areas
  - Test all controls
  - Document findings
  - Implement corrections
  - Verify effectiveness
### 6-8 Weeks Before
- Comprehensive management review:
  - 3-year performance summary
  - Assess effectiveness and maturity
  - Strategic decisions for the next 3 years
- Confirm resources
- Renew executive commitment
### 4-6 Weeks Before
- Confirm audit dates with the certification body (CB)
- Arrange logistics
- Provide updated docs
- Schedule key personnel
### 2-4 Weeks Before
- Brief all personnel
- Readiness review
- Organize evidence folders
- Test system demos
- Practice questions
- Prepare workspace
### 1 Week Before
- Final walkthrough
- Test system access
- Confirm availability
- Print key documents
- Mental preparation
## The Recertification Audit
### Stage 1: Documentation Review (1-2 Days)
- Usually remote
- Review doc package
- Assess readiness
- Identify gaps
### Stage 2: Full Assessment (3-5 Days)
Day 1:
- Opening meeting
- Management interviews
- Risk assessment review
- Documentation review
Days 2-3:
- All Annex A controls tested
- Process walkthroughs
- Employee interviews
- System demonstrations
- Evidence examination
- 3-year record reviews
Final Day:
- Closing meeting
- Non-conformities (if any)
- Opportunities for improvement
- Recommendation
- Next steps
## Common Findings
- Stale Documentation - Not meaningfully updated
- Lack of Improvement - System unchanged in 3 years
- Ineffective Metrics - Data collected but not used
- Management Review Theater - Perfunctory, no real discussion
- Control Gaps - Never fully implemented or degraded
- Records Retention Issues - Can't produce Year 1-2 evidence
## Decision Outcomes
- Recommended - New certificate issued (2-4 weeks)
- Minor NCs - Address within 90 days; certificate issued once corrections are accepted
- Major NCs - Correct the issues; a follow-up audit may be required
- Not Recommended - Must re-apply (rare)
## Post-Recertification
### Immediate
- Debrief with team
- Celebrate success
- Document lessons
- Submit corrective actions
- Update stakeholders
### Next Three Years
Use Insights:
- What feedback was received?
- What was harder than expected?
- What improvements are possible?
- What should be done differently?
Strategic Planning:
- Set objectives for next 3 years
- Plan major improvements
- Allocate resources
- Integrate lessons
### Marketing
- Update website (new certificate)
- Update sales collateral
- Customer communications
- Celebrate internally
## Readiness Self-Assessment
Rate each item 1-5 (5 = excellent); section weights are shown in parentheses and the weighted result is scored out of 100:
Documentation (20%):
- All policies reviewed (past 12 months)
- SoA reflects control status
- Risk assessment current
- Procedures match practice
Evidence (30%):
- 3 years management reviews
- 3 years internal audits
- All corrective actions closed
- Control effectiveness evidence
Operations (25%):
- ISMS integrated into daily ops
- Staff aware of responsibilities
- Processes followed consistently
- Metrics drive improvement
Maturity (15%):
- Visible security culture
- Continuous improvement mindset
- Leadership genuinely engaged
- ISMS evolved and improved
Readiness (10%):
- Team prepared and confident
- Evidence organized
- Logistics confirmed
- Previous findings addressed
Scoring:
- 90-100: Ready
- 75-89: Minor improvements needed
- 60-74: Some work needed
- <60: Significant preparation required
## Final Thought
Three years ago you implemented an ISMS to get certified. Today, your ISMS is how you run your business securely.
That's the story to tell your auditor.
Next Lesson: Avoiding pitfalls that jeopardize certification.